Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- Subject: Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- From: Zachary Heaton <email@hidden>
- Date: Thu, 20 Oct 2016 12:21:31 +0000
- Thread-topic: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
Unfortunately, I’ve been seeing this behavior on OS X fairly continuously since the 10.12 release, not just over the last two days. I’d be very interested to know if AESD identifies an outage that could be contributing to the problem, but there seems to be an independent Mac-specific issue in play here as well.
Thanks,
Zach Heaton
> On 20 Oct 2016, at 08:05, Coradeschi, Thomas J CIV USARMY PEO AMMO (US) <email@hidden> wrote:
>
> I see the same thing on Windows the last 2 days and have an open AESD trouble ticket on it.
>
>
> Tom Coradeschi
> Chief, Systems Engineering and Technology Integration Div
> PM Maneuver Ammunition Systems
> NIPR: email@hidden SIPR: email@hidden
> 973-724-4344 (ofc) 862-251-3089 (cell)
> -------------
> Original Message
> From: Zachary Heaton
> Sent: Wednesday, October 19, 2016 9:46 PM
> To: email@hidden
> Subject: [Non-DoD Source] [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
>
>> All,
>>
>> I’m seeing two potentially related problems on macOS Sierra, and would appreciate any insight the group can bring to bear.
>>
>> 1.) Signed e-mail messages (in both Outlook 2011 and Mail.app) are extremely slow to view. By my stopwatch, clicking on a signed e-mail message in Mail.app causes a delay of just over a minute (1:15) until the message renders. Outlook 2011 beachballs for a solid 2:40 before rendering.
>>
>> 2.) I’m seeing a *lot* of attempts in my console logs to receive OCSP responses and CRLs, and the frequency of these messages appears to spike when viewing signed e-mails. I suspect - but cannot confirm - that delays in CRL/OCSP processing are causing the signed mail handling delays I’m seeing in Mail.app and Outlook.
>>
>> To provide some context to “a lot of attempts,” here’s trustd trying to get the DISA CRL ten times in two minutes on behalf of Mail.app:
>>
>>> default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:23:33.723304 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:23:33.729636 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:03.390202 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:12.294463 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:12.703974 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:12.710549 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:50.110875 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:25:27.925725 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>
>> I’m also seeing very frequent OCSP/CRL requests even when Mail.app and Outlook 2011 are closed, including repeated requests to fpkia.gsa.gov (which doesn’t respond to HTTP) and frequent skipped requests to LDAP-hosted CRLs. Here are nine timeouts against fpkia.gsa.gov within a minute:
>>
>>> default 21:31:09.006026 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:16.490212 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:31:23.490405 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:31:30.986900 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:43.184087 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:50.184833 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:57.186106 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:32:04.190366 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:32:11.688503 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>
>> I’ve tried turning OCSP and CRL “Off” in Keychain Access, but am still getting these symptoms.
>>
>> Is anyone else seeing either of these issues on their systems, and/or does anyone have insight into possible solutions?
>>
>> Regards,
>> Zach Heaton
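One way to turn the "a lot of attempts" observation above into a repeatable check, as an added example that is not part of this thread: it parses the two trustd line formats quoted in the original message (fetch and timeout) and flags any URL hit at or above a threshold within a sliding window. The sample lines are copied from the quoted logs; the window and threshold values are assumptions chosen to match the counts Zach reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# trustd lines copied from the thread above; the "Caution-" prefix on each URL
# was added to the mail in transit and is stripped before counting.
SAMPLE_LOG = """\
default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:23:33.723304 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:24:03.390202 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:31:09.006026 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
default 21:31:16.490212 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
default 21:31:30.986900 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
default 21:31:43.184087 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
"""

LINE_RE = re.compile(
    r"^default (?P<time>\d{2}:\d{2}:\d{2}\.\d+) \S+ trustd "
    r"(?:asynchronously fetching CRL \((?P<crl>\S+?)\) for client \((?P<client>[^)]+)\)"
    r"|Timeout during GET (?P<timeout>\S+?)\.?)$")

def parse(log):
    """Yield (time, kind, url, client) for each recognised trustd line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated subsystem or a line format we do not know
        t = datetime.strptime(m.group("time"), "%H:%M:%S.%f")
        url = (m.group("crl") or m.group("timeout")).removeprefix("Caution-")
        kind = "fetch" if m.group("crl") else "timeout"
        yield t, kind, url, m.group("client")

def bursts(log, window=timedelta(minutes=2), threshold=3):
    """Map (kind, url) -> peak event count in any sliding window, for URLs at or over threshold."""
    by_key = defaultdict(list)
    for t, kind, url, _ in parse(log):
        by_key[(kind, url)].append(t)
    flagged = {}
    for key, times in by_key.items():
        times.sort()  # unified-log exports are usually ordered, but do not rely on it
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged
```

On a live machine the same parser can be fed the output of `log show --predicate 'process == "trustd"'` to compare a quiet period against the moments a signed message is opened.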