Wednesday, July 27, 2011

SPDY and Good SSL

‹prev | My Chain | next›

Now that I am a Certificate Authority (CA), I am ready to revisit some SSL timing woes from a few nights back. Specifically, I was seeing 700ms+ for SSL negotiation. Some of that was due to the imposed 100ms round trip time (RTT) on my little network, but that was still high.

To see if I can eliminate some of that, I am going to replace my faux SSL certificate with a real one signed by my new CA. First, I need to generate my private key and an associated certificate request (which will be sent to my CA):
➜  ~  openssl genrsa -out spdy.key 1024           
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
➜ ~ openssl req -new -key spdy.key -out spdy.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Maryland]:
Locality Name (eg, city) []:
Organization Name (eg, company) [EEE Computes, LLC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:spdy.local
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now, with my CA hat on, I sign the certificate request:
➜  ~  openssl ca -out ./CA/newcerts/spdy.crt -in spdy.csr              
Using configuration from /home/cstrom/local/ssl/openssl.cnf
Enter pass phrase for ./CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Not Before: Jul 28 00:18:46 2011 GMT
Not After : Jul 27 00:18:46 2012 GMT
countryName = US
stateOrProvinceName = Maryland
organizationName = EEE Computes, LLC
commonName = spdy.local
emailAddress =
X509v3 extensions:
X509v3 Basic Constraints:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:

Certificate is to be certified until Jul 27 00:18:46 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
After copying my private key and signed certificate to the spdy.local VM, I access the SPDY server to find that the new certificate is, indeed, working:

Looking at the networking tab of Chrome's developer tools (the only thing available to me since Speed Tracer is broken), I see that SSL negotiation is cut down:

Much better. It is still 400ms, but on a 100ms RTT network that may be the best I can hope for.

Before calling it a night, I try out the SPDY server push implementation. Observing in the network tab again, I see:

Hrm... The images are certainly pushed quickly, but for some reason the CSS and JS are taking longer in SPDY server push than in normal requests.

Overall, it saves about 300ms. That is nothing to sneeze at, but what is going on with the CSS and Javascript transfer times? I try to have a look at the SPDY tab in about:net-internals, but about:net-internals seems hopelessly broken in my current Chrome (14.0.835.0 dev):

Ugh. Well, I will leave that as mystery for tomorrow. For the time being, I am going to get back to finishing off SPDY Book.

Day #84

No comments:

Post a Comment