Re: [Fed-Talk] [Non-DoD Source] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- Subject: Re: [Fed-Talk] [Non-DoD Source] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- From: "Coradeschi, Thomas J CIV USARMY PEO AMMO (US)" <email@hidden>
- Date: Thu, 20 Oct 2016 12:05:16 +0000
- Thread-topic: [Non-DoD Source] [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
I see the same thing on Windows the last 2 days and have an open AESD trouble ticket on it.
Tom Coradeschi
Chief, Systems Engineering and Technology Integration Div
PM Maneuver Ammunition Systems
NIPR: email@hidden SIPR: email@hidden
973-724-4344 (ofc) 862-251-3089 (cell)
-------------
Original Message
From: Zachary Heaton
Sent: Wednesday, October 19, 2016 9:46 PM
To: email@hidden
Subject: [Non-DoD Source] [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
----
All,
I’m seeing two potentially related problems on macOS Sierra, and would appreciate any insight the group can bring to bear.
1.) Signed e-mail messages (in both Outlook 2011 and Mail.app) are extremely slow to view. By my stopwatch, clicking on a signed e-mail message in Mail.app causes a delay of just over a minute (1:15) until the message renders. Outlook 2011 beachballs for a solid 2:40 before rendering.
2.) I’m seeing a *lot* of attempts in my console logs to receive OCSP responses and CRLs, and the frequency of these messages appears to spike when viewing signed e-mails. I suspect - but cannot confirm - that delays in CRL/OCSP processing are causing the signed mail handling delays I’m seeing in Mail.app and Outlook.
To provide some context to “a lot of attempts,” here’s trustd trying to get the DISA CRL ten times in two minutes on behalf of Mail.app:
> default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:23:33.723304 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:23:33.729636 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:24:03.390202 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:24:12.294463 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:24:12.703974 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:24:12.710549 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:24:50.110875 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> default 21:25:27.925725 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
I’m also seeing very frequent OCSP/CRL requests even when Mail.app and Outlook 2011 are closed, including repeated requests to fpkia.gsa.gov (which doesn’t respond to HTTP) and frequent skipped requests to LDAP-hosted CRLs. Here’s nine timeouts against fpkia.gsa.gov within a minute:
> default 21:31:09.006026 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> default 21:31:16.490212 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
> default 21:31:23.490405 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
> default 21:31:30.986900 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> default 21:31:43.184087 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> default 21:31:50.184833 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> default 21:31:57.186106 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
> default 21:32:04.190366 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
> default 21:32:11.688503 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
I’ve tried turning OCSP and CRL “Off” in Keychain Access, but am still getting these symptoms.
Is anyone else seeing either of these issues on their systems, and/or does anyone have insight into possible solutions?
Regards,
Zach Heaton
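The two symptoms Zach describes (the same CRL fetched again and again within a couple of minutes, and repeated GET timeouts against one host) are easy to measure from the console log rather than by stopwatch. The following is an added example, not code from the thread or from Apple: a small Python parser for the two trustd line formats visible in the quoted log, with a sliding-window count of repeat fetches per URL and a timeout tally per host. The regular expressions are assumptions derived only from the lines quoted above (other trustd message formats are not handled), the "Caution-" prefix is stripped because it is the mail gateway's link-disabling rewrite, and the sample log is constructed by shortening and re-timing the post's own lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample, modelled on the trustd lines quoted in the post.
SAMPLE_LOG = """\
default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:23:33.723304 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:24:03.390202 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:24:12.294463 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:31:09.006026 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
default 21:31:16.490212 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
default 21:31:23.490405 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
default 21:45:00.000000 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
"""

# Assumed formats, matching only the two message shapes quoted in the post.
FETCH_RE = re.compile(
    r"^default (?P<ts>\d{2}:\d{2}:\d{2}\.\d+) [+-]\d{4} trustd "
    r"asynchronously fetching (?P<kind>\w+) \((?P<url>[^)]+)\) "
    r"for client \((?P<client>[^)]+)\)$")
TIMEOUT_RE = re.compile(
    r"^default (?P<ts>\d{2}:\d{2}:\d{2}\.\d+) [+-]\d{4} trustd "
    r"Timeout during GET (?P<url>\S+?)\.?$")


def normalize_url(url: str) -> str:
    # The mail gateway prefixed every link with "Caution-"; drop it so
    # counts are keyed on the real URL.
    return url[len("Caution-"):] if url.startswith("Caution-") else url


def parse_ts(ts: str) -> datetime:
    # Console lines carry only a time of day; strptime pins them to a
    # dummy date, which is fine for differences within one capture.
    return datetime.strptime(ts, "%H:%M:%S.%f")


def parse_trustd_log(text: str):
    """Return (fetches, timeouts): (ts, url, client) and (ts, url) tuples."""
    fetches, timeouts = [], []
    for line in text.splitlines():
        m = FETCH_RE.match(line)
        if m:
            fetches.append((parse_ts(m["ts"]), normalize_url(m["url"]), m["client"]))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts.append((parse_ts(m["ts"]), normalize_url(m["url"])))
    return fetches, timeouts


def refetch_bursts(fetches, window=timedelta(minutes=2), threshold=3):
    """Per URL, the largest number of fetches that fall inside `window`.
    A working CRL cache would fetch a given URL once per validity period,
    so any URL at or above `threshold` is reported as a burst."""
    by_url = defaultdict(list)
    for ts, url, _client in fetches:
        by_url[url].append(ts)
    bursts = {}
    for url, times in by_url.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[url] = best
    return bursts


def timeouts_by_host(timeouts):
    """Count GET timeouts per host, e.g. to spot a CRL/cert repository
    that never answers over HTTP."""
    counts = defaultdict(int)
    for _ts, url in timeouts:
        counts[urlparse(url).hostname] += 1
    return dict(counts)


if __name__ == "__main__":
    fetches, timeouts = parse_trustd_log(SAMPLE_LOG)
    print("repeat-fetch bursts:", refetch_bursts(fetches))
    print("timeouts per host:", timeouts_by_host(timeouts))
```

On a real system the input would come from `log show` (or the Console export) filtered to the trustd process; the thresholds are arbitrary starting points, and the interesting outputs are a CRL URL that is re-fetched several times inside one window while a mail client is the requesting process, and a host whose timeout count keeps climbing when no mail client is open.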
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden