Lag impact of SSL certificates

When purchasing (or getting/generating a free one) a SSL certificate the end-user performance is often overlooked (in most cases even unknown). I am not talking about selecting a bigger number of bits, always get the best available which has the support of the clients.

There is a second more sinister impact of securing data connections with a certificate, the chain length.

When getting a cheaper certificate the chain is usually longer, so there are more steps for the browser to perform, sure performing OCSP stapling mitigates this for most browsers.

But consider other connections which do not support this technology (smtp, imap, pop, mysql (including Mariadb), in fact most non https connections), this is were our problems start. For each connection most of these technologies have to re-verify the complete chain!

But after that the pain is far from over, please consider the party that has to respond to all these requests. After recently switching from StartSSL (paid, DV) to Comodo (DV) the average connection initialization time has seen a reduction of 40~50%!

This also has a measurable effect to the complete server, less open connections means more resources for doing useful stuff (it even has a considerable impact on the life of the IT staff, no more lag when moving emails about).


A pretty significant improvement for a simple upgrade, and it didn’t even require digging much deeper into my wallet.