Cert validation gets blocked by main thread because of sync XPCOM proxy / sync dispatch to main thread

RESOLVED DUPLICATE of bug 1137538

Status

Core
Security: PSM
--
critical
7 years ago
2 years ago

People

(Reporter: briansmith, Unassigned)

Tracking

(Blocks: 1 bug, {perf})

Trunk

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 obsolete attachment)

+++ This bug was initially created as a clone of Bug #679140 +++
+++ This bug was initially created as a clone of Bug #679036 +++

Currently, we call nsNSSSocketInfo::GetPreviousCert during certificate chain validation in the SSL handshake, which uses a synchronous XPCOM proxy to the main thread.in proxies in the processing of SSL errors (e.g. reporting errors). This is done because we try to avoid validating the certificate for EV (which is expensive) by grabbing the nsIX509Cert object from the DocShell associated with the socket (if any). Instead of using the DocShell as a cache, we can implement an explicit cache to avoid syncing the SSL thread on the main thread.
Summary: Remove SSL error processing on the main thread → Socket transport thread gets blocked by main thread during SSL handshake because of sync XPCOM proxy / sync dispatch to main thread
Created attachment 553388 [details] [diff] [review]
Cache SSL certificate EV status explicitly, instead of implicitly in DocShell

This patch removes access to the DocShell (and thus the synchronization between the SSL thread and the main thread) during the SSL handshake, by creating an explicit cache for SSL certificate EV status.
Attachment #553388 - Flags: review?(kaie)
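
The explicit-cache idea described above, as an added C++ example that is not the attached patch or any PSM code. The class name, the fingerprint key (assumed to be a digest of the certificate's full DER encoding) and the validator callback are hypothetical.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <mutex>
#include <string>
#include <unordered_map>

// Hypothetical names throughout; not PSM code. Caches the EV verdict per
// certificate so the handshake thread never waits on another thread for it.
class EvStatusCache {
public:
  using Validator = std::function<bool(const std::string& fingerprint)>;
  explicit EvStatusCache(std::size_t maxEntries) : mMax(maxEntries) {}

  // `fingerprint` identifies the exact certificate (assumed: digest of its
  // DER bytes, never the host name). On a miss the expensive validator runs
  // on the calling thread with no lock held.
  bool IsEV(const std::string& fingerprint, const Validator& validate) {
    {
      std::lock_guard<std::mutex> lock(mMutex);
      auto it = mEntries.find(fingerprint);
      if (it != mEntries.end()) { ++mHits; return it->second; }
    }
    bool ev = validate(fingerprint);  // slow path
    std::lock_guard<std::mutex> lock(mMutex);
    if (mEntries.size() >= mMax) mEntries.clear();  // crude memory bound
    mEntries[fingerprint] = ev;  // negative verdicts are cached too
    return ev;
  }

  // Call when trust settings change (root removed, EV policy updated) so a
  // stale "EV" verdict is not served from the cache.
  void Clear() { std::lock_guard<std::mutex> lock(mMutex); mEntries.clear(); }
  std::size_t Hits() { std::lock_guard<std::mutex> lock(mMutex); return mHits; }

private:
  std::mutex mMutex;
  std::unordered_map<std::string, bool> mEntries;
  std::size_t mMax;
  std::size_t mHits = 0;
};

int main() {
  EvStatusCache cache(1024);
  // Constructed stand-in for the expensive EV chain validation.
  auto slow = [](const std::string& fp) { return fp == "constructed-ev-digest"; };
  for (int i = 0; i < 3; ++i) std::cout << cache.IsEV("constructed-ev-digest", slow) << "\n";
  std::cout << "hits=" << cache.Hits() << "\n";
}
```

Two threads that miss on the same certificate at the same time will both run the validator; the result is the same either way, so the second write is harmless.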
Comment on attachment 553388 [details] [diff] [review]
Cache SSL certificate EV status explicitly, instead of implicitly in DocShell

Isn't this patch conflicting with Attachment 562076 [details] [diff]?
Comment on attachment 553388 [details] [diff] [review]
Cache SSL certificate EV status explicitly, instead of implicitly in DocShell

Honza, I am working on another implementation of this patch now, which will apply on top of the other XPCOM-removal patches.
Attachment #553388 - Attachment is obsolete: true
Attachment #553388 - Flags: review?(kaie)

Comment 4

7 years ago
Is this bug a dup of anything else or are there any patches that are in progress?
No longer blocks: 675221
No longer blocks: 436379
Summary: Socket transport thread gets blocked by main thread during SSL handshake because of sync XPCOM proxy / sync dispatch to main thread → Cert validation gets blocked by main thread during certificate validation because of sync XPCOM proxy / sync dispatch to main thread
Depends on: 754365
Summary: Cert validation gets blocked by main thread during certificate validation because of sync XPCOM proxy / sync dispatch to main thread → Cert validation gets blocked by main thread because of sync XPCOM proxy / sync dispatch to main thread
Assignee: brian → nobody
I believe this was addressed in bug 1137538.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1137538