Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- Subject: Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- From: Zachary Heaton <email@hidden>
- Date: Fri, 21 Oct 2016 02:06:50 +0000
- Thread-topic: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
David,
I am not using any third party modules, just the Sierra native support. Thanks for the suggestion!
Regards,
Zach Heaton
> On 20 Oct 2016, at 11:47, David Mueller <email@hidden> wrote:
>
> Are you using any 3rd party smart card modules such as CACkey? I noticed with CACkey many signed emails wouldn’t open at all in Mail.app; possibly those signed by certain DoD CAs. Though it may just have been that I didn’t wait long enough. With CACkey removed and using only Sierra’s native smart card support I haven’t seen the same slowdown.
>
> - David
>
>> On Oct 19, 2016, at 6:45 PM, Zachary Heaton <email@hidden> wrote:
>>
>> All,
>>
>> I’m seeing two potentially related problems on macOS Sierra, and would appreciate any insight the group can bring to bear.
>>
>> 1.) Signed e-mail messages (in both Outlook 2011 and Mail.app) are extremely slow to view. By my stopwatch, clicking on a signed e-mail message in Mail.app causes a delay of just over a minute (1:15) until the message renders. Outlook 2011 beachballs for a solid 2:40 before rendering.
>>
>> 2.) I’m seeing a *lot* of attempts in my console logs to receive OCSP responses and CRLs, and the frequency of these messages appears to spike when viewing signed e-mails. I suspect - but cannot confirm - that delays in CRL/OCSP processing are causing the signed mail handling delays I’m seeing in Mail.app and Outlook.
>>
>> To provide some context to “a lot of attempts,” here’s trustd trying to get the DISA CRL ten times in two minutes on behalf of Mail.app:
>>
>>> default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:23:33.723304 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:23:33.729636 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:03.390202 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:12.294463 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:12.703974 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:12.710549 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:24:50.110875 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:25:27.925725 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>
>> I’m also seeing very frequent OCSP/CRL requests even when Mail.app and Outlook 2011 are closed, including repeated requests to fpkia.gsa.gov (which doesn’t respond to HTTP) and frequent skipped requests to LDAP-hosted CRLs. Here are nine timeouts against fpkia.gsa.gov within a minute:
>>
>>> default 21:31:09.006026 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:16.490212 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:31:23.490405 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:31:30.986900 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:43.184087 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:50.184833 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:57.186106 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:32:04.190366 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:32:11.688503 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>
>> I’ve tried turning OCSP and CRL “Off” in Keychain Access, but am still getting these symptoms.
>>
>> Is anyone else seeing either of these issues on their systems, and/or does anyone have insight into possible solutions?
>>
>> Regards,
>> Zach Heaton
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
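The trustd log lines in Zach's original post, as an added example that is not part of the thread: a small Python script that parses the two message shapes he quoted (CRL fetches and GET timeouts), then flags URLs that trustd hits repeatedly inside a time window, so the "ten times in two minutes" observation can be measured instead of eyeballed. The regexes, the 120-second window and the threshold of 3 are assumptions; the sample input is a subset of the lines posted in the thread.

```python
import re
from datetime import datetime, timedelta

# The two trustd line shapes quoted in the thread ("default <time> <utc-offset> trustd <message>").
FETCH_RE = re.compile(r"^default (\S+) [+-]\d{4} trustd asynchronously fetching CRL "
                      r"\(([^)]+)\) for client \(([^)]+)\)$")
TIMEOUT_RE = re.compile(r"^default (\S+) [+-]\d{4} trustd Timeout during GET (\S+)$")

# Constructed sample input: a subset of the lines posted in the thread, mail quoting left in.
SAMPLE_LOG = """
>>> default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:23:33.723304 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>> default 21:31:09.006026 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:16.490212 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>> default 21:31:30.986900 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>> default 21:31:43.184087 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
"""

def parse_events(text):
    """Return (time, kind, url) for recognised trustd lines; anything else is ignored."""
    events = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ")  # tolerate copies pasted out of a mail reply
        if m := FETCH_RE.match(line):
            events.append((datetime.strptime(m[1], "%H:%M:%S.%f"), "fetch", m[2]))
        elif m := TIMEOUT_RE.match(line):
            events.append((datetime.strptime(m[1], "%H:%M:%S.%f"), "timeout", m[2].rstrip(".")))  # message ends URL with "."
    return events

def max_in_window(events, url, window_s):
    """Largest number of events for `url` that fall inside any window_s-second span."""
    times = sorted(t for t, _, u in events if u == url)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=window_s):
            start += 1
        best = max(best, end - start + 1)
    return best

def noisy_urls(events, window_s=120, threshold=3):
    """URLs hit at least `threshold` times inside some window, with fetch/timeout counts."""
    report = {}
    for url in {u for _, _, u in events}:
        n = max_in_window(events, url, window_s)
        if n >= threshold:
            kinds = [k for _, k, u in events if u == url]
            report[url] = {"max_in_window": n, "fetches": kinds.count("fetch"),
                           "timeouts": kinds.count("timeout")}
    return report
```

Feed it the output of `log show --predicate 'process == "trustd"'` (or a saved copy of it) to see which CRL/OCSP endpoints trustd is retrying most, which is the first thing to check before blaming the mail client.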