OCSP causes Cert Manager to become dreadfully slow

VERIFIED FIXED in psm2.1

Status

Core Graveyard
Security: UI
P1
normal
VERIFIED FIXED
17 years ago
a year ago

People

(Reporter: Javier Delgadillo, Assigned: Javier Delgadillo)

Tracking

({relnote})

1.0 Branch
psm2.1
x86
Windows NT
relnote

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ckritzer])

Attachments

(1 attachment)

(Assignee)

Description

17 years ago
On NT, I've got a profile with lots of certs that use the AIA extension (this is
the extension that specifies the URL for OCSP). When I try to open the
Certificate Manager, loading it takes a *very* long time. If I then turn off
OCSP, Cert Manager loads at a normal speed once again.

We need to figure out how to prevent the dreaded slow-down we're currently
seeing with OCSP enabled.

Comment 1

17 years ago
Setting target to 2.0 in the hopes that we can at least identify the problem or
a workaround before we ship.
Priority: -- → P2
Target Milestone: --- → 2.0

Comment 2

17 years ago
Target 2.0 -> 2.1

Keywords: relnote
Target Milestone: 2.0 → 2.1

Updated

17 years ago
Keywords: nsenterprise
(Assignee)

Comment 3

16 years ago
Failure->P1

Comment 4

16 years ago
P1
Priority: P2 → P1
(Assignee)

Comment 5

16 years ago
I started playing with this, and it appears that the overhead of OCSP is big
enough to cause loading of the cert manager to become dreadfully slow.

So I propose the following:
1) When getting the purposes, always turn off OCSP.  This gives us the advantage
of knowing what the certificate would be good for if OCSP were successful and
reducing the number of OCSP operations required to load the certificate manager.

2) If OCSP is enabled, then the "Verified" column gets some graphic or text in
essence saying "Shall I go ahead with the OCSP operation?" and if the user
clicks on the text/graphic then we go ahead with the OCSP operation.

This is bad because it can cause problems even if the OCSP responder is up and
running successfully.  :(

Thoughts anyone?

Comment 6

16 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer

Comment 7

16 years ago
Javi's proposal is to delay OCSP verification until the user manually initiates
it, which would be after the window was painted. 
To close the loop, the Verified column could display "true", "false", and "true,
pending OCSP".  We'd then need to add a "Validate OCSP now" button. That would
turn "true, pending OCSP" into either "true" or "false".

Now, what happens if you hit that button and you get "false"? You're going to
want to know what happened by looking at the Cert Viewer. I filed bug 93703 to
cover those thoughts.

Javi, this bug report should just cover the initial fix (which I'm OK with). 
Please open a new bug which contains your ideas on the new buttons.  We can put
those into a future release.





(Assignee)

Comment 8

16 years ago
Created attachment 45134 [details] [diff] [review]
Patch that disables OCSP when in Cert Manager.
(Assignee)

Updated

16 years ago
Keywords: patch

Comment 9

16 years ago
r=ddrinan.
sr=blizzard
(Assignee)

Comment 11

16 years ago
Patch checked in.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 12

16 years ago
Javi, are you still seeing this?  I don't have a ton of certs @ home, so I'm 
not seeing a big slowdown on:
Win2k  2001-08-10-10-trunk Commercial
MacOSX 2001-08-10-05-trunk Commercial

 - I'll verify when I get in on Monday as well, but if you could take a quick 
look, that'd be great.

Thanks - Kritzer

Updated

16 years ago
Whiteboard: [ckritzer]

Comment 13

16 years ago
Chris,
If you don't see a big slowdown, that's because Javi's fixed the bug.
It used to be that if you set the third OCSP option (specify the signer and
URL) to some nonexistent value, the application would basically be so slow as to
be unusable. Not seeing this is verifying the bug.

Comment 14

16 years ago
Marking VERIFIED FIXED on:
- MacOS91 2001-08-21-04-trunk (commercial)
- MacOS_X 2001-08-21-05-trunk (commercial)
- LinRH62 2001-08-21-06-trunk (commercial)
- Win98SE 2001-08-21-11-trunk (commercial)


Not seeing any slowdowns.
Status: RESOLVED → VERIFIED

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

9 years ago
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard