Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- Subject: Re: [Fed-Talk] Signed e-Mail sluggishness, overly-aggressive OCSP attempts on 10.12
- From: Gregory Adair <email@hidden>
- Date: Thu, 20 Oct 2016 19:17:45 -0700
Zach,
I found that trusting the smime option when selecting individuals' certs in Keychain will make mail messages (in Outlook) from those individuals load much faster. This is good if you have a core team; however, you still see the sluggish behavior with other signed emails. Hope this helps.
V/R,
Greg
________________
Gregory Adair
Sent from my iPhone.
> On Oct 20, 2016, at 7:06 PM, Zachary Heaton <email@hidden> wrote:
>
> David,
>
> I am not using any third party modules, just the Sierra native support. Thanks for the suggestion!
>
> Regards,
> Zach Heaton
>
>> On 20 Oct 2016, at 11:47, David Mueller <email@hidden> wrote:
>>
>> Are you using any 3rd party smart card modules such as CACkey? I noticed with CACkey many signed emails wouldn’t open at all in Mail.app; possibly those signed by certain DoD CAs. Though it may just have been that I didn’t wait long enough. With CACkey removed and using only Sierra’s native smart card support I haven’t seen the same slowdown.
>>
>> - David
>>
>>> On Oct 19, 2016, at 6:45 PM, Zachary Heaton <email@hidden> wrote:
>>>
>>> All,
>>>
>>> I’m seeing two potentially related problems on macOS Sierra, and would appreciate any insight the group can bring to bear.
>>>
>>> 1.) Signed e-mail messages (in both Outlook 2011 and Mail.app) are extremely slow to view. By my stopwatch, clicking on a signed e-mail message in Mail.app causes a delay of just over a minute (1:15) until the message renders. Outlook 2011 beachballs for a solid 2:40 before rendering.
>>>
>>> 2.) I’m seeing a *lot* of attempts in my console logs to receive OCSP responses and CRLs, and the frequency of these messages appears to spike when viewing signed e-mails. I suspect - but cannot confirm - that delays in CRL/OCSP processing are causing the signed mail handling delays I’m seeing in Mail.app and Outlook.
>>>
>>> To provide some context to “a lot of attempts,” here’s trustd trying to get the DISA CRL ten times in two minutes on behalf of Mail.app:
>>>
>>>> default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:23:33.723304 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:23:33.729636 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:24:03.390202 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:24:12.294463 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:24:12.703974 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:24:12.710549 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:24:50.110875 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>> default 21:25:27.925725 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
>>>
>>> I’m also seeing very frequent OCSP/CRL requests even when Mail.app and Outlook 2011 are closed, including repeated requests to fpkia.gsa.gov (which doesn’t respond to HTTP) and frequent skipped requests to LDAP-hosted CRLs. Here’s nine timeouts against fpkia.gsa.gov within a minute:
>>>
>>>> default 21:31:09.006026 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>>> default 21:31:16.490212 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>>> default 21:31:23.490405 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>>> default 21:31:30.986900 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>>> default 21:31:43.184087 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>>> default 21:31:50.184833 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>>> default 21:31:57.186106 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>>> default 21:32:04.190366 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
>>>> default 21:32:11.688503 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
>>>
>>> I’ve tried turning OCSP and CRL “Off” in Keychain Access, but am still getting these symptoms.
>>>
>>> Is anyone else seeing either of these issues on their systems, and/or does anyone have insight into possible solutions?
>>>
>>> Regards,
>>> Zach Heaton
>>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
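As an added example (not code from the thread or from Apple's tooling), a small Python script that parses the two trustd message shapes quoted above and summarizes them per URL: how often a CRL was re-fetched inside one time window, and how many GET timeouts each endpoint produced. The sample input is an excerpt copied from the quoted log, and the two-minute window and fetch threshold are assumed values for flagging a burst like the ten DISA CRL fetches Zach describes.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Sample input: trustd lines copied from the thread above, with the quote markers stripped.
SAMPLE_LOG = """\
default 21:23:31.219821 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:23:33.319768 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:24:03.390202 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:25:27.925725 -0400 trustd asynchronously fetching CRL (http://crl.disa.mil/crl/ECAROOTCA2.crl) for client (Mail[1192])
default 21:31:09.006026 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
default 21:31:16.490212 -0400 trustd Timeout during GET http://fpkia.gsa.gov/FBCA/CAcertsIssuedToFBCA.p7c.
default 21:31:30.986900 -0400 trustd Timeout during GET http://fpkia.gsa.gov/CommonPolicy/CommonPolicyRoot.p7c.
"""
# The two message shapes quoted in the thread: a CRL fetch on behalf of a client, and a GET timeout.
LINE_RE = re.compile(
    r"^default (?P<time>\d\d:\d\d:\d\d\.\d+) [+-]\d{4} trustd (?:asynchronously fetching CRL "
    r"\((?P<crl>[^)]+)\) for client \((?P<client>[^)]+)\)$|Timeout during GET (?P<tmo>\S+?)\.?$)")

def parse_line(line):
    """Return (timestamp, kind, url, client) for a trustd fetch or timeout line, else None."""
    m = LINE_RE.match(line.strip().lstrip("> "))
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%H:%M:%S.%f")
    if m.group("crl"):
        return ts, "fetch", m.group("crl"), m.group("client")
    return ts, "timeout", m.group("tmo"), None

def max_in_window(times, window):
    """Largest number of timestamps that fall inside any single span of length `window`."""
    times, best, j = sorted(times), 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:  # slide the window start forward
            j += 1
        best = max(best, i - j + 1)
    return best

def summarize(log, window=timedelta(minutes=2), threshold=4):
    """Per-URL fetch and timeout counts, plus URLs re-fetched >= threshold times inside one window."""
    events = [r for r in map(parse_line, log.splitlines()) if r]
    fetches = defaultdict(list)
    for ts, kind, url, _client in events:
        if kind == "fetch":
            fetches[url].append(ts)
    timeouts = Counter(url for _, kind, url, _ in events if kind == "timeout")
    bursts = {u: max_in_window(t, window) for u, t in fetches.items()}
    return {"fetches": {u: len(t) for u, t in fetches.items()},
            "timeouts": dict(timeouts),
            "flagged": {u: n for u, n in bursts.items() if n >= threshold}}
```

Feeding it the output of `log show --predicate 'process == "trustd"'` (or a saved console export) gives a quick picture of which revocation endpoints are being hammered and which never answer.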