Closed Bug 140247 Opened 23 years ago Closed 18 years ago

OCSP: Mozilla freezes when trying to view digitaly signed message.

Categories

(MailNews Core :: Security: S/MIME, defect, P2)

Other Branch
x86
Windows 98

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tjibbe, Unassigned)

References

Details

(Keywords: hang, Whiteboard: OCSP [kerh-bra])

When trying to view a digitaly signed message on usenet with mailnews, Mozilla
freezes.

I have Mozilla set to use OCSP to validate only messages that specify an OCSP
service URL.

Steps to reproduce

In Preferences: go to Privacy & Security - Validation
set: Use OCSP to validate only messages that specify an OCSP service URL.

Go to news:netscape.public.mozilla.builds
Try to view a digaitaly signed message, a TRUNK tree status message for instance.

Result:
Mozilla now totaly freezes up until it has contacted the OCSP server
(certificates.netscape.com:80 in this case). It is not even possible to go to
another Mozilla windows. After contacting the server, Mozilla returns to normal
operation.

Expected result:
Mozilla should contact the OCSP service in the background, without freezing up
entirely.

Workaround:
Do not use OCSP for certificate validation. (This way you can not see if a
certificate has been revoked!)
See also bug 136459 and bug 136469.

OCSP should probably be disabled for beta and release noted until we can fix
these bugs.  Activating OCSP at the moment causes breakage in the mail client.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
I will reconfirm on Win98.  Win2k and XP have some bugs related to OCSP, but the
client is not freezing.  Using the intranet server, all signed messages are
showing up with invalid signatures.

What is even cooler, is the fact that although you cannot set your preferences
to sign newsgroups, you can go through your mail account and change the type
column to 'newsgroup' and then sign the message!

Otherbugs to look at (might be the intranet server does not have OCSP URL
configured properly)
-invalid signature: reason - CA is not trusted (? - the root CA is, as is the
intermediary)
-View cert indicates that the cert has been verified for the following uses, and
then contains a null list of uses.  There is a separate bug for this already (I
think under the client lib component)
Is it possible that we only freeze, if the OCSP server is temporarily not
responding?

Another question: What happens if the user is not allowed to connect to the OCSP
server site, like a blocking firewall?
Only affect the user when OCSP is turned on.
Priority: P1 → P2
Summary: Mozilla freezes when trying to view digitaly signed message. → OCSP: Mozilla freezes when trying to view digitaly signed message.
Whiteboard: OCSP
Target Milestone: --- → Future
Blocks: 157555
Keywords: hang
Kai,

The code that talks to the OCSP server uses PR_Connect with a timeout of 30s. So
it should eventually return if the server is down.

However, it then uses PR_Write to send the OCSP request, which will block
forever if the server isn't reading the data after accepting the connection, or
the network becomes unavailable in the middle of the request. This may be what
the original reporter of this defect was seeing.

The part that reads the OCSP response now uses PR_Recv instead of PR_Send, with
a 30s timeout.
Keywords: nsbeta1
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Mass change "Future" target milestone to "--" on bugs that now are assigned to
nobody.  Those targets reflected the prioritization of past PSM management.
Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Product: PSM → Core
Whiteboard: OCSP → OCSP [kerh-bra]
I believe this should be fixed now, with the work in bug 111384.

I'm closing this as fixed. Please reopen if you still have this problem.
Status: NEW → RESOLVED
Closed: 18 years ago
Depends on: 111384
Resolution: --- → FIXED
Product: Core → MailNews Core
QA Contact: carosendahl → s.mime
You need to log in before you can comment on or make changes to this bug.