是什么导致 TLS 握手延迟？

Question

下面是来自curl --trace-time https://... 的一些输出，显示 TLS 握手中间有 0.2 秒的延迟。关于为什么会这样的任何想法？我已经尝试过各种密码选项并且它仍然存在。它似乎也不是外部因素（如 DNS 查找）的结果。

13:48:11.168371 * Connected to maas.its.iastate.edu (10.24.107.84) port 443 (#0)
13:48:11.168721 * SSLv3, TLS handshake, Client hello (1):
13:48:11.168761 } [data not shown]
13:48:11.183236 * SSLv3, TLS handshake, Server hello (2):
13:48:11.183348 { [data not shown]
13:48:11.183894 * SSLv3, TLS handshake, CERT (11):
13:48:11.183938 { [data not shown]
13:48:11.375841 * SSLv3, TLS handshake, Server finished (14):
13:48:11.375898 { [data not shown]
13:48:11.376106 * SSLv3, TLS handshake, Client key exchange (16):
13:48:11.376142 } [data not shown]
13:48:11.376203 * SSLv3, TLS change cipher, Client hello (1):
13:48:11.376240 } [data not shown]
13:48:11.376334 * SSLv3, TLS handshake, Finished (20):
13:48:11.376369 } [data not shown]
13:48:11.392527 * SSLv3, TLS change cipher, Client hello (1):
13:48:11.392585 { [data not shown]
13:48:11.392677 * SSLv3, TLS handshake, Finished (20):
13:48:11.392715 { [data not shown]
13:48:11.392788 * SSL connection using RC4-SHA
13:48:11.392825 * Server certificate: [cert details not shown]
13:48:11.393077 *        SSL certificate verify ok.
13:48:11.393146 > GET /maas/example HTTP/1.1
13:48:11.409146 { [data not shown]
13:48:11.409438 * Closing connection #0

Answer 1

在strace 下运行它并使用-tt 选项：

http://linux.die.net/man/1/strace

类似这样的：

strace -o /output/file -f -tt curl ...

输出将向您显示挂起的位置 - 至少在确切的系统调用挂起的级别上。

Answer 2

这可能是由于证书链过大以及 TCP 启动缓慢造成的。详情请见https://stackoverflow.com/a/29199493/3081018。