Now that I am a Certificate Authority (CA), I am ready to revisit some SSL timing woes from a few nights back. Specifically, I was seeing 700ms+ for SSL negotiation. Some of that was due to the imposed 100ms round trip time (RTT) on my little network, but that was still high.
To see if I can eliminate some of that, I am going to replace my faux SSL certificate with a real one signed by my new CA. First, I need to generate my private key and an associated certificate request (which will be sent to my CA):
➜ ~ openssl genrsa -out spdy.key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
➜ ~ openssl req -new -key spdy.key -out spdy.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Maryland]:
Locality Name (eg, city) []:
Organization Name (eg, company) [EEE Computes, LLC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:spdy.local
Email Address []:firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now, with my CA hat on, I sign the certificate request:
➜ ~ openssl ca -out ./CA/newcerts/spdy.crt -in spdy.csr
Using configuration from /home/cstrom/local/ssl/openssl.cnf
Enter pass phrase for ./CA/private/cakey.pem:
Check that the request matches the signature
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jul 28 00:18:46 2011 GMT
            Not After : Jul 27 00:18:46 2012 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = EEE Computes, LLC
            commonName                = spdy.local
            emailAddress              = email@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
Certificate is to be certified until Jul 27 00:18:46 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
After copying my private key and signed certificate to the spdy.local VM, I access the SPDY server to find that the new certificate is, indeed, working:
Looking at the networking tab of Chrome's developer tools (the only thing available to me since Speed Tracer is broken), I see that SSL negotiation is cut down:
Much better. It is still 400ms, but on a 100ms RTT network that may be the best I can hope for.
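The key, CSR and signing steps above, collapsed into a script as an added example. These are not the post's own commands: the CA directory layout, the config sections, the passphrase and the DN values are my assumptions, and the keys are 2048-bit rather than the post's 1024-bit modulus, which is below the minimum any current browser or CA/B Forum policy accepts. The script also puts the hostname in a subjectAltName, which the post's certificate lacks, because browsers now ignore the Common Name for hostname matching, and it finishes with the checks worth running before copying a certificate to the VM: the chain verifies against the CA, the leaf is not itself a CA, it names the host, and it is marked for server use.

```shell
#!/bin/sh
# Added example, not the post's own commands: a throwaway CA that signs a
# server certificate for a hostname non-interactively and checks the result.
# Assumes only that the openssl CLI is on PATH. Paths, passphrase and DN
# values are made up for the demo; keys are 2048-bit, not the post's 1024.
set -eu

# Lay out the directory `openssl ca` expects under $1, create the CA, and
# issue one server certificate for hostname $2. Prints the certificate path.
issue_server_cert() {
    work=$1; host=$2; ca=$work/CA
    mkdir -p "$ca/private" "$ca/newcerts"
    : > "$ca/index.txt"        # empty CA database
    echo 01 > "$ca/serial"     # next serial number to issue

    # Minimal openssl.cnf: the [ca] section (the post's run read this from
    # its own config) plus extension sets for the CA and for server certs.
    # The CA, not the requester, fixes the key usages and the SAN name.
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = $ca/index.txt
new_certs_dir   = $ca/newcerts
serial          = $ca/serial
certificate     = $ca/cacert.pem
private_key     = $ca/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF

    # CA key (passphrase-protected, as in the post) and self-signed CA cert.
    openssl genrsa -aes256 -passout pass:ca-demo \
        -out "$ca/private/cakey.pem" 2048 >&2
    openssl req -new -x509 -config "$work/openssl.cnf" -extensions v3_ca \
        -key "$ca/private/cakey.pem" -passin pass:ca-demo \
        -subj "/O=EEE Computes, LLC/CN=Demo CA" -days 3650 -out "$ca/cacert.pem" >&2

    # Server key and CSR; -subj replaces the interactive DN prompts.
    openssl genrsa -out "$work/$host.key" 2048 >&2
    openssl req -new -config "$work/openssl.cnf" -key "$work/$host.key" \
        -subj "/C=US/ST=Maryland/O=EEE Computes, LLC/CN=$host" \
        -out "$work/$host.csr" >&2

    # Sign it; -batch answers the two y/n prompts the post shows.
    openssl ca -batch -notext -config "$work/openssl.cnf" -passin pass:ca-demo \
        -in "$work/$host.csr" -out "$work/$host.crt" >&2
    echo "$work/$host.crt"
}

# Checks worth running before installing the cert: it chains to the CA, it
# is not itself a CA, it names the host, and it is marked for server use.
# Prints "ok", or the name of the first check that failed.
check_server_cert() {
    crt=$1; cacert=$2; host=$3
    openssl verify -CAfile "$cacert" "$crt" >/dev/null 2>&1 || { echo chain; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q 'CA:FALSE'       || { echo basicConstraints; return 1; }
    echo "$text" | grep -q "DNS:$host"      || { echo subjectAltName; return 1; }
    echo "$text" | grep -q 'TLS Web Server' || { echo extendedKeyUsage; return 1; }
    echo ok
}

# Number of certificates the CA database (index.txt) records as valid.
valid_cert_count() {
    grep -c '^V' "$1/CA/index.txt"
}

if [ "${1:-}" = run ]; then
    WORK=$(mktemp -d)
    CRT=$(issue_server_cert "$WORK" spdy.local)
    check_server_cert "$CRT" "$WORK/CA/cacert.pem" spdy.local
    rm -rf "$WORK"
fi
```

Run it as `sh issue.sh run`; it issues into a temporary directory, prints `ok`, and cleans up. The `index.txt` and `serial` files are the "database" the post's `Data Base Updated` line refers to, and `-batch` is the non-interactive equivalent of answering `y` twice.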
Before calling it a night, I try out the SPDY server push implementation. Observing in the network tab again, I see:
Hrm... The images are certainly pushed quickly, but for some reason the CSS and JS are taking longer in SPDY server push than in normal requests.
about:net-internals, but about:net-internals seems hopelessly broken in my current Chrome (14.0.835.0 dev):
Ugh. Well, I will leave that as a mystery for tomorrow. For the time being, I am going to get back to finishing off SPDY Book.