We talked a bit in the meeting about this. It looks like we hold our SSL sessions open for 30 minutes but we have a maximum of 6000 sessions across all the AMO domains. I think we run through that in seconds so it's not really getting any caching at all.
We should investigate increasing the ssl!cache!size flag on zeus and see if our performance improves. As a baseline measurement, the purple on this graph is all SSL handshaking time:
Will test by bumping up to 1m. Should eat about 700MB of mem (so next to nothing).
Created attachment 417037 [details]
SSL Session ID hit rate
Point of reference, current SSL session cache hit rate is about 85%
Created attachment 417046 [details]
Hits & Miss pre change
Changes made and ZXTM restarted right now.
Created attachment 417164 [details]
Hits & Misses post settings change.
Looks about the same, but the size is now set @ 1,000,000. I think versioncheck is probably throwing off the graphs since almost no one will be reusing their SSL session.
Looks like the multiple ssl negotiation wasn't due to session expiration. IE opens 6 connections/host, I think it may have to create a new ssl session for each connection.