On 24-04-2019 we noticed high SSL handshake times on some of our clients' websites. The SSL response time ranged from 6 to 35 seconds for all websites that were using Sectigo SSL certificates (DV).

After in-depth research, we confirmed that this was not an issue on our side (servers) but on Sectigo's.

 

This does not seem to be a new issue.

Sectigo SSL certificates seem to have had this issue before. Searching for similar user reports about Comodo (later Sectigo), we found that the issue happens randomly for some users:

https://forums.cpanel.net/threads/ssl-slow-first-time.588187/

https://forums.cpanel.net/threads/any-problem-with-ocsp-comodoca-com-ssl.625667/

Although some users managed to resolve this by turning off SSLUseStapling, others did not. We confirmed today that turning off OCSP stapling will NOT resolve the issue permanently. It may resolve it temporarily, but testing from remote servers (not cached) will bring the issue back.

Adjusting the SSL Cipher Suite will not help either, although turning off SSL3 in the SSL Cipher Suite may reduce the load.

Testing with SSLLabs and GTmetrix will confirm the issue:

Sectigo SSL

Rapid SSL

 

Timings were reduced from ~>20 seconds to 193 ms (test server in Canada, web server in Germany).

 

These tests were made on the same domain. Different SSL providers were also tested and the result was the same: only Sectigo SSL certificates had high response times.
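To repeat the measurement without a third-party tester, the script below times the TCP connect and the TLS handshake separately on fresh connections and summarises several runs. It is an added example, not part of the original notice; the 6-second threshold and the sample timings are assumptions constructed from the figures quoted above.

```python
import socket
import ssl
import statistics
import sys
import time

SLOW_S = 6.0  # assumption: lower bound of the 6-35 s range reported above

# Constructed sample runs as (tcp_connect_s, tls_handshake_s); not measured data.
CONSTRUCTED_SLOW = [(0.05, 21.3), (0.05, 0.19), (0.06, 6.4)]
CONSTRUCTED_FAST = [(0.05, 0.193), (0.05, 0.20), (0.06, 0.18)]


def time_tls_handshake(host, port=443, timeout=60.0):
    """Time one fresh connection; return (tcp_connect_s, tls_handshake_s)."""
    ctx = ssl.create_default_context()  # new context per run: no session reuse
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    try:
        # wrap_socket() returns only after the handshake has completed.
        with ctx.wrap_socket(raw, server_hostname=host):
            t2 = time.perf_counter()
    finally:
        raw.close()
    return t1 - t0, t2 - t1


def summarise(samples, threshold=SLOW_S):
    """Summarise repeated runs; one fast run does not prove the issue is gone."""
    connects = [c for c, _ in samples]
    handshakes = [h for _, h in samples]
    slow = [h for h in handshakes if h >= threshold]
    return {
        "runs": len(samples),
        "median_handshake_s": statistics.median(handshakes),
        "max_handshake_s": max(handshakes),
        "slow_runs": len(slow),
        # Slow TLS phase with a fast TCP connect rules out plain network latency.
        "tls_phase_slow": bool(slow) and statistics.median(connects) < threshold,
    }


if __name__ == "__main__":
    for host in sys.argv[1:]:
        runs = [time_tls_handshake(host) for _ in range(5)]
        print(host, summarise(runs))
```

Run it from a machine outside the hosting network with one or more hostnames as arguments, so the result is comparable to the remote tests described above.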

 

Namecheap (one of the bigger Sectigo SSL providers) confirmed the issue after our research and suggestions:

https://www.namecheap.com/status-updates/archives/44364

The issue is marked as Resolved and Namecheap suggests disabling OCSP stapling.

We confirmed that disabling OCSP stapling will not resolve this issue permanently. Disabling OCSP stapling is not recommended anyway.

 

We want to notify our affected clients that this issue will be resolved by 26-04-2019. All affected certificates will be changed.