Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- Subject: Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 20 Oct 2016 12:34:27 +0000
- Thread-topic: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
This sounds very like the cross cert problem. You want to look for any of the FBCA cross certs and remove them or mark them explicitly untrusted. There's a Windows tool for this at http://iase.disa.mil/pki-pke/Pages/tools.aspx. It can affect Macs as well but there's no tool; you'll have to do it manually in Keychain Access. The IASE tool's user guide (available at the same page) tells you which certs to look for.
-- T
> -----Original Message-----
> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-
> bounces+tmiller=email@hidden] On Behalf Of Zachary Heaton
> Sent: Thursday, October 20, 2016 7:22 AM
> To: email@hidden
> Cc: Coradeschi, Thomas J CIV USARMY PEO AMMO (US)
> <email@hidden>
> Subject: Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP
> attempts on 10.12
>
> Unfortunately, I’ve been seeing this behavior on OS X fairly continuously
> since the 10.12 release, not just over the last two days. I’d be very interested
> to know if AESD identifies an outage that could be contributing to the
> problem, but there seems to be an independent Mac-specific issue in play
> here as well.
>
> Thanks,
> Zach Heaton
>
> > On 20 Oct 2016, at 08:05, Coradeschi, Thomas J CIV USARMY PEO AMMO
> (US) <email@hidden> wrote:
> >
> > I see the same thing on Windows the last 2 days and have an open AESD
> trouble ticket on it.
> >
> >
> > Tom Coradeschi
> > Chief, Systems Engineering and Technology Integration Div PM Maneuver
> > Ammunition Systems
> > NIPR: email@hidden SIPR:
> > email@hidden
> > 973-724-4344 (ofc) 862-251-3089 (cell)
> > -------------
> > Original Message
> > From: Zachary Heaton
> > Sent: Wednesday, October 19, 2016 9:46 PM
> > To: email@hidden
> > Subject: [Non-DoD Source] [Fed-Talk] Signed e-Mail sluggishness,
> > overly-aggressive OCSP attempts on 10.12
> >
> >> All,
> >>
> >> I’m seeing two potentially related problems on macOS Sierra, and would
> appreciate any insight the group can bring to bear.
> >>
> >> 1.) Signed e-mail messages (in both Outlook 2011 and Mail.app) are
> extremely slow to view. By my stopwatch, clicking on a signed e-mail
> message in Mail.app causes a delay of just over a minute (1:15) until the
> message renders. Outlook 2011 beachballs for a solid 2:40 before rendering.
> >>
> >> 2.) I’m seeing a *lot* of attempts in my console logs to receive OCSP
> responses and CRLs, and the frequency of these messages appears to spike
> when viewing signed e-mails. I suspect - but cannot confirm - that delays in
> CRL/OCSP processing are causing the signed mail handling delays I’m seeing
> in Mail.app and Outlook.
> >>
> >> To provide some context to “a lot of attempts,” here’s trustd trying to get
> the DISA CRL ten times in two minutes on behalf of Mail.app:
> >>
> >>> default 21:23:31.219821 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:23:33.319768 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:23:33.723304 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:23:33.729636 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:24:03.390202 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:24:12.294463 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:24:12.703974 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:24:12.710549 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:24:50.110875 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>> default 21:25:27.925725 -0400 trustd asynchronously fetching CRL
> (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
> >>
> >> I’m also seeing very frequent OCSP/CRL requests even when Mail.app
> and Outlook 2011 are closed, including repeated requests to fpkia.gsa.gov
> (which doesn’t respond to HTTP) and frequent skipped requests to LDAP-
> hosted CRLs. Here’s nine timeouts against fpkia.gsa.gov within a minute:
> >>
> >>> default 21:31:09.006026 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> >>> default 21:31:16.490212 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
> >>> default 21:31:23.490405 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
> >>> default 21:31:30.986900 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> >>> default 21:31:43.184087 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> >>> default 21:31:50.184833 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> >>> default 21:31:57.186106 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
> >>> default 21:32:04.190366 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
> >>> default 21:32:11.688503 -0400 trustd Timeout during GET Caution-
> http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
> >>
> >> I’ve tried turning OCSP and CRL “Off” in Keychain Access, but am still
> getting these symptoms.
> >>
> >> Is anyone else seeing either of these issues on their systems, and/or does
> anyone have insight into possible solutions?
> >>
> >> Regards,
> >> Zach Heaton
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
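The trustd lines quoted in Zach's message are the kind of thing an admin would want to count rather than eyeball: how many times the same CRL is fetched within a short window, and which revocation endpoints are timing out. The following is an added example, not code from the thread or from Apple, that parses lines in the format shown above (as produced by `log show`/Console) and flags "fetch storms" and timeouts. The parser's regexes are derived from the quoted lines, the `Caution-` prefix is assumed to be the mail gateway's URL rewriting and is stripped, and the 120-second window and threshold of 5 are values chosen here, not anything trustd or the list defines. The sample input is constructed: a subset of the quoted lines plus one unrelated fetch so the threshold has something to ignore.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample modelled on the trustd lines quoted in the thread, plus one
# unrelated fetch (example.invalid / Safari) that should not trip the threshold.
SAMPLE_LOG = """\
default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:23:33.723304 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:24:03.390202 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:24:12.294463 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:24:50.110875 -0400 trustd asynchronously fetching CRL (Caution-http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:31:09.006026 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
default 21:31:16.490212 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
default 21:31:23.490405 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
default 21:31:30.986900 -0400 trustd Timeout during GET Caution-http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
default 21:40:00.000000 -0400 trustd asynchronously fetching CRL (http://example.invalid/other.crl) for client (Safari[2001])
"""

# Regexes derived from the two message shapes quoted in the thread (assumption:
# other trustd messages are ignored, which is what we want for this report).
FETCH_RE = re.compile(
    r"^default (?P<ts>\d{2}:\d{2}:\d{2}\.\d+) \S+ trustd asynchronously fetching CRL "
    r"\((?P<url>[^)]+)\) for client \((?P<client>[^)]+)\)"
)
TIMEOUT_RE = re.compile(
    r"^default (?P<ts>\d{2}:\d{2}:\d{2}\.\d+) \S+ trustd Timeout during GET (?P<url>\S+)"
)


@dataclass(frozen=True)
class TrustdEvent:
    kind: str            # "fetch" or "timeout"
    ts: datetime         # time of day only; date is the strptime default
    url: str             # normalized URL (gateway prefix and trailing '.' removed)
    client: Optional[str]  # e.g. "Mail[1192]"; None for timeout lines


def normalize_url(raw: str) -> str:
    """Strip the mail gateway's 'Caution-' rewrite and any trailing period."""
    url = raw.strip()
    if url.startswith("Caution-"):
        url = url[len("Caution-"):]
    return url.rstrip(".")


def parse_trustd_lines(text: str) -> List[TrustdEvent]:
    """Turn raw log text into TrustdEvents, skipping lines that match neither shape."""
    events = []
    for line in text.splitlines():
        m = FETCH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
            events.append(TrustdEvent("fetch", ts, normalize_url(m.group("url")), m.group("client")))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
            events.append(TrustdEvent("timeout", ts, normalize_url(m.group("url")), None))
    return events


def max_events_in_window(times: List[datetime], window_seconds: int) -> int:
    """Largest number of timestamps that fall inside any window of the given length."""
    times = sorted(times)
    window = timedelta(seconds=window_seconds)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_fetch_storms(events: List[TrustdEvent], window_seconds: int = 120,
                      threshold: int = 5) -> Dict[str, int]:
    """URLs fetched at least `threshold` times inside one window, with the peak count."""
    by_url: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.kind == "fetch":
            by_url[ev.url].append(ev.ts)
    peaks = {url: max_events_in_window(ts, window_seconds) for url, ts in by_url.items()}
    return {url: n for url, n in peaks.items() if n >= threshold}


def count_timeouts(events: List[TrustdEvent]) -> Dict[str, int]:
    """How many GET timeouts trustd logged per revocation/CA-cert endpoint."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.kind == "timeout":
            counts[ev.url] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_trustd_lines(SAMPLE_LOG)
    for url, n in find_fetch_storms(evs).items():
        print(f"fetch storm: {n} fetches of {url} within 120 s")
    for url, n in count_timeouts(evs).items():
        print(f"timeouts: {n}x {url}")
```

On a real machine the input would come from `log show --predicate 'process == "trustd"' --last 10m` (a real `log` invocation; the predicate is an assumption about how you would scope it) piped into `parse_trustd_lines`. A URL that keeps reappearing in the storm report while the timeout report shows its CA-certificate fetch never succeeding is the pattern that points at the cross-cert/path-building issue Tim describes, rather than at a transient outage.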