Over the weekend, many visitors using Chrome to access sites hosted on our WordPress platform will have found that some of those sites seem to be slightly slower than normal. These sites all have one thing in common: they are running over HTTPS. All sites on our WordPress platform that have an SSL certificate installed make use of HTTP/2 by default. This provides a significant performance increase when loading multiple HTTP requests, for instance a page and then the images on that page.
Unfortunately as of Chrome version 51, visitors using the Chrome browser will be forced back to HTTP/1.1 and therefore a slower loading site.
The reason for this is a change in Chrome, meaning that it will only communicate over HTTP/2 with servers supporting ALPN. This is included in OpenSSL version 1.0.2 but, in common with many providers, our servers use OpenSSL version 1.0.1 as included in all current versions of CentOS.
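What the presence or absence of ALPN looks like on the wire, as an added example (not code from the original post or the hosting platform): it parses a TLS 1.2 ServerHello and reports which HTTP version a browser ends up on. The sample messages are constructed, and the comparison with NPN, the older negotiation extension that OpenSSL 1.0.1 does support and that Chrome 51 no longer uses, is background added here.

```python
import struct

EXT_ALPN = 16     # application_layer_protocol_negotiation (RFC 7301)
EXT_NPN = 13172   # next_protocol_negotiation (older draft extension)

def _names(buf):
    """Split a run of 1-byte-length-prefixed protocol names."""
    out, i = [], 0
    while i < len(buf):
        n = buf[i]
        out.append(buf[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return out

def server_hello_protocols(hs):
    """Return (alpn_selected, npn_advertised) from a TLS 1.2 ServerHello message."""
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if hs[:1] != b"\x02" or len(body) < 38:
        raise ValueError("not a complete ServerHello")
    i = 34 + 1 + body[34] + 3     # version+random, session id, cipher+compression
    alpn, npn = None, []
    end = min(len(body), i + 2 + int.from_bytes(body[i:i + 2], "big"))
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, i)
        data = body[i + 4:i + 4 + elen]
        i += 4 + elen
        if etype == EXT_ALPN:     # 2-byte list length, then the one selected name
            alpn = (_names(data[2:]) or [None])[0]
        elif etype == EXT_NPN:    # bare list of names the server advertises
            npn = _names(data)
    return alpn, npn

def http_version(hs, client_uses_npn=False):
    """HTTP version the browser ends up on; Chrome 51+ is client_uses_npn=False."""
    alpn, npn = server_hello_protocols(hs)
    if alpn == "h2" or (client_uses_npn and "h2" in npn):
        return "HTTP/2"
    return "HTTP/1.1"

def sample_hello(exts):
    """Constructed ServerHello (zeroed random, empty session id) for the demo."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = b"\x03\x03" + bytes(32) + b"\x00\xc0\x2f\x00" + struct.pack("!H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body

NPN_ONLY = sample_hello([(EXT_NPN, b"\x02h2\x08http/1.1")])  # OpenSSL 1.0.1-style reply
WITH_ALPN = sample_hello([(EXT_ALPN, b"\x00\x03\x02h2")])    # OpenSSL 1.0.2-style reply
```

A server only answers with the NPN extension when the client offers it, so a Chrome 51 client talking to an OpenSSL 1.0.1 server sees neither extension, which `sample_hello([])` models.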
Unlike many pieces of software, OpenSSL is used by lots of services and systems as well as software within the operating system. Consequently, updating OpenSSL means updating and separately managing the updates of all these services away from the normal package manager. We would then have to maintain these separate packages until CentOS 8 was released. This is not likely before mid-2017 at the earliest. For certain pieces of software we already do this; for example, we build our own version of Nginx on WordPress Hosting rather than use that provided by CentOS. It is unfortunately not practical for us to do this for a core element such as OpenSSL.
We are not alone. Of the major Linux distributions, only Ubuntu 16.04 LTS comes with support for OpenSSL 1.0.2, and consequently this will be affecting most hosts.