March 10, 2009

Note to WordPress on SSL

Filed under: Network,Protocols,Security — Nate Lawson @ 5:42 pm

Dear WordPress/Automattic:

Your servers do not offer SSL session resumption. This means every new connection does a full handshake: the server sends its certificate (3807 bytes) and has to perform a 2048-bit RSA decryption. This occurs for every piece of data fetched over SSL, even the tiny button pictures that are smaller than the certificate itself.

[Figure: WP SSL Server Hello message]

You should really enable SSL session resumption. It will save a lot of money in server cost and bandwidth, and your users will be happier too.
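The quickest way to check a server for this problem is `openssl s_client -connect host:443 -reconnect`, which does one full handshake and then reconnects several times offering the session ID it was given, reporting each handshake as "New" or "Reused". The script below is an added example (not part of the original post, and not WordPress's or OpenSSL's code): it parses that output, reports whether a session ID was issued and whether any session was resumed, and tallies what the full handshakes cost in certificate bytes and server private-key operations. The two sample outputs are constructed and trimmed to the lines the parser needs; the `run_s_client` wrapper simply shells out to the real OpenSSL client.

```python
"""Added example: judge a server's TLS session resumption from `openssl s_client -reconnect` output."""
import re
import subprocess
from dataclasses import dataclass


@dataclass
class Handshake:
    reused: bool       # True when s_client printed "Reused", i.e. the session was resumed
    cipher: str
    session_id: str    # hex string; empty when the server issued no session ID
    bytes_read: int    # bytes the client read during the handshake (the certificate dominates)


_STATUS = re.compile(r"^(New|Reused), .*Cipher is (\S+)")
_READ = re.compile(r"^SSL handshake has read (\d+) bytes and written (\d+) bytes")
_SESSION_ID = re.compile(r"^Session-ID:\s*([0-9A-Fa-f]*)$")


def parse_handshakes(output: str) -> list:
    """Return one Handshake per connection found in s_client output, in order."""
    handshakes = []
    current = None
    pending_read = 0   # "SSL handshake has read" is printed just before the New/Reused line
    for raw in output.splitlines():
        line = raw.strip()
        m = _READ.match(line)
        if m:
            pending_read = int(m.group(1))
            continue
        m = _STATUS.match(line)
        if m:
            current = Handshake(reused=(m.group(1) == "Reused"), cipher=m.group(2),
                                session_id="", bytes_read=pending_read)
            handshakes.append(current)
            pending_read = 0
            continue
        m = _SESSION_ID.match(line)
        if m and current is not None:
            current.session_id = m.group(1)
    return handshakes


def resumption_report(handshakes: list, cert_bytes: int = 3807) -> dict:
    """Summarise resumption behaviour and the cost of the full handshakes observed.

    cert_bytes defaults to the 3807-byte certificate from the post; every full handshake
    re-sends it and costs the server one RSA private-key operation.
    """
    full = sum(1 for h in handshakes if not h.reused)
    resumed = len(handshakes) - full
    return {
        "handshakes": len(handshakes),
        "full": full,
        "resumed": resumed,
        "session_id_issued": bool(handshakes) and all(h.session_id for h in handshakes),
        "resumption_works": resumed > 0,
        "rsa_private_ops": full,
        "cert_bytes_sent": full * cert_bytes,
    }


def run_s_client(host: str, port: int = 443, timeout: int = 30) -> str:
    """Run the real OpenSSL client against a host and return its combined output."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-reconnect"],
        input=b"", capture_output=True, timeout=timeout)
    return (proc.stdout + proc.stderr).decode(errors="replace")


# Constructed sample outputs (only the lines the parser needs; s_client prints much more).
SAMPLE_NO_RESUMPTION = """\
CONNECTED(00000003)
SSL handshake has read 4112 bytes and written 320 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
    Session-ID: 
    Session-ID-ctx: 
drop connection and then reconnect
CONNECTED(00000003)
SSL handshake has read 4112 bytes and written 320 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Session-ID: 
drop connection and then reconnect
CONNECTED(00000003)
SSL handshake has read 4112 bytes and written 320 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Session-ID: 
"""

SAMPLE_RESUMPTION = """\
CONNECTED(00000003)
SSL handshake has read 4112 bytes and written 320 bytes
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Session-ID: 2E0F7A9C1B3D5E6F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F
drop connection and then reconnect
CONNECTED(00000003)
SSL handshake has read 226 bytes and written 211 bytes
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
    Session-ID: 2E0F7A9C1B3D5E6F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F
drop connection and then reconnect
CONNECTED(00000003)
SSL handshake has read 226 bytes and written 211 bytes
Reused, TLSv1/SSLv3, Cipher is AES256-SHA
    Session-ID: 2E0F7A9C1B3D5E6F8A9B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F
"""

if __name__ == "__main__":
    import sys
    out = run_s_client(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NO_RESUMPTION
    print(resumption_report(parse_handshakes(out)))
```

Run it with a hostname to test a live server, or without arguments to see the broken-configuration sample scored. A healthy server shows one "New" followed by "Reused" handshakes a few hundred bytes long; a server that leaves the Session-ID line empty, as WordPress's did, scores every connection as a full handshake and the cert_bytes_sent figure grows linearly with request count.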


[Edit: WordPress staff replied that this was a mistake in their configuration and now this is fixed.]


  1. Hi,

    Thanks for letting us know. This was actually an unintentional side effect of some software upgrades we completed a while back. I have fixed it so that a valid Session ID should now be issued and session resumption should work as expected. Are things faster for you now?

    Comment by Barry — March 11, 2009 @ 10:37 pm

  2. Out of curiosity, which software upgrade was it?

    Comment by Matt — March 12, 2009 @ 1:44 am

  3. Barry, yes, that worked. I see sessions being resumed now (server hello/change cipher spec/etc.) However, you definitely have a lot of duplicate acks, reordering, zero-window size advertisements and other strangeness going on there. So while it’s a bit faster now, there may be other issues.

    Comment by Nate Lawson — March 12, 2009 @ 9:24 am

  4. Was this on an nginx-based frontend load balancer?

    I know wordpress.com switched over to it in its stack. Wondering if it was a configuration change involved there or not.

    Comment by mike — May 18, 2009 @ 3:08 pm

  5. Good catch! Is it all fixed on 2.8.4?

    Comment by Brent Rangen — September 29, 2009 @ 5:39 am
