Open Bug 579606 Opened 10 years ago Updated 4 years ago
Multiple OCSP requests should be performed in parallel
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:22.214.171.124) Gecko/20100625 Firefox/3.6.6

When visiting EV sites in Firefox (NSS LibPKIX), multiple OCSP requests in a certificate chain are not performed in parallel. Using packet sniffers, we can observe that each OCSP request is serialized and blocked. Considering that each OCSP request may take hundreds of milliseconds to complete, sending them in parallel should significantly reduce the load time of EV sites.

Reproducible: Always

Steps to Reproduce:
1. Start a packet sniffer (e.g. Wireshark) to log OCSP packets
2. Visit an EV site in Firefox 3.6

Actual Results:
OCSP requests of intermediate certs and leaf certs are serialized and blocked.

Expected Results:
Multiple OCSP requests should be performed in parallel.

This issue can also be observed on all HTTPS sites in Linux Chrome (which uses NSS LibPKIX to verify certificates).
The data in the attached waterfall chart was generated using an instrumented Linux Chromium loading https://www.google.com with an empty cache.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Yep, I agree. Is this something better done at the NSS, or PSM level?
Both, cooperatively. It's definitely going to require a pretty big change to NSS. Today, NSS has a synchronous (blocking) callback API by which it calls out to Firefox's http client to send the OCSP requests and get the OCSP responses. Some minor work on that would be needed, a flag to say "It's OK to return before you're done" and a return value that says "I returned before I got a result", and then a major addition is needed to provide a way for NSS to be notified when the result finally arrives (or times out or whatever). Then NSS must be changed to remember uncompleted revocation checks, and go back and finish them when the result comes in. THAT might be the biggest change of all. We'd want to make it in only one of our two cert validation libraries, the one on which Firefox relies for EV, libPKIX.
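As an added illustration (not NSS, PSM or Firefox code) of the asynchronous flow sketched in the comment above: a small Python model in which the HTTP-client callback takes an allow_async flag, may answer PENDING instead of blocking, and the verifier remembers the unfinished revocation checks and completes them when notified. The names ChainVerifier, notify_result and the two-cert chain are assumptions made for this sketch.

```python
from enum import Enum

class OCSPStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"
    PENDING = "pending"          # "I returned before I got a result"

class ChainVerifier:
    # Issue every OCSP request in the chain up front, remember the
    # unfinished ones, and finish them when the result is delivered.
    def __init__(self, send_request):
        # send_request(cert, request_id, allow_async) -> OCSPStatus. It may
        # return PENDING only when allow_async ("OK to return before you're
        # done") is True; otherwise it blocks, as the current NSS API does.
        self.send_request = send_request
        self.pending = {}        # request_id -> cert awaiting a response
        self.results = {}        # cert -> OCSPStatus

    def verify(self, chain, allow_async=True):
        for request_id, cert in enumerate(chain, start=1):
            status = self.send_request(cert, request_id, allow_async)
            if status is OCSPStatus.PENDING:
                self.pending[request_id] = cert
            else:
                self.results[cert] = status
        return self.chain_status()

    def notify_result(self, request_id, status):
        # Called by the HTTP client when the response (or a timeout) arrives.
        self.results[self.pending.pop(request_id)] = status
        return self.chain_status()

    def chain_status(self):
        seen = set(self.results.values())
        if OCSPStatus.REVOKED in seen:      # one revoked cert decides the chain
            return OCSPStatus.REVOKED
        if self.pending:                    # still waiting on a responder
            return OCSPStatus.PENDING
        return OCSPStatus.UNKNOWN if OCSPStatus.UNKNOWN in seen else OCSPStatus.GOOD

def demo():
    # Constructed two-cert chain; the client answers nothing immediately, so
    # both requests are outstanding at once instead of one blocking the other.
    issued = []
    def async_client(cert, request_id, allow_async):
        issued.append(cert)
        return OCSPStatus.PENDING if allow_async else OCSPStatus.GOOD
    v = ChainVerifier(async_client)
    first = v.verify(["leaf", "intermediate"])        # PENDING, 2 requests out
    after_leaf = v.notify_result(1, OCSPStatus.GOOD)  # still PENDING
    final = v.notify_result(2, OCSPStatus.GOOD)       # GOOD
    return first, after_leaf, final, len(issued)
```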
Any news on the fix? It's been five years...