Bug 87654
Opened 23 years ago
Closed 23 years ago
OCSP causes Cert Manager to become dreadfully slow
Categories
(Core Graveyard :: Security: UI, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
psm2.1
People
(Reporter: javi, Assigned: javi)
Details
(Keywords: relnote, Whiteboard: [ckritzer])
Attachments
(1 file: 10.25 KB, patch)
On NT, I've got a profile with lots of certs that use the AIA extension (this is the extension that specifies the URL for OCSP). When I try to open the Certificate Manager, loading it takes a *very* long time. If I then turn off OCSP, Cert Manager loads at a normal speed once again. We need to figure out how to prevent the dreaded slow-down we're currently seeing with OCSP enabled.
Setting target to 2.0 in the hopes that we can at least identify the problem or a workaround before we ship.
Priority: -- → P2
Target Milestone: --- → 2.0
Updated • 23 years ago
Keywords: nsenterprise
Comment 3 • 23 years ago (Assignee)
Failure->P1
Comment 5 • 23 years ago (Assignee)
I started playing with this, and it appears that the overhead of OCSP is big enough to cause loading of the cert manager to become dreadfully slow. So I propose the following:
1) When getting the purposes, always turn off OCSP. This gives us the advantage of knowing what the certificate would be good for if OCSP were successful and reducing the number of OCSP operations required to load the certificate manager.
2) If OCSP is enabled, then the "Verified" column gets some graphic or text in essence saying "Shall I go ahead with the OCSP operation?" and if the user clicks on the text/graphic then we go ahead with the OCSP operation. This is bad because it can cause problems even if the OCSP responder is up and running successfully. :(
Thoughts anyone?
Javi's proposal is to delay OCSP verification until the user manually initiates it, which would be after the window was painted. To close the loop, the Verified column could display "true", "false", and "true, pending OCSP". We'd then need to add a "Validate OCSP now" button. That would turn "true, pending OCSP" into either "true" or "false". Now, what happens if you hit that button and you get "false"? You're going to want to know what happened by looking at the Cert Viewer. I filed bug 93703 to cover those thoughts. Javi, this bug report should just cover the initial fix (which I'm OK with). Please open a new bug which contains your ideas on the new buttons. We can put those into a future release.
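A minimal model of the deferral proposed in comment 5 and of the three "Verified" states described in the reply above, added here as an illustration; it is not the attached patch and not PSM or NSS code. The responder stub, the `cert_row` fields, `N_PURPOSES` and the row data are assumptions constructed for the example.

```c
#include <stddef.h>

/* Values the thread proposes for the "Verified" column. */
typedef enum { V_FALSE, V_TRUE, V_TRUE_PENDING_OCSP } verified_t;
typedef struct {
    const char *nickname;
    int chain_ok;    /* local chain/validity result (constructed) */
    int has_aia;     /* certificate carries an AIA OCSP URL */
    int revoked;     /* what the simulated responder will answer */
    verified_t state;
} cert_row;

#define N_PURPOSES 4       /* hypothetical: usages checked per certificate */
static int ocsp_requests;  /* simulated network round trips */

/* Stand-in for one blocking OCSP round trip; returns 1 when status is good. */
static int ocsp_query(const cert_row *c) { ocsp_requests++; return !c->revoked; }

/* Before: each purpose check on an AIA certificate asks the responder at load. */
void load_eager(cert_row *rows, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int ok = rows[i].chain_ok;
        for (int p = 0; p < N_PURPOSES && rows[i].has_aia; p++)
            ok = ocsp_query(&rows[i]) && ok;
        rows[i].state = ok ? V_TRUE : V_FALSE;
    }
}

/* After: load does local checks only and marks AIA certificates as pending. */
void load_deferred(cert_row *rows, size_t n, int ocsp_enabled) {
    for (size_t i = 0; i < n; i++) {
        if (!rows[i].chain_ok) rows[i].state = V_FALSE;
        else if (ocsp_enabled && rows[i].has_aia) rows[i].state = V_TRUE_PENDING_OCSP;
        else rows[i].state = V_TRUE;
    }
}

/* "Validate OCSP now": one round trip, only for the row the user selected. */
verified_t validate_now(cert_row *c) {
    if (c->state == V_TRUE_PENDING_OCSP)
        c->state = ocsp_query(c) ? V_TRUE : V_FALSE;
    return c->state;
}

int main(void) {
    cert_row rows[] = { {"good-aia", 1, 1, 0, V_FALSE}, {"no-aia", 1, 0, 0, V_FALSE} };
    load_deferred(rows, 2, 1);  /* constructed rows; load makes no requests */
    return (ocsp_requests == 0 && validate_now(&rows[0]) == V_TRUE) ? 0 : 1;
}
```

With the eager path, load cost grows with the number of AIA certificates times the purposes checked; with the deferred path it is zero until a row is validated on request.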
Comment 8 • 23 years ago (Assignee)
Comment 9 • 23 years ago
r=ddrinan.
Comment 10 • 23 years ago
sr=blizzard
Comment 11 • 23 years ago (Assignee)
Patch checked in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 12 • 23 years ago
Javi, are you still seeing this? I don't have a ton of certs @ home, so I'm not seeing a big slowdown on: Win2k 2001-08-10-10-trunk Commercial MacOSX 2001-08-10-05-trunk Commercial - I'll verify when I get in on Monday as well, but if you could take a quick look, that'd be great. Thanks - Kritzer
Updated • 23 years ago
Whiteboard: [ckritzer]
Comment 13 • 23 years ago
Chris, if you don't see a big slowdown that's because Javi's fixed the bug. It used to be that if you used the third OCSP option (specify the signer and url) to some inexistent value the application would basically be so slow as to be unusable. Not seeing this is verifying the bug.
Comment 14 • 23 years ago
Marking VERIFIED FIXED on:
- MacOS91 2001-08-21-04-trunk (commercial)
- MacOS_X 2001-08-21-05-trunk (commercial)
- LinRH62 2001-08-21-06-trunk (commercial)
- Win98SE 2001-08-21-11-trunk (commercial)
Not seeing any slowdowns.
Status: RESOLVED → VERIFIED
Updated • 8 years ago
Product: Core → Core Graveyard