Reputation: 9416
Below is some output from curl --trace-time https://... which shows a 0.2 second delay in the middle of the TLS handshake. Any ideas on why this might be? I've tried with various cipher options and it persists. It also doesn't appear to be the result of something external (like a DNS lookup).
13:48:11.168371 * Connected to maas.its.iastate.edu (10.24.107.84) port 443 (#0)
13:48:11.168721 * SSLv3, TLS handshake, Client hello (1):
13:48:11.168761 } [data not shown]
13:48:11.183236 * SSLv3, TLS handshake, Server hello (2):
13:48:11.183348 { [data not shown]
13:48:11.183894 * SSLv3, TLS handshake, CERT (11):
13:48:11.183938 { [data not shown]
13:48:11.375841 * SSLv3, TLS handshake, Server finished (14):
13:48:11.375898 { [data not shown]
13:48:11.376106 * SSLv3, TLS handshake, Client key exchange (16):
13:48:11.376142 } [data not shown]
13:48:11.376203 * SSLv3, TLS change cipher, Client hello (1):
13:48:11.376240 } [data not shown]
13:48:11.376334 * SSLv3, TLS handshake, Finished (20):
13:48:11.376369 } [data not shown]
13:48:11.392527 * SSLv3, TLS change cipher, Client hello (1):
13:48:11.392585 { [data not shown]
13:48:11.392677 * SSLv3, TLS handshake, Finished (20):
13:48:11.392715 { [data not shown]
13:48:11.392788 * SSL connection using RC4-SHA
13:48:11.392825 * Server certificate: [cert details not shown]
13:48:11.393077 * SSL certificate verify ok.
13:48:11.393146 > GET /maas/example HTTP/1.1
13:48:11.409146 { [data not shown]
13:48:11.409438 * Closing connection #0
Upvotes: 2
Views: 12181
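An added example, not part of the original question or its answers: a small parser for `curl --trace-time` output that computes the time between consecutive lines and reports which handshake step precedes each stall. The function names and the 50 ms threshold are assumptions chosen for illustration; the sample lines are copied from the trace above.

```python
import re
from datetime import datetime

# Subset of the trace posted in the question, copied verbatim.
SAMPLE_TRACE = """\
13:48:11.168721 * SSLv3, TLS handshake, Client hello (1):
13:48:11.168761 } [data not shown]
13:48:11.183236 * SSLv3, TLS handshake, Server hello (2):
13:48:11.183348 { [data not shown]
13:48:11.183894 * SSLv3, TLS handshake, CERT (11):
13:48:11.183938 { [data not shown]
13:48:11.375841 * SSLv3, TLS handshake, Server finished (14):
13:48:11.375898 { [data not shown]
13:48:11.376106 * SSLv3, TLS handshake, Client key exchange (16):
"""

# --trace-time prefixes every line with HH:MM:SS.microseconds
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6}) (.*)$")

def parse_trace(text):
    """Return [(datetime, message)] for timestamped lines; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2)))
    return events

def find_gaps(events, threshold=0.05):
    """Return (seconds, last_info_line, next_line) for each gap >= threshold,
    largest first. last_info_line is the most recent '* ' line before the gap,
    which names the handshake step instead of '[data not shown]'."""
    found, last_info = [], None
    for i, (stamp, msg) in enumerate(events):
        if i:
            delta = (stamp - events[i - 1][0]).total_seconds()
            if delta < 0:              # trace crossed midnight; no date is logged
                delta += 86400
            if delta >= threshold:
                found.append((delta, last_info, msg))
        if msg.startswith("* "):
            last_info = msg[2:]
    return sorted(found, key=lambda g: g[0], reverse=True)

if __name__ == "__main__":
    for seconds, before, after in find_gaps(parse_trace(SAMPLE_TRACE)):
        print(f"{seconds:.6f}s after '{before}' before '{after}'")
```

On the question's trace this isolates the pause between the CERT message and the Server finished message.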
Reputation: 1
Run it under strace and use the -tt option:
http://linux.die.net/man/1/strace
Something like this:
strace -o /output/file -f -tt curl ...
The output will show you where the hang is - at least at the level of exactly what system call hangs.
Upvotes: 4
Reputation: 123471
This might be caused by a large certificate chain together with TCP slow start. See https://stackoverflow.com/a/29199493/3081018 for more details.
Upvotes: 2