Closed Bug 87654 Opened 24 years ago Closed 24 years ago

OCSP causes Cert Manager to become dreadfully slow

Categories

(Core Graveyard :: Security: UI, defect, P1)

1.0 Branch
x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED FIXED
psm2.1

People

(Reporter: javi, Assigned: javi)

Details

(Keywords: relnote, Whiteboard: [ckritzer])

Attachments

(1 file)

On NT, I've got a profile with lots of certs that use the AIA extension (this is the extension that specifies the URL for OCSP). When I try to open the Certificate Manager, loading it takes a *very* long time. If I then turn off OCSP, Cert Manager loads at a normal speed once again. We need to figure out how to prevent the dreaded slow-down we're currently seeing with OCSP enabled.
Setting target to 2.0 in the hopes that we can at least identify the problem or a workaround before we ship.
Priority: -- → P2
Target Milestone: --- → 2.0
Target 2.0 -> 2.1
Keywords: relnote
Target Milestone: 2.0 → 2.1
Keywords: nsenterprise
Failure->P1
P1
Priority: P2 → P1
I started playing with this, and it appears that the overhead of OCSP is big enough to cause loading of the cert manager to become dreadfully slow. So I propose the following:
1) When getting the purposes, always turn off OCSP. This gives us the advantage of knowing what the certificate would be good for if OCSP were successful and reducing the number of OCSP operations required to load the certificate manager.
2) If OCSP is enabled, then the "Verified" column gets some graphic or text in essence saying "Shall I go ahead with the OCSP operation?" and if the user clicks on the text/graphic then we go ahead with the OCSP operation. This is bad because it can cause problems even if the OCSP responder is up and running successfully. :( Thoughts anyone?
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Javi's proposal is to delay OCSP verification until the user manually initiates it, which would be after the window was painted. To close the loop, the Verified column could display "true", "false", and "true, pending OCSP". We'd then need to add a "Validate OCSP now" button. That would turn "true, pending OCSP" into either "true" or "false". Now, what happens if you hit that button and you get "false"? You're going to want to know what happened by looking at the Cert Viewer. I filed bug 93703 to cover those thoughts. Javi, this bug report should just cover the initial fix (which I'm OK with). Please open a new bug which contains your ideas on the new buttons. We can put those into a future release.
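
The deferral discussed in the two comments above, sketched as an added example that is not part of the original bug thread and not PSM's code: the manager's rows are built with no OCSP traffic, and a pending row is resolved only on request, with a bounded wait. All function names and the sample certs are hypothetical, and showing a timeout as "false" is an assumption.

```javascript
// Added illustration: all names are hypothetical, none are PSM or NSS APIs.
const PENDING = "true, pending OCSP";

// Constructed sample store. locallyValid stands for the result of the
// verification done with OCSP switched off; aiaUrl is the responder URL
// taken from the AIA extension (null when the cert has none).
const sampleCerts = [
  { name: "alice", locallyValid: true, aiaUrl: "http://ocsp.example.test/a" },
  { name: "bob", locallyValid: true, aiaUrl: null },
  { name: "carol", locallyValid: false, aiaUrl: "http://ocsp.example.test/c" },
];

// Verified column for one row, computed without any network access.
function verifiedColumn(cert, ocspEnabled) {
  if (!cert.locallyValid) return "false"; // no OCSP answer can fix this
  return ocspEnabled && cert.aiaUrl ? PENDING : "true";
}

// What the manager window paints on load: one row per cert, zero OCSP queries.
function buildRows(certs, ocspEnabled) {
  return certs.map((c) => ({ name: c.name, verified: verifiedColumn(c, ocspEnabled) }));
}

// "Validate OCSP now" for one pending row. queryResponder is an injected async
// function resolving to "good" or "revoked". Assumption: a timeout or error
// is shown as "false" (the thread only names "true" and "false" as outcomes).
async function validateOcspNow(cert, queryResponder, timeoutMs) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("OCSP timeout")), timeoutMs);
  });
  try {
    const status = await Promise.race([queryResponder(cert.aiaUrl), timeout]);
    return status === "good" ? "true" : "false";
  } catch (err) {
    return "false";
  } finally {
    clearTimeout(timer);
  }
}
```
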
Keywords: patch
r=ddrinan.
sr=blizzard
Patch checked in.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Javi, are you still seeing this? I don't have a ton of certs @ home, so I'm not seeing a big slowdown on:
Win2k 2001-08-10-10-trunk Commercial
MacOSX 2001-08-10-05-trunk Commercial
- I'll verify when I get in on Monday as well, but if you could take a quick look, that'd be great. Thanks - Kritzer
Whiteboard: [ckritzer]
Chris, if you don't see a big slowdown, that's because Javi's fixed the bug. It used to be that if you used the third OCSP option (specify the signer and url) to some inexistent value, the application would basically be so slow as to be unusable. Not seeing this is verifying the bug.
Marking VERIFIED FIXED on:
- MacOS91 2001-08-21-04-trunk (commercial)
- MacOS_X 2001-08-21-05-trunk (commercial)
- LinRH62 2001-08-21-06-trunk (commercial)
- Win98SE 2001-08-21-11-trunk (commercial)
Not seeing any slowdowns.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard