Open Bug 579606 Opened 10 years ago Updated 4 years ago

Multiple OCSP requests should be performed in parallel


(NSS :: Libraries, enhancement)

Not set


(Not tracked)


(Reporter: linshunghuang, Unassigned)



(Keywords: perf)


(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20100625 Firefox/3.6.6

When visiting EV sites in Firefox (NSS LibPKIX), multiple OCSP requests in a certificate chain are not performed in parallel. Using packet sniffers, we can observe that each OCSP request are serialized and blocked. Considering that each OCSP request may take hundreds of milliseconds to complete, sending them in parallel should significantly reduce the load time of EV sites.

Reproducible: Always

Steps to Reproduce:
1. Start packet sniffer (e.g. Wireshark) to log OCSP packets
2. Visit an EV site in Firefox 3.6
Actual Results:  
OCSP requests of intermediate certs and leaf certs are serialized and blocked.

Expected Results:  
Multiple OCSP requests should be performed in parallel.

This issue could also be observed on all HTTPS sites in Linux Chrome (which uses NSS LibPKIX to verify certificates.)
The data in the attached waterfall chart was generated using an instrumented Linux Chromium loading with an empty cache.
See Also: → 234135
Ever confirmed: true
Keywords: perf
Yep, I agree. Is this something better done at the NSS, or PSM level?
Hardware: x86 → All
Both, cooperatively.  It's definitely going to require a pretty big change 
to NSS.  Today, NSS has a synchronous (blocking) callback API by which it
calls out to Firefox's http client to send the OCSP requests and get the 
OCSP responses.  Some minor work on that would be needed, a flag to say 
"It's OK to return before you're done" and a return value that says "I 
returned before I got a result", and then a major addition is needed to 
provide a way for NSS to be notified when the result finally arrives (or 
times out or whatever).  

Then NSS must be changed to remember uncompleted revocation checks, and go 
back and finish them when the result comes in.  THAT might be the biggest 
change of all.  We'd want to make it in only one of our two cert validation
libraries, the one on which Firefox relies for EV, libPKIX.
Any news on the fix? It's been five years...
You need to log in before you can comment on or make changes to this bug.