The cause

Opening the community’s web page in WeChat on an iPhone was slow. At first I didn’t care, assuming it was because the server is in Hong Kong. Then one day I opened it on my Android phone and found it was much faster than on the iPhone; I tested several times and got the same result.

Preliminary cause and solution

Let’s Encrypt is blocked by the wall, which slows the page down. The admin group replaced the Let’s Encrypt certificate with one from another provider, but personally I didn’t see much change on the iPhone.

Further findings

A few days later, opening the page on the iPhone was still unbearable, so I googled again and found the following article.…

Besides Let’s Encrypt being blocked, iOS also verifies the certificate’s validity with the CA. Read it and you’ll see that SSL’s OCSP stapling is involved.

Sharp-eyed readers will have noticed that the “watermelon head” group member in the picture above had already mentioned the OCSP problem. I’m ashamed to say I didn’t understand it at the time and thought it was just the wall problem, so I ignored it.

The article says:

What is OCSP stapling? Simply speaking, OCSP stapling makes the web server initiate the request that verifies the certificate’s validity, instead of each user doing it as before, so that each user no longer needs to connect to the CA’s verification server; relatively speaking, the access speed will not be accelerated.

To configure OCSP stapling on nginx:

    ssl_stapling on;               # enables stapling; without it ssl_stapling_verify has no effect
    ssl_stapling_verify on;        # nginx checks the OCSP response against the trusted chain
    resolver <DNS-server-IP> valid=300s;   # address omitted in the original; nginx needs one to look up the OCSP responder
    resolver_timeout 2s;
    ssl_trusted_certificate /etc/letsencrypt/live/;   # path truncated in the original; point it at the certificate chain file
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 180m;
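A client-side check that a server really does staple an OCSP response, added here as an example and not code from the original post: it runs openssl s_client with -status and classifies the output. The function names and the sample output embedded below are my own constructions.

```shell
#!/bin/sh
# Classify the OCSP stapling part of `openssl s_client -status` output read
# from stdin. Prints one of: stapled, unverified, absent, unknown.
stapling_status() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*)
      # A response was stapled; "Cert Status: good" is the healthy case.
      case "$out" in
        *"Cert Status: good"*) echo stapled ;;
        *)                     echo unverified ;;
      esac ;;
    *"OCSP response: no response sent"*) echo absent ;;
    *) echo unknown ;;
  esac
}

# Query a live server (needs network). Usage: check_stapling example.com [443]
check_stapling() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | stapling_status
}

# Constructed sample of what s_client prints when a good response is stapled.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

# Constructed sample for a server that does not staple at all.
SAMPLE_ABSENT='OCSP response: no response sent'

printf '%s\n' "$SAMPLE_STAPLED" | stapling_status   # stapled
printf '%s\n' "$SAMPLE_ABSENT"  | stapling_status   # absent
```

On a freshly (re)started nginx the first handshake may report "absent", because nginx fetches the OCSP response from the responder only after the first connection; run the check twice before concluding stapling is broken.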

After setting this up and testing, opening the community page on the iPhone was noticeably faster. Perfect.

A perfect ending?

At this point I thought the problem was solved, but one question remained in my mind:

  • Why doesn’t Android have this problem?

Today, while configuring SSL for another website and reading up on it, I came across Huo Ju’s blog:

jhuo.ca/post/ocsp-s…

The reason Android doesn’t have the problem is that Google is not satisfied with OCSP as a solution, so Google products, whether Android or Chrome, don’t do OCSP checks at all.

He also said:

An app written in Flutter occasionally had its interface freeze, sometimes for more than 10 seconds, on iOS, but worked fine on Android.

So today this problem was finally and truly resolved, along with my doubts.

To sum up:

1. Use a domestic SSL certificate in place of the Let’s Encrypt one, because Let’s Encrypt distributes OCSP status through the Akamai CDN, which is basically blocked.
2. Enable OCSP stapling to reduce the number of HTTP requests and optimize the speed.
3. Alibaba Cloud and Tencent Cloud each offer a one-year free certificate in China. I use AsiaInfo’s free one-year certificate; recommended.

Recorded here and shared.