Closed Bug 87654 Opened 23 years ago Closed 23 years ago

OCSP causes Cert Manager to become dreadfully slow

Categories

(Core Graveyard :: Security: UI, defect, P1)

1.0 Branch
x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED FIXED
psm2.1

People

(Reporter: javi, Assigned: javi)

Details

(Keywords: relnote, Whiteboard: [ckritzer])

Attachments

(1 file)

On NT, I've got a profile with lots of certs that use the AIA extension (this is
the extension that specifies the URL for OCSP). When I try to open the
Certificate Manager, loading it takes a *very* long time. If I then turn off
OCSP, Cert Manager loads at a normal speed once again.

We need to figure out how to prevent the dreaded slow-down we're currently
seeing with OCSP enabled.
Setting target to 2.0 in the hopes that we can at least identify the problem or
a workaround before we ship.
Priority: -- → P2
Target Milestone: --- → 2.0
Target 2.0 -> 2.1

Keywords: relnote
Target Milestone: 2.0 → 2.1
Keywords: nsenterprise
Failure->P1
P1
Priority: P2 → P1
I started playing with this, and it appears that the overhead of OCSP is big
enough to cause loading of the cert manager to become dreadfully slow.

So I propose the following:
1) When getting the purposes, always turn off OCSP.  This gives us the advantage
of knowing what the certificate would be good for if OCSP were successful and
reducing the number of OCSP operations required to load the certificate manager.

2) If OCSP is enabled, then the "Verified" column gets some graphic or text in
essence saying "Shall I go ahead with the OCSP operation?" and if the user
clicks on the text/graphic then we go ahead with the OCSP operation.

This is bad because it can cause problems even if the OCSP responder is up and
running successfully.  :(

Thoughts anyone?
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Javi's proposal is to delay OCSP verification until the user manually initiates
it, which would be after the window was painted. 
To close the loop, the Verified column could display "true", "false", and "true,
pending OCSP".  We'd then need to add a "Validate OCSP now" button. That would
turn "true, pending OCSP" into either "true" or "false".

Now, what happens if you hit that button and you get "false"?  You're going to
want to know what happened by looking at the Cert Viewer. I filed bug 93703 to
cover those thoughts.

Javi, this bug report should just cover the initial fix (which I'm OK with). 
Please open a new bug which contains your ideas on the new buttons.  We can put
those into a future release.
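
The deferred-check design discussed above, as an added example that is not part of the original bug thread or the PSM patch: the list is filled from local validation only, and a row contacts its responder only when asked. The names `CertRow`, `load_rows`, `validate_ocsp_now`, the stub responder and its URLs are hypothetical, and treating an unreachable responder as "false" is an assumption the thread does not settle.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional

class Verified(Enum):
    TRUE = "true"
    FALSE = "false"
    PENDING = "true, pending OCSP"

@dataclass
class CertRow:
    nickname: str
    chain_ok: bool            # outcome of local validation with OCSP turned off
    ocsp_url: Optional[str]   # responder URL from the AIA extension, if present
    state: Verified = Verified.FALSE

def load_rows(rows: List[CertRow], ocsp_enabled: bool) -> List[CertRow]:
    """Fill the Verified column from local results; no responder is contacted."""
    for row in rows:
        if not row.chain_ok:
            row.state = Verified.FALSE
        elif ocsp_enabled and row.ocsp_url:
            row.state = Verified.PENDING
        else:
            row.state = Verified.TRUE
    return rows

def validate_ocsp_now(row: CertRow, ocsp_check: Callable[[str], bool]) -> Verified:
    """Resolve one pending row; ocsp_check raises OSError if the responder is down."""
    if row.state is Verified.PENDING:
        try:
            good = ocsp_check(row.ocsp_url)
        except OSError:
            good = False      # assumption: unreachable responder counts as "false"
        row.state = Verified.TRUE if good else Verified.FALSE
    return row.state

CALLS: List[str] = []         # constructed stub responder records each lookup here

def stub_check(url: str) -> bool:
    CALLS.append(url)
    if "nonexistent" in url:
        raise OSError("responder unreachable")
    return True

ROWS = load_rows([            # constructed sample certificates
    CertRow("good-ca", True, "http://ocsp.example.test/"),
    CertRow("dead-responder", True, "http://nonexistent.example.test/"),
    CertRow("no-aia", True, None),
    CertRow("bad-chain", False, "http://ocsp.example.test/"),
], ocsp_enabled=True)
```

Loading the four sample rows makes no responder lookups; the unreachable responder costs a single failed lookup, and only for the row that was explicitly validated.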





Keywords: patch
r=ddrinan.
sr=blizzard
Patch checked in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Javi, are you still seeing this?  I don't have a ton of certs @ home, so I'm 
not seeing a big slowdown on:
Win2k  2001-08-10-10-trunk Commercial
MacOSX 2001-08-10-05-trunk Commercial

 - I'll verify when I get in on Monday as well, but if you could take a quick 
look, that'd be great.

Thanks - Kritzer
Whiteboard: [ckritzer]
chris,
If you don't see a big slowdown that's because Javi's fixed the bug.
It used to be that if you used the third OCSP option (specify the signer and
url) to some nonexistent value the application would basically be so slow as to
be unusable. Not seeing this is verifying the bug.
Marking VERIFIED FIXED on:
- MacOS91 2001-08-21-04-trunk (commercial)
- MacOS_X 2001-08-21-05-trunk (commercial)
- LinRH62 2001-08-21-06-trunk (commercial)
- Win98SE 2001-08-21-11-trunk (commercial)


Not seeing any slowdowns.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard