I recently encountered a frustrating scenario where my Apache server with SSL configuration would intermittently timeout on HTTPS requests while HTTP remained accessible (albeit slower). This was particularly puzzling because:
- The SSL configuration appeared correct in httpd.conf
- The site worked sometimes over HTTPS
- No errors appeared in Apache's error_log
For context, here's the relevant setup:
Operating System: CentOS 5
Web Server: Apache 2.2.11
SSL Protocol: TLSv1 + SSLv3 (explicitly configured)
Certificate: Self-signed
After extensive testing, several potential culprits emerged:
1. SSL Handshake Timeouts
A self-signed certificate does not add any round trips to the handshake; the only extra step is the client's trust check, which fails locally and produces the browser warning instead of waiting on the network. What HTTPS adds over HTTP is the TLS handshake itself (certificate transfer plus the RSA private-key operation on the server), and each message of that exchange is bounded by Apache's Timeout directive, so a lowered Timeout or a slow, overloaded server can turn a handshake that merely runs long into one that is cut off.
2. Protocol Configuration Issues
The current setup uses:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
This protocol and cipher configuration is dated (SSLv3 and TLS 1.0 only, MD5-based suites still allowed), and a client that insists on TLS 1.2 or newer cannot connect to it at all. Bear in mind, though, that a protocol or cipher mismatch fails fast with a handshake alert rather than hanging, so it explains hard failures better than an intermittent timeout.
3. KeepAlive and Browser-Specific Issues
The configuration includes special handling for IE browsers:
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
That line is the classic workaround for old Internet Explorer releases that mishandled keep-alive and clean TLS shutdown. Its presence is a hint to look at keep-alive behaviour over SSL more generally: with the prefork MPM every idle keep-alive connection holds a worker process for the full KeepAliveTimeout, and once MaxClients is reached new connections wait in the listen backlog until a worker frees up, which looks exactly like an intermittent hang.
1. Adjust Timeout Directives
Make sure these are set in the server config or in the SSL VirtualHost. The values below are the Apache 2.2 defaults, so they only change anything if httpd.conf or the distro's ssl.conf had lowered them; Timeout is also the bound on how long httpd waits for each handshake message from the client:
Timeout 300
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100
2. Modernize SSL Protocol Settings
On a current httpd (2.2.23 or later built against OpenSSL 1.0.1 or later, or any 2.4), restrict the server to TLS 1.2 and drop the weak suites:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
The TLSv1.1 and TLSv1.2 keywords do not exist in mod_ssl 2.2.11, and the OpenSSL 0.9.8 that CentOS 5 ships cannot speak TLS 1.2 at all; on that stack httpd refuses to start with the line above ("Illegal protocol"), and the most you can do is SSLProtocol -all +TLSv1. (The trailing +TLSv1.2 is redundant once everything else has been subtracted from all, but harmless.)
3. Add Debugging Logging
Enable detailed SSL logging while you reproduce the problem. In 2.2 there are no per-module log levels, and mod_ssl records handshake progress and failures at debug, so raise LogLevel temporarily and expect it to be noisy:
ErrorLog logs/ssl_error_log
LogLevel debug
SSLEngine on
# StdEnvVars exposes SSL_* to CGI/PHP; ExportCertData is not needed for the log format below
SSLOptions +StdEnvVars +ExportCertData
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Remember that ssl_request_log only records requests whose handshake completed; a hung handshake leaves nothing there, so the debug-level error log is what captures it.
Use OpenSSL to test the SSL handshake:
openssl s_client -connect example.com:443 -servername example.com -tlsextdebug -status
s_client prints no timing of its own, so prefix it with time and repeat it. A run that prints CONNECTED and then sits idle means the TCP connection was accepted but the server never answered the ClientHello; a handshake alert is a protocol or cipher mismatch; "Verify return code: 18 (self signed certificate)" followed by the SSL-Session block means the handshake completed and only the trust check failed, which is expected here. (-status requests an OCSP staple, which a self-signed certificate will never carry; it is harmless.)
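Because the failure is intermittent, a single s_client run proves little. The script below is an added example (not from the original post) that repeats the handshake a configurable number of times, bounds each attempt with GNU coreutils timeout (assumed to be installed on the machine you probe from), and extracts protocol, cipher and verify code from s_client's output; a hang counts as a failure instead of blocking the loop. The s_client transcript embedded in it is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: repeat the TLS handshake N times and count hangs/failures.
# Assumes openssl s_client and GNU coreutils `timeout` on the probing machine.

# parse_handshake: stdin = s_client output; prints "PROTOCOL CIPHER VERIFY_CODE",
# or "NONE NONE NONE" when no session was established (hang, reset or alert).
parse_handshake() {
    awk '
        /^ *Protocol *:/      { proto = $NF }
        /^ *Cipher *:/        { cipher = $NF }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $1 }
        END {
            if (proto == "" || cipher == "" || cipher == "0000") { proto = "NONE"; cipher = "NONE" }
            if (code == "") code = "NONE"
            print proto, cipher, code
        }'
}

# probe_handshakes HOST PORT COUNT [SECONDS_PER_TRY]
# One line per attempt: "<n> <elapsed_s> <proto> <cipher> <verify>", then a summary.
probe_handshakes() {
    host=$1; port=$2; count=$3; limit=${4:-10}
    ok=0; failed=0; slowest=0; i=1
    while [ "$i" -le "$count" ]; do
        start=$(date +%s)
        result=$(timeout "$limit" openssl s_client -connect "$host:$port" \
                     -servername "$host" </dev/null 2>&1 | parse_handshake)
        elapsed=$(( $(date +%s) - start ))
        case $result in
            NONE*) failed=$((failed + 1)) ;;
            *)     ok=$((ok + 1)) ;;
        esac
        if [ "$elapsed" -gt "$slowest" ]; then slowest=$elapsed; fi
        echo "$i $elapsed $result"
        i=$((i + 1))
    done
    echo "ok=$ok failed=$failed slowest=${slowest}s limit=${limit}s"
}

# Constructed, abridged s_client transcript: what a self-signed server returns on success.
SAMPLE_S_CLIENT='CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=18:self signed certificate
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
Verify return code: 18 (self signed certificate)'

# Offline demo of the parser. Against a real host run, for example:
#   probe_handshakes example.com 443 20 10
printf '%s\n' "$SAMPLE_S_CLIENT" | parse_handshake
printf 'CONNECTED(00000003)\n' | parse_handshake
```

A result like "ok=17 failed=3 slowest=10s" with the failures all hitting the per-try limit points at a server that accepts the TCP connection and then stalls (worker exhaustion or a server-side timeout), whereas failures that return immediately with NONE are alerts or resets and are better explained by protocol or cipher mismatch.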
Self-signed certificates do not slow the handshake: the warning the browser shows comes from a local trust check, not from extra network exchanges. What does cost handshake time is the RSA private-key operation, which grows quickly with key size. Consider:
- Obtaining a certificate from a trusted CA (Let's Encrypt issues them free) so browsers stop warning
- Adding your self-signed certificate to the trusted stores of the clients you control, for the same reason
- Using a 2048-bit key rather than 4096-bit; 2048 bits is still adequate and several times cheaper per full handshake on the server side
These changes should resolve the intermittent HTTPS timeout issues while maintaining security. The key was balancing timeout settings against the real cost of TLS negotiation on a slow server, rather than blaming the self-signed certificate.
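Before tightening SSLProtocol or SSLCipherSuite, it is worth knowing what clients currently negotiate. The script below is an added example (not from the original post): it reads lines in exactly the CustomLog format set up in the logging step above and tallies protocol and cipher per client, so you can see who an SSLv3 or TLS 1.0 cutoff would lock out and who is already on weak suites. The log lines embedded in it are constructed, not real traffic.

```shell
#!/bin/sh
# Added example: summarise negotiated protocol/cipher per client from lines in the
# page's CustomLog format: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b".
# The bracketed %t splits into two awk fields, so: $3=client $4=protocol $5=cipher.

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='[10/Mar/2010:10:02:11 +0000] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET / HTTP/1.1" 2326
[10/Mar/2010:10:02:13 +0000] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /a.css HTTP/1.1" 512
[10/Mar/2010:10:05:40 +0000] 198.51.100.7 SSLv3 RC4-MD5 "GET / HTTP/1.0" 2326
[10/Mar/2010:10:07:02 +0000] 203.0.113.9 TLSv1 AES128-SHA "POST /login HTTP/1.1" 88
[10/Mar/2010:10:09:55 +0000] 198.51.100.7 SSLv3 RC4-MD5 "GET /img.png HTTP/1.0" 9040'

# protocol_summary: stdin = log lines; prints "PROTOCOL requests distinct_clients".
protocol_summary() {
    awk '{
        proto = $4; client = $3
        requests[proto]++
        if (!((proto, client) in seen)) { seen[proto, client] = 1; clients[proto]++ }
    }
    END { for (p in requests) printf "%s %d %d\n", p, requests[p], clients[p] }' | sort
}

# clients_on_protocol PROTO: distinct client addresses that negotiated PROTO.
clients_on_protocol() {
    awk -v want="$1" '$4 == want { print $3 }' | sort -u
}

# weak_cipher_clients: "client cipher" pairs for RC4, MD5, export, NULL or single-DES suites.
weak_cipher_clients() {
    awk '$5 ~ /RC4|MD5|EXP|NULL|^DES-CBC-SHA$/ { print $3, $5 }' | sort -u
}

# Offline demo on the constructed sample. On a server:
#   protocol_summary < /var/log/httpd/ssl_request_log
printf '%s\n' "$SAMPLE_LOG" | protocol_summary
printf '%s\n' "$SAMPLE_LOG" | clients_on_protocol SSLv3
printf '%s\n' "$SAMPLE_LOG" | weak_cipher_clients
```

On the sample this reports one client on SSLv3 with RC4-MD5 and two on TLSv1; that is the population you would have to contact (or accept losing) before setting SSLProtocol -all +TLSv1 and removing MD5 and RC4 from the cipher string.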
During my recent Apache 2.2.11 configuration on CentOS 5, I encountered an intriguing issue where HTTPS connections would intermittently timeout while HTTP connections remained functional (albeit sometimes slow). The behavior appeared particularly inconsistent - sometimes the HTTPS connection would work after displaying the self-signed certificate warning, other times it would simply hang until timeout.
Here's the original VirtualHost configuration that exhibited the problem:
NameVirtualHost *:443
<VirtualHost *:443>
    SuexecUserGroup foo
    DocumentRoot /home/mydomain/www/
    ServerName example.com
    SSLEngine on
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLCertificateFile /path/example.com.com.crt
    SSLCertificateKeyFile /path/example.com.key
    SSLVerifyClient none
    SSLProxyVerify none
    SSLVerifyDepth 0
    SSLProxyVerifyDepth 0
    SSLProxyEngine off
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    <Directory "/home/mydomain/www">
        SSLRequireSSL
        AllowOverride all
        Options +FollowSymLinks +ExecCGI -Indexes
        AddHandler php5-fastcgi .php
        Action php5-fastcgi /cgi-bin/a.fcgi
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/var/suexec/mydomain.com">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
After extensive testing, several factors emerged as potential culprits:
- SSL Handshake Timeout: The default timeout values might be too short for SSL negotiation
- Cipher Suite Compatibility: The specified cipher suites might cause negotiation delays
- Self-Signed Certificate Processing: Clients might spend excessive time validating the untrusted cert
- Apache Worker Configuration: Insufficient worker threads for SSL processing
Here's the modified configuration that resolved the issue:
<VirtualHost *:443>
    # Previous configuration remains the same until...
    SSLEngine on
    SSLProtocol -all +TLSv1
    # Note: this cipher string is the old mod_ssl default. It still admits LOW,
    # EXPORT and RC4 suites and ranks RC4 first; HIGH:!aNULL:!MD5:!RC4:!3DES is
    # the safer choice if your clients can negotiate it.
    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLHonorCipherOrder on
    SSLCertificateFile /path/example.com.com.crt
    SSLCertificateKeyFile /path/example.com.key
    # Add these new directives. Each postdates 2.2.11, and httpd refuses to start
    # on a directive it does not know ("Invalid command"), so check your version:
    # SSLInsecureRenegotiation needs 2.2.15 (and OpenSSL 0.9.8m or later),
    # SSLStrictSNIVHostCheck needs 2.2.12, SSLCompression needs 2.2.24.
    SSLInsecureRenegotiation off
    SSLStrictSNIVHostCheck off
    SSLCompression off
    # SSLSessionCache is server-config context only and is rejected inside a
    # <VirtualHost>; set it once at global scope (the distro's mod_ssl ssl.conf
    # usually already does), for example:
    #   SSLSessionCache "shmcb:/var/log/httpd/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    # Timeout adjustments
    Timeout 300
    KeepAlive On
    KeepAliveTimeout 15
    MaxKeepAliveRequests 100
    # Rest of configuration remains unchanged...
</VirtualHost>
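Several of the directives added above postdate httpd 2.2.11, and Apache rejects a directive it does not know at startup rather than ignoring it, so the safe habit is to pre-check a tuned config against the installed version before restarting. The script below is an added example, not code from the original post: it parses the version out of httpd -v output, compares it against the first release documenting each newer mod_ssl directive (minimum versions taken from the mod_ssl documentation), flags TLSv1.1/TLSv1.2 SSLProtocol keywords on anything older than 2.2.23, and reports SSLSessionCache inside a <VirtualHost>, where mod_ssl does not allow it. The configuration fragment and version string it runs on are constructed for the example.

```shell
#!/bin/sh
# Added example: flag mod_ssl directives/keywords the installed httpd will reject.
# MIN_VERSIONS: directive and the first httpd release documenting it.
MIN_VERSIONS='SSLStrictSNIVHostCheck 2.2.12
SSLInsecureRenegotiation 2.2.15
SSLCompression 2.2.24
SSLUseStapling 2.4.0'

# version_ge A B: true when dotted version A >= B (numeric per component).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# httpd_version: stdin = output of `httpd -v`; prints e.g. 2.2.11
httpd_version() {
    sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_config CONF VERSION: one line per problem found; prints nothing if clean.
check_config() {
    conf=$1; ver=$2
    printf '%s\n' "$MIN_VERSIONS" | while read -r directive minver; do
        if grep -qi "^[[:space:]]*$directive[[:space:]]" "$conf" && ! version_ge "$ver" "$minver"; then
            echo "$directive needs httpd $minver, have $ver"
        fi
    done
    # TLSv1.1/TLSv1.2 as SSLProtocol keywords arrived in 2.2.23 (and need OpenSSL 1.0.1+).
    if grep -Eqi '^[[:space:]]*SSLProtocol.*TLSv1\.[12]' "$conf" && ! version_ge "$ver" 2.2.23; then
        echo "SSLProtocol TLSv1.1/TLSv1.2 keywords need httpd 2.2.23, have $ver"
    fi
    # SSLSessionCache is server-config context only; inside <VirtualHost> it is rejected.
    awk 'tolower($0) ~ /^[ \t]*<virtualhost/  { inv = 1 }
         tolower($0) ~ /^[ \t]*<\/virtualhost/ { inv = 0 }
         inv && tolower($1) == "sslsessioncache" {
             print "SSLSessionCache not allowed inside <VirtualHost> (line " NR ")" }' "$conf"
}

# Constructed config fragment mirroring the tuned VirtualHost (not a real server's file).
SAMPLE_CONF='<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1
    SSLInsecureRenegotiation off
    SSLStrictSNIVHostCheck off
    SSLCompression off
    SSLSessionCache "shmcb:/var/log/httpd/ssl_scache(512000)"
</VirtualHost>'

# Offline demo against a constructed "httpd -v" line. On a server:
#   check_config /etc/httpd/conf.d/ssl.conf "$(httpd -v | httpd_version)"
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONF" >"$tmp"
check_config "$tmp" "$(printf 'Server version: Apache/2.2.11 (Unix)\n' | httpd_version)"
rm -f "$tmp"
```

Against the sample and version 2.2.11 it flags all three new directives plus the misplaced SSLSessionCache; against 2.2.24 only the SSLSessionCache placement remains. Run httpd -t as well: it catches everything above plus syntax errors, but only on the machine that has the target httpd installed.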
To further diagnose SSL issues:
# Check the SSL handshake with OpenSSL (-state and -msg print each handshake message, so you can see where it stalls)
openssl s_client -connect example.com:443 -showcerts -debug -state -msg
# Verify that mod_ssl is actually loaded
apachectl -M | grep ssl
# Follow the SSL error log (raise LogLevel to debug first; 2.2 has no per-module log levels, and tail itself adds no verbosity)
tail -n 100 -f /var/log/httpd/ssl_error_log
When dealing with SSL performance:
- OCSP stapling (SSLUseStapling) only exists from httpd 2.4 on and only helps with CA-issued certificates; it does nothing for a self-signed one
- Enable session resumption with a server-wide SSLSessionCache so returning clients skip the full handshake
- Monitor memory usage, as SSL connections consume more resources than plain HTTP
- Consider hardware SSL acceleration for high-traffic sites
For production environments, I strongly recommend:
- Replacing the self-signed certificate with one from a trusted CA
- Upgrading to a more recent Apache version: TLS 1.2 needs httpd 2.2.23 or later with OpenSSL 1.0.1 or later, and TLS 1.3 needs httpd 2.4.36 or later with OpenSSL 1.1.1 or later
- Implementing proper monitoring for SSL handshake failures
- Regularly reviewing cipher suite security