Closed Bug 468423 Opened 15 years ago Closed 13 years ago

https is very slow if OCSP server connection fails

Categories

(Core :: Security: PSM, defect)

1.9.0 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 508633

People

(Reporter: james, Assigned: KaiE)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

Since I updated to Firefox 3.0.4 some https sites have been loading extremely slowly. bugzilla seems to be fine, but paypal.com and my banking site (url given) are like wading through treacle. IE7 has no problem with them.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Version: unspecified → 3.0 Branch
Please retest in safe-mode: http://support.mozilla.com/en-US/kb/Safe+Mode
If the problem is still there you could try these options:
http://support.mozilla.com/en-US/kb/Basic+Troubleshooting
Done all that, except for uninstalling and then reinstalling, which seems inappropriate given the nature of the problem.
Could you please create and try a new profile?
http://support.mozilla.com/en-US/kb/Managing+profiles

We cannot reproduce this issue, and that means that this must be something on your side. Reinstalling Firefox will not help, but it could be some security software on your system that is causing this.
A new profile doesn't help, and security software doesn't affect it.

The same sites that are slow in 3.0.4 crash in Firefox 3.0.3 beta 5 for Linux, while bugzilla.mozilla.org doesn't, so there must be something different about them, as well. I suppose we'll have to wait until someone else runs into the problem and see what we have in common.
I've now got FF 3.0.5 on another computer, and it loads the same sites with no problem at all. BUT: in the address bar there is a green bar showing the name of the company. On the slow one, there is only the blue box on the left around the document icon. So I suppose it's something related to verification..?
Do you use some kind of firewall on your system?
It looks like the SSL OCSP request is blocked.
I use the Windows firewall, but turning it off makes no difference.

It turns out the difference isn't in the computer, but in the Internet connection: connecting at home through my ADSL router Firefox and Internet Explorer are both unable to establish the identity of the site owner. But only Firefox goes into a sulk and slows down, both under Windows and under Linux.
Disable OCSP for a test in tools/advanced/encryption/validation.

It seems your ADSL router is broken; be sure that you didn't enable a firewall on the router. You are still protected if your router does NAT.
Disabling OCSP works around the problem.

Checking "Validate all certificates using the following OCSP server" works around the problem.

Checking "When an OCSP server connection fails, treat the certificate as invalid" produces error code: sec_error_ocsp_server_error

I would still see it as a defect in Firefox that it slows down drastically in a situation in which it has been told to continue to work.

(The router is meant to do NAT. There is no firewall, as such, except that unsolicited incoming packets have nowhere to go. Defining this computer as a DMZ doesn't fix the problem. Strange.)
Fixing the router solved the problem.
Severity: major → normal
Summary: some https pages load very very slowly → https is very slow if OCSP server connection fails
Don't enable DMZ, the NAT will not protect you anymore, it's better to live without OCSP!
What fixed your issue with your router?

I don't think this is valid because NSS/PSM waits for a timeout in this case.
Assignee: nobody → kaie
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Version: 3.0 Branch → 1.9.0 Branch
I can see that there should be a delay while Firefox tries to get the identity information. But when it has failed once, it shouldn't keep trying again several times and waiting for the timeout while loading each page.

Router fixed by general reset.

And yes, don't set a DMZ unless you really know what you're doing! We are all trained professionals who spend half our life in hospital! Don't try this at home!
Sorry, I don't know at which knowledge level a reporter is :-)

An OCSP timeout usually means that the OCSP server itself has temporary issues....
As per comment #10:
> Fixing the router solved the problem.

Mark as Resolved WFM?
It hasn't recurred and no-one else has reported it, so that would be reasonable. On the other hand, it shouldn't be too difficult to inform the user of OCSP failure, and it could have security implications under some circumstances.
(In reply to comment #15)
> On the other hand, it shouldn't be too difficult to inform the user
> of OCSP failure, and it could have security implications under some
> circumstances.

In that case perhaps I think it'd be better to resolve as WFM and file a separate bug titled something like "inform the user of OCSP failures". I'd open it myself, but I'm pretty lost as to how to describe it, component affected, etc. Looks good?
(In reply to comment #16)
> resolve as WFM and file a
> separate bug titled something like "inform the user of OCSP failures"

Sounds good.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Resolution: WORKSFORME → DUPLICATE
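
Added example (not part of the bug thread and not NSS/PSM code): a small Python model of the behaviour discussed above, where a soft-fail OCSP check either waits for the full timeout on every page load or remembers a failed responder for a while. The class and function names, the 10-second timeout, the retry window and the responder URL are all constructed for illustration.

```python
import time

class OcspChecker:
    """Hypothetical soft-fail OCSP checker that remembers failed responders."""
    def __init__(self, fetch, timeout=10.0, retry_after=300.0,
                 hard_fail=False, clock=time.monotonic):
        self.fetch = fetch              # callable(url, timeout) -> "good" | "revoked"
        self.timeout = timeout          # seconds to wait for the responder
        self.retry_after = retry_after  # seconds a failure is remembered
        self.hard_fail = hard_fail      # "treat the certificate as invalid" option
        self.clock = clock
        self.failed_until = {}          # responder URL -> earliest retry time

    def check(self, responder_url):
        if self.failed_until.get(responder_url, 0.0) > self.clock():
            status = "unknown"          # recent failure: skip the network wait
        else:
            try:
                status = self.fetch(responder_url, self.timeout)
                self.failed_until.pop(responder_url, None)
            except OSError:             # TimeoutError is a subclass of OSError
                self.failed_until[responder_url] = self.clock() + self.retry_after
                status = "unknown"
        if status == "revoked":
            return "reject"
        if status == "unknown":
            # Soft-fail continues without revocation data; the result is
            # labelled so a caller can surface the failure to the user.
            return "reject" if self.hard_fail else "accept-unverified"
        return "accept"

class FakeClock:
    """Constructed clock so the simulation runs instantly and offline."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def simulate(page_loads, retry_after, hard_fail=False):
    """Return (seconds spent waiting, per-load results) for a blocked responder."""
    clock = FakeClock()
    def blocked_fetch(url, timeout):
        clock.now += timeout            # request is dropped; full timeout elapses
        raise TimeoutError(url)
    checker = OcspChecker(blocked_fetch, retry_after=retry_after,
                          hard_fail=hard_fail, clock=clock)
    results = [checker.check("http://ocsp.example.test/") for _ in range(page_loads)]
    return clock.now, results
```

With `retry_after=0` every one of five page loads pays the full timeout (50 s in total); with a 300 s window only the first load waits (10 s), at the cost of not re-querying revocation status during that window.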