SSL negotiation was slow, I tried Cloudflare SSL

It’s been a long time coming.

I don’t need any specific level of security here on this blog, but I want it to be fast.

I tried quite a few SSL certificates over the years, here and for clients’ sites, including ZeroSSL, RapidSSL, Comodo, Symantec, Let’s Encrypt of course, and some others which names I can’t recall. Cause they were all just the same — 300-400 ms.

SSL negotiation was slow, I tried Cloudflare SSL

Yeah, :/. But at least not higher, and I had other things to care about. But one day I saw this.

Well, you call it the last drop because it’s the last one, right?

The result

Before: a fast server located close to my audience was doing just fine (I didn’t use any proxy or CDN here before). But this slow SSL thing adding 300-500ms (and sometimes 1.7s as you see above!) to my site load was spoiling all the niceness of the fast-performing website I have here!

The result: and though this blog loads quite fast nevertheless, when I had a spare evening to try out another SSL certificate I did it. The best result I managed to get was from Cloudflare:

15-60 ms for SSL negotiation, cool!

Also it’s free to use. And issued for 15(!) years. And allows wildcards.

And a word of warning:

Please, note that this blog loads quite fast, so -400ms is a noticeable improvement. If your site loads slower than 5s you might want to invest your time to find more important bottlenecks first.

How to check your SSL certificate is slow?

With any of these tools:

  • just open Chrome DevTools -> Network tab (you’ll need to CTRL+F5 to refresh the page and to get the process of loading pictured)
  • or run a test on WebPageTest.org and check the waterfall
  • or even bytecheck.com

Here are few things to know before (against) using Cloudflare:

  • Using Cloudflare (or other CDN/proxy) won’t be the best choice for many! Depends where your audience is, what kind of server you’ve got, where it is located, and many more, including your company infrastructure too sometimes! Check out this article.
  • You can not use an SSL certificate from Cloudflare without using their nameservers and proxy.
  • But you can use it without caching though. Just nameservers, SSL certificate, and proxy.
  • If you decided using CDN is not the best choice for your business, check out also the speed of your current nameservers — you might want to use Cloudflare nameservers only (without proxy, without caching, without SSL) — they are really fast, and free.

If considering all the above, you think your site would benefit from using Cloudflare (DNS + proxy + SSL), here is how-to:

The entire process took me about an hour, 50 minutes of which I spent talking with hosting support on step 3. It was not easy to import a certificate there, but if you have cPanel on your hosting account or SSH all these should take you not longer than 20 mins.

1. Add your site to Cloudflare account

… and follow the instructions.

2. Add your server IP to A record under DNS section in Cloudflare

3. Turn the proxy on (orange cloud)

4. Point your domain to their nameservers

By the way, CF nameservers are really fast! And free, again.

So, head over to where you domain is hosted (this can be different from where the site files are hosted) and update nameserver records

Quick check

At this point, your domain should be hosted on Cloudflare’s nameservers, CF is pointed to your hosting and traffic goes through their proxy. To see if its so, check IP address or headers in Chrome DevTools. It should Cloudflare’s IP there not your hosting anymore, and the headers would say traffic goes through Cloudflare.

5. Issue SSL certificate from CloudFlare

Until now everything was pretty usual. What we going to do now is to issue an SSL certificate at Cloudflare to use it later on our server.

Navigate to SSL -> Origin server -> Create certificate

Important:

  • you have to save private key before you click ok
  • you have to click ok before you move to next step and try to import certificate, otherwise it’s not saved

4. Tell your hosting to use a certificate from Cloudflare instead of Let’s Encrypt or any other

This might easy or might be not, depending on your hosting provider (for instance, Siteground just moved away from cPanel and they don’t provide SSH in all plans, which makes this a bit tricky).

In cPanel it’s pretty straightforward, if you have SSH access it’s pretty easy too.

Here is how to import SSL certificate from Cloudflare using cPanel:

A note about security

I don’t really need SSL on my blog – nothing is happening here, it’s just a blog, no one registers, no one leaves their data. I would happily stay with HTTP if it wouldn’t bring my site down by telling people it’s not safe. But other sites have other requirements, be aware that if you need the highest level of security you have to choose Full (strict) here, as all other options are not 100% safe (picture that explains).

Wrap up

Though the results do show some inconsistency, to get -400ms in site load just in 20 mins totally worth I think.

And a sweet bonus — no more “Your SSL certificate is about to expire” notifications for another 15 years. For free 🙂

Tell me in comments if you did the same, how it worked? I’d love to know!

Share this stuff:

Leave a Reply

Your email address will not be published. Required fields are marked *