Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- Subject: Re: [Fed-Talk] Memory usage spikes when viewing Signed Emails
- From: "Shawn A. Geddis" <email@hidden>
- Date: Tue, 28 Aug 2007 19:14:53 -0400
Mike,
The 'ocspd' is the daemon for processing all CRL / OCSP requests. You
are seeing extensive CPU utilization associated with access or
attempted access to the corresponding CRL Distribution Point.
(Side Note: To the best of my knowledge, all DoD CACs are still being
issued certs with URIs for CRL Distribution Points rather than URIs
for OCSP (AIA extensions).)
Examples of what you will see in your Certificates:
Extension CRL Distribution Points ( 2 5 29 31 )
Critical NO
URI ldap://ds-4.c3pki.den.disa.mil/cn=DOD CLASS 3
CA-6, ou=PKI, ou=DoD, o=U.S. .....
Since the DoD CRL Distribution Points can be more than overloaded,
several sites within DoD began installing OCSP Validators (server-side
service) to handle OCSP requests --- much less overhead than the CRL
method.
The problem you are seeing is that the Certificate has the CRL
Distribution Point and the Server defined there is probably either
overloaded or not responding properly, so the ocspd process continues
to attempt to pull the CRL database down and is itself holding up the
works.
As the end user, you have the ability to somewhat manage/set how
success or failure in reaching the servers (for CRL/OCSP requests)
impacts the validation of certificates.
Tool: /Applications/Utilities/Keychain Access
Menu Option: Keychain Access -> Preferences -> Certificates
You can set the "Certificate Revocation List (CRL)" option to:
* OFF
* Best Attempt
* Require if Cert Indicates
* Require for All Certs
Setting to best attempt will indeed make the best attempt to access
the CRL Distribution Point to ensure it has the most recent list of
CRLs. If it is unable to, it will default and use the cached list.
You can view the CRL Cached list via the following command:
certtool y k=/var/db/crls/crlcache.db
You can also flush the cache via the following command:
crlrefresh r
_Shawn
On Aug 28, 2007, at 5:57 PM, Mike Jackson wrote:
That email from Shawn today with the subject "Re: [Fed-Talk] Mac
Ownership & Permissions (UNCLASSIFIED)". Anything from Tim Miller
(Sorry Tim.. ;-) ) and a few others. This is with Apple Mail on
10.4.10. Nothing else is special about the system unless you count
all the developer stuff from Apple that has been installed.
Ok. I did some digging and using those superpowers that Activity
Monitor grants me, the culprit seems to be 'ocspd', which when I
tried to view a signed email that was on this list a few days ago,
the memory spiked to 800MB and locked up the GUI for about 30
seconds. Is this normal?
--
Mike Jackson Senior Research Engineer
Innovative Management & Technology Services
On Aug 28, 2007, at 5:46 PM, Bill Wagner wrote:
That really can't be answered without knowing more information:
1. How big are the e-mails and/or the data contained in them?
2. Are the e-mails self signed or are they checked against a public
key?
3. Is this custom software, as in that provided in a package developed
for you, or is it off the shelf with no modification?
4. Is this happening on all signed e-mails or just some of them?
5. Do you know what type of signing algorithms are being used?
If they're simple text e-mails and everything is off the shelf, I
would think you might want to assume this is some type of OS bug.
If the e-mails contain data such as images or reports of any type,
then it means the e-mail and every byte of data in the included
documents or images is likely being hashed through a signing
algorithm to check its validity. This can be pretty memory and CPU
intensive, but I have to admit unless this is being done to mega-
documents or mega-images, eating up 700M sounds pretty inefficient.
I would need more information to even hazard a guess.
Bill Wagner
http://www.scsc-online.com
Mike Jackson wrote:
Why does my computer (Mac Book Pro, 2GB Ram, 160GB Drive) seem to
lock up and the memory usage spike ( to about 700MB) every time I
try to view a signed email? This is getting to the point where I
am about to put a filter to just delete anything from those
people I know sign their emails.. just getting frustrating.
This is with OS X 10.4.10. There is always lots of Ram available
when this happens as I monitor it with a utility constantly. The
same thing happens with Safari when I log into the US Air Force
Web Mail site with my CAC.
Thanks for any help.
--
Mike Jackson
imikejackson & gmail * com
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
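The thread turns on what revocation pointers a certificate actually carries: a CRL Distribution Point forces the client (ocspd here) to pull down a whole CRL, while an OCSP responder in the Authority Information Access extension allows a small per-certificate query. The script below is an added example, not code from the thread or from Apple; it builds a throwaway self-signed certificate carrying both extensions (the subject and the crl.example.test / ocsp.example.test URIs are constructed and resolve nowhere) and then lists and classifies the pointers found in any PEM certificate you hand it. It assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: list the revocation pointers a certificate
# carries, so you can see in advance whether a client such as ocspd will have to
# fetch a full CRL (CRL Distribution Points) or can ask an OCSP responder
# (Authority Information Access). Assumes openssl 1.1.1 or later on PATH.

# Build a throwaway self-signed certificate carrying both extensions. The
# subject and URIs are constructed for this example and resolve nowhere.
make_test_cert() {
    dir=$(mktemp -d)
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ext
[dn]
CN = example-cac-holder
[v3_ext]
crlDistributionPoints = URI:http://crl.example.test/EXAMPLE_CA_1.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$dir/ext.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Print one line per pointer: "CRL <uri>" for each CRL Distribution Point URI,
# "OCSP <uri>" for each OCSP responder in the AIA extension. Works on the
# human-readable output of "openssl x509 -text", tracking which extension
# block the current line belongs to.
revocation_pointers() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 CRL Distribution Points/ { mode = "CRL"; next }
        /Authority Information Access/   { mode = "AIA"; next }
        /^ *X509v3 / || /^ *Signature Algorithm/ { mode = "" }
        mode == "CRL" && /URI:/        { sub(/.*URI:/, ""); print "CRL " $0 }
        mode == "AIA" && /OCSP - URI:/ { sub(/.*URI:/, ""); print "OCSP " $0 }
    '
}

# Classify the certificate: "ocsp" if it names a responder (cheap per-cert
# query), "crl-only" if the client has no choice but to download the CRL,
# "none" if it carries neither pointer.
revocation_mode() {
    ptrs=$(revocation_pointers "$1")
    n_crl=$(printf '%s\n' "$ptrs" | grep -c '^CRL ' || true)
    n_ocsp=$(printf '%s\n' "$ptrs" | grep -c '^OCSP ' || true)
    if [ "$n_ocsp" -gt 0 ]; then
        echo ocsp
    elif [ "$n_crl" -gt 0 ]; then
        echo crl-only
    else
        echo none
    fi
}

# Stand-alone run: build the constructed certificate and report on it.
demo_cert=$(make_test_cert)
revocation_pointers "$demo_cert"
revocation_mode "$demo_cert"
```

To run it against a real certificate, export it from Keychain Access as PEM (or add `-inform DER` to the `openssl x509` call for a .cer file) and call `revocation_pointers /path/to/cert.pem`; a CAC certificate of the kind quoted above should come back as `crl-only` with an `ldap://` URI, which is exactly the fetch that keeps ocspd busy when the directory server is slow.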