Closed
Bug 918120
Opened 11 years ago
Closed 11 years ago
Reduce the OCSP timeout values
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla27
People
(Reporter: cviecco, Assigned: cviecco)
Details
(Whiteboard: [qa-])
Attachments
(1 file, 5 obsolete files)
|
1.26 KB,
patch
|
briansmith
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
No description provided.
|
Assignee | |
Comment 1•11 years ago
|
||
|
|
Assignee | |
Updated•11 years ago
|
Attachment #806958 -
Flags: review?(dkeeler)
Comment on attachment 806958 [details] [diff] [review] reduce-ocsp-timeout Review of attachment 806958 [details] [diff] [review]: ----------------------------------------------------------------- As part of this, I think you should revert the patch that landed in bug 404059. ::: security/manager/ssl/src/nsNSSComponent.cpp @@ +930,5 @@ > CERT_SetOCSPFailureMode( ocspRequired ? > ocspMode_FailureIsVerificationFailure > : ocspMode_FailureIsNotAVerificationFailure); > + if (ocspRequired) { > + CERT_SetOCSPTimeout(5); I'm not sure it's worth setting a different timeout in the case of require ocsp (particularly since all of 2 people have it set). I'd be open to discussion, though.
Attachment #806958 -
Flags: review?(dkeeler) → review-
|
|
Assignee | |
Comment 3•11 years ago
|
||
(In reply to David Keeler (:keeler) from comment #2) > Comment on attachment 806958 [details] [diff] [review] > reduce-ocsp-timeout > > Review of attachment 806958 [details] [diff] [review]: > ----------------------------------------------------------------- > > As part of this, I think you should revert the patch that landed in bug > 404059. It is tempting to remove, but that patch affects all HTTP requests issued on behalf of NSS. I just want to affect the OCSP timeouts. (which are dominated only by latency/network reachability). > > ::: security/manager/ssl/src/nsNSSComponent.cpp > @@ +930,5 @@ > > CERT_SetOCSPFailureMode( ocspRequired ? > > ocspMode_FailureIsVerificationFailure > > : ocspMode_FailureIsNotAVerificationFailure); > > + if (ocspRequired) { > > + CERT_SetOCSPTimeout(5); > > I'm not sure it's worth setting a different timeout in the case of require > ocsp (particularly since all of 2 people have it set). I'd be open to > discussion, though. Actually we discussed it with bsmith yesterday and deiced to leave the timeout at 10 secs for users with required ocsp. And it was .1% of users of that study which is a few hundred thousand (not including to TBB).
|
|
Assignee | |
Comment 4•11 years ago
|
||
Attachment #806958 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•11 years ago
|
Attachment #807259 -
Flags: review?(brian)
|
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → cviecco
|
|
Assignee | |
Comment 5•11 years ago
|
||
|
|
Assignee | |
Comment 6•11 years ago
|
||
Attachment #808022 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 7•11 years ago
|
||
Attachment #808023 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 8•11 years ago
|
||
Comment on attachment 808024 [details] [diff] [review] reduce-ocsp-timeout (alt v1.2) Review of attachment 808024 [details] [diff] [review]: ----------------------------------------------------------------- what do you think of this alternative... I think it is clearer but if you think the other one is better please let me know.
Attachment #808024 -
Flags: feedback?(dkeeler)
Comment on attachment 808024 [details] [diff] [review] reduce-ocsp-timeout (alt v1.2) Review of attachment 808024 [details] [diff] [review]: ----------------------------------------------------------------- I like this alternative better. ::: security/manager/ssl/src/nsNSSComponent.cpp @@ +930,5 @@ > CERT_SetOCSPFailureMode( ocspRequired ? > ocspMode_FailureIsVerificationFailure > : ocspMode_FailureIsNotAVerificationFailure); > > + int OCSPTimeoutSecs = 2; Maybe ocspTimeoutSeconds?
Attachment #808024 -
Flags: feedback?(dkeeler) → feedback+
|
|
Assignee | |
Comment 10•11 years ago
|
||
Attachment #807259 -
Attachment is obsolete: true
Attachment #808024 -
Attachment is obsolete: true
Attachment #807259 -
Flags: review?(brian)
Attachment #815576 -
Flags: review?(honzab.moz)
|
||
Comment 11•11 years ago
|
||
Comment on attachment 815576 [details] [diff] [review] reduce-ocsp-timeout Review of attachment 815576 [details] [diff] [review]: ----------------------------------------------------------------- I looked at how Microsoft's stack does things, which is a 15 second timeout: http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx I support doing this as a stepping stone to turning OCSP fetching off by default. This patch will have a similar affect as that for people who have very, very slow networks, and I don't think the the speed of your network should be much of a factor here. So, if you agree with turning OCSP fetching off by default for everybody soon, go ahead and check in this patch. You didn't include a test for this change. How did you test it?
Attachment #815576 -
Flags: review?(honzab.moz) → review+
|
|
Assignee | |
Comment 12•11 years ago
|
||
I tested it via wireshark... With the current code in central I could test it via a mochitest site (to EV verification and time the time it takes to fallback to dv) or wait until the thin certverify idl lands and do more testing there. I agree lack of tests is not the best. Do you want to up the timeout to 15 secs when ocsp is required?
https://hg.mozilla.org/mozilla-central/rev/5ee559599846
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
|
||
Comment 14•11 years ago
|
||
Comment on attachment 815576 [details] [diff] [review] reduce-ocsp-timeout [Approval Request Comment] Bug caused by (feature/regressing bug #): None. User impact if declined: None. Testing completed (on m-c, etc.): None. Risk to taking this patch (and alternatives if risky): Very little. String or IDL/UUID changes made by this patch: None. Basically this will reduce the OCSP timeout for people that haven't made OCSP required. This is good because we have data that shows that some TLS handshakes are waiting for this timeout to continue! :(
Attachment #815576 -
Flags: approval-mozilla-aurora?
|
||
Updated•11 years ago
|
Attachment #815576 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Comment 15•11 years ago
|
||
This landed on Aurora. https://hg.mozilla.org/releases/mozilla-aurora/rev/639866593563
status-firefox26:
--- → fixed
status-firefox27:
--- → fixed
|
||
Comment 17•11 years ago
|
||
Can you please answer to comment 16 so that QA can verify this as soon as possible?
Flags: needinfo?(cviecco)
|
|
Assignee | |
Comment 18•11 years ago
|
||
1. Chose any non-ev site. 2. Load it in FF, view the certificate and note the hostname in the OCSP URL iformation (this is located under the Authority Information Access extension of the ceritifate 3. Modify the /etc/hosts file (in OSX, Linux. I think there is an equivalent in windows) so that the hostname for the ocsp is routed to your localmachine (127.0.0.1). 4. Stop FF/ 5. Start a packet capture 6. Start Firefox and go to the site chosen in step 1. 7. Stop the capture 8. Open wireshark. 9. Verify that the ocsp reqest is going to your machine. 10. Notice the timing between the server hello message and the time actual data is being sent in the tls/ssl protected stream. It should be more than 2 and less than 4 seconds.
Flags: needinfo?(cviecco)
|
|
Assignee | |
Comment 19•11 years ago
|
||
Note: a value slightly higher than 4 is also acceptable.
|
|
||
Comment 20•11 years ago
|
||
Thank you for the STR! I couldn't reproduce the initial issue with the provided steps and navigating to http://www.linkedin.com/. Could you please advice what else can I try in order to reproduce this issue? On Firefox 26 beta 8 (Build ID: 20131125215016) on Windows 7 64bit, Ubuntu 12.04 64bit and Mac OS X 10.8.5 I get the following results: - Windows: the timing between the server hello message and the time actual data is being sent is 4.313 seconds - Ubuntu: the timing is 0.306 seconds - Mac OS X: the timing is 3.013 seconds On all 3 platforms the OCSP Request is going to my machine. Could you please confirm based on this screenshot: http://goo.gl/H8MWKY that the values (marked with red line) are the good ones? Although, the timing for Ubuntu is way too small.
Flags: needinfo?(cviecco)
|
|
Assignee | |
Comment 21•11 years ago
|
||
The values from the screenshot look good. My guess for the difference between ubuntu and others is that you have an actual server http server running on your box or you are sending a tcp rst packet. Making the connection close fast, for windows and OSX my guess is that there is nothing waiting for the tcp-syn and thus firefox need to wait for the actual timeouts.
Flags: needinfo?(cviecco)
|
|
||
Comment 22•11 years ago
|
||
(In reply to Camilo Viecco (:cviecco) from comment #21) > My guess for the difference > between ubuntu and others is that you have an actual server http server > running on your box or you are sending a tcp rst packet. On Firefox 26 beta 10 (Build ID: 20131202182626) I get the same results as in comment 20: on Windows and Mac OS X the values are good and on Ubuntu is under 1. Since I cannot get a value between 2 and 4, can you please take a look on Ubuntu to confirm that this is verified ? Thanks.
Flags: needinfo?(cviecco)
|
|
Assignee | |
Comment 23•11 years ago
|
||
Ubuntu is fine (from M-C). Thank you Alexandra
Flags: needinfo?(cviecco)
|
||
Comment 24•11 years ago
|
||
Removing the keyword since QA can't reproduce, ergo verify this.
Keywords: verifyme
|
||
Updated•11 years ago
|
Whiteboard: [qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•