Closed Bug 1867794 Opened 1 year ago Closed 1 year ago

Abnormally long TCP connection phase when using security.enterprise_roots.enabled in Firefox 120

Categories

(Core :: Security: PSM, defect)

Firefox 120
Desktop
Windows
defect

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox120 --- wontfix
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix

People

(Reporter: yannis, Unassigned, NeedInfo)

Details

(Keywords: regression, regressionwindow-wanted)

+++ This bug was initially created as a clone of Bug #1867035 +++

thammer is experiencing what looks like a regression in Firefox 120 in connection with networking, when using security.enterprise_roots.enabled, causing delays on requests to websites that use these enterprise root certificates. They included a link to a performance profile where we can see a request for which the TCP connection phase takes 21 seconds.

From thammer in bug 1867035 comment 6

My company is having this issue as well.

Firefox 120 (no add-ons) on Windows 10/11. Website takes 5-15 seconds to respond, after which the site works normally. If a subsequent request is made (say AJAX...we have many), the process starts over.

So far I've only noticed the issue with our internal enterprise sites. This setup has been working fine until employees began updating to FF120.

The setup we have been using before FF120 is as follows: We distribute our enterprise root certificate to Windows machines via Group Policy (manually installed them for MacOS) then manually enable "security.enterprise_roots.enabled" in Firefox config.

Our current workaround is to visit the workstation and manually import our enterprise root certificate directly into Firefox using Settings->View Certificates->Import. After this things work normally.

From thammer in bug 1867035 comment 7

I should point out that I tested a Windows 11 workstation (in Parallels) using FF119 first to ensure things are working as they should. I then upgraded to FF120 and the problem manifested. I should also point out that other browsers (Chrome, Edge) worked fine with our internal secure sites. Only FF120 exhibits the issue and only on our internal secure sites. I also want to mention that once the site loads, the security indicators on the URL bar appear as they should (encryption enabled). It's just the 5 to 15 second delay that's causing the issues.

From thammer in bug 1867035 comment 16

I confirmed that our enterprise root certificate doesn't appear in the list when I go to Settings->Privacy & Security->Certificates->View Certificates. I made sure that "Allow Firefox to automatically trust third-party root certificates you install" was checked. I also verified that our enterprise root certificate was installed properly via certmgr.msc->Certificates->Trusted Root Certificate Authorities->Certificates. Then I ran the profiler and uploaded it as requested: https://share.firefox.dev/47UsrpA

From thammer in bug 1867035 comment 17

I also noticed that my Firefox version had auto-updated to 120.0.1 and the problem still happens.

Summary: Some users are experiencing a persistent startup delay after Firefox 120 update → Abnormally long TCP connection phase when using security.enterprise_roots.enabled in Firefox 120

Looks like cert component issue, please pass back to us if it's not the case.

Component: Networking → Security: PSM

Can you gather a new profile with the custom threads "GeckoMain,Socket Thread,ssl,osclientcert"? Thanks!

Flags: needinfo?(thammer)
No longer blocks: 1867035
See Also: → 1867035
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE