Closed
Bug 468423
Opened 16 years ago
Closed 15 years ago
https is very slow if OCSP server connection fails
Categories
(Core :: Security: PSM, defect)
RESOLVED DUPLICATE of bug 508633
People
(Reporter: james, Assigned: KaiE)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

Since I updated to Firefox 3.0.4 some https sites have been loading extremely slowly. bugzilla seems to be fine, but paypal.com and my banking site (url given) are like wading through treacle. IE7 has no problem with them.

Reproducible: Always

Steps to Reproduce: 1. 2. 3.
Reporter
Updated•16 years ago
Version: unspecified → 3.0 Branch
Comment 1•16 years ago
Please retest in safe-mode: http://support.mozilla.com/en-US/kb/Safe+Mode If the problem is still there you could try these options: http://support.mozilla.com/en-US/kb/Basic+Troubleshooting
Reporter
Comment 2•16 years ago
Done all that, except for uninstalling and then reinstalling, which seems inappropriate given the nature of the problem.
Comment 3•16 years ago
Could you please create and try a new profile? http://support.mozilla.com/en-US/kb/Managing+profiles We cannot reproduce this issue and that means that this must be something on your side. Reinstalling Firefox will not help, but it could be some security software on your system that is causing this.
Reporter
Comment 4•16 years ago
A new profile doesn't help, and security software doesn't affect it. The same sites that are slow in 3.0.4 crash in Firefox 3.0.3 beta 5 for Linux, while bugzilla.mozilla.org doesn't, so there must be something different about them, as well. I suppose we'll have to wait until someone else runs into the problem and see what we have in common.
Reporter
Comment 5•16 years ago
I've now got FF 3.0.5 on another computer, and it loads the same sites with no problem at all. BUT: in the address bar there is a green bar showing the name of the company. On the slow one, there is only the blue box on the left around the document icon. So I suppose it's something related to verification..?
Comment 6•16 years ago
Do you use some kind of firewall on your system? It looks like the SSL OCSP request is blocked.
Reporter
Comment 7•16 years ago
I use the Windows firewall, but turning it off makes no difference. It turns out the difference isn't in the computer, but in the Internet connection: connecting at home through my ADSL router, Firefox and Internet Explorer are both unable to establish the identity of the site owner. But only Firefox goes into a sulk and slows down, both under Windows and under Linux.
Comment 8•16 years ago
Disable OCSP for a test in tools/advanced/encryption/validation. It seems your ADSL router is broken; be sure that you didn't enable a firewall on the router. You are still protected if your router does NAT.
Reporter
Comment 9•16 years ago
Disabling OCSP works around the problem.
Checking "Validate all certificates using the following OCSP server" works around the problem.
Checking "When an OCSP server connection fails, treat the certificate as invalid" produces error code: sec_error_ocsp_server_error

I would still see it as a defect in Firefox that it slows down drastically in a situation in which it has been told to continue to work.

(The router is meant to do NAT. There is no firewall, as such, except that unsolicited incoming packets have nowhere to go. Defining this computer as a DMZ doesn't fix the problem. Strange.)
Reporter
Comment 10•16 years ago
Fixing the router solved the problem.
Severity: major → normal
Summary: some https pages load very very slowly → https is very slow if OCSP server connection fails
Comment 11•16 years ago
Don't enable DMZ, the NAT will not protect you anymore; it's better to live without OCSP! What fixed your issue with your router? I don't think this is valid because NSS/PSM waits for a timeout in this case.
Assignee: nobody → kaie
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Version: 3.0 Branch → 1.9.0 Branch
Reporter
Comment 12•16 years ago
I can see that there should be a delay while Firefox tries to get the identity information. But when it has failed once, it shouldn't keep trying again several times and waiting for the timeout while loading each page. Router fixed by general reset. And yes, don't set a DMZ unless you really know what you're doing! We are all trained professionals who spend half our life in hospital! Don't try this at home!
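
An added illustration (not part of the bug thread and not NSS/PSM code) of the behaviour asked for in comment 12: a revocation checker that remembers a failed responder, so only the first connection waits for the timeout. The class, the 10-second timeout, the 300-second cache lifetime and the responder URL are assumptions made for the example.

```python
import time

class ResponderUnreachable(Exception):
    """Raised by a fetcher when the OCSP responder cannot be reached."""

class RevocationChecker:
    """Hypothetical checker; not the NSS/PSM implementation."""
    def __init__(self, fetch, hard_fail=False, failure_ttl=0.0, clock=time.monotonic):
        self.fetch = fetch              # callable(url) -> "good" or "revoked"
        self.hard_fail = hard_fail      # True: a responder failure invalidates the cert
        self.failure_ttl = failure_ttl  # seconds to remember a dead responder (0 = off)
        self.clock = clock
        self._dead_until = {}           # responder url -> expiry of its failure entry

    def check(self, url):
        """Return (accepted, reason) for one connection's certificate."""
        if self._dead_until.get(url, 0.0) > self.clock():
            return self._on_failure("cached responder failure")  # no network wait
        try:
            status = self.fetch(url)
        except ResponderUnreachable:
            if self.failure_ttl > 0:
                self._dead_until[url] = self.clock() + self.failure_ttl
            return self._on_failure("responder unreachable")
        return (status == "good", status)

    def _on_failure(self, reason):
        # Soft-fail accepts the certificate without any revocation answer, so the
        # reason is returned for the caller to log or show to the user.
        return (not self.hard_fail, reason)

def simulate(connections, timeout, **policy):
    """Constructed scenario: every OCSP request is dropped and costs `timeout` s."""
    elapsed = [0.0]                     # simulated clock, nothing really sleeps
    def blocked_fetch(url):
        elapsed[0] += timeout
        raise ResponderUnreachable(url)
    checker = RevocationChecker(blocked_fetch, clock=lambda: elapsed[0], **policy)
    results = [checker.check("http://ocsp.example.test") for _ in range(connections)]
    return elapsed[0], results

if __name__ == "__main__":
    for label, policy in [("soft-fail, no cache", {}),
                          ("soft-fail, 300 s failure cache", {"failure_ttl": 300}),
                          ("hard-fail, 300 s failure cache",
                           {"hard_fail": True, "failure_ttl": 300})]:
        waited, results = simulate(6, 10.0, **policy)
        print(f"{label}: waited {waited:.0f}s, accepted={results[0][0]}")
```
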
Comment 13•16 years ago
Sorry, I don't know at which knowledge level a reporter is :-) An OCSP timeout usually means that the OCSP server itself has temporary issues....
Comment 14•15 years ago
As per comment #10:
> Fixing the router solved the problem.

Mark as Resolved WFM?
Reporter
Comment 15•15 years ago
It hasn't recurred and no-one else has reported it, so that would be reasonable. On the other hand, it shouldn't be too difficult to inform the user of OCSP failure, and it could have security implications under some circumstances.
Comment 16•15 years ago
(In reply to comment #15)
> On the other hand, it shouldn't be too difficult to inform the user
> of OCSP failure, and it could have security implications under some
> circumstances.

In that case perhaps I think it'd be better to resolve as WFM and file a separate bug titled something like "inform the user of OCSP failures". I'd open it myself, but I'm pretty lost as to how to describe it, component affected, etc. Looks good?
Reporter
Comment 17•15 years ago
(In reply to comment #16)
> resolve as WFM and file a
> separate bug titled something like "inform the user of OCSP failures"

Sounds good.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Reporter
Updated•15 years ago
Resolution: WORKSFORME → DUPLICATE