Turning on OCSP by default is bug 110161.
The lack of an OCSP cache is one issue. A harder issue is that NSPR's
nonblocking model is not capable of passing the information needed to do
nonblocking OCSP queries during an SSL handshake.
When I last tried turning OCSP on, Verisign had screwed up OCSP
responders. Their responders would fail to respond to the OCSP queries
sent by NSS. As a result, if you enabled OCSP in Mozilla, every time
you did a handshake with a server using a Verisign cert, Mozilla would
hang for 30 seconds, timing out on the OCSP responder.
Now, Verisign has probably since fixed their OCSP responders. But the
problem is that if an OCSP responder is horked, that can easily cause
Mozilla to hang for 30 seconds. This is not a "web site takes a long
time to respond" hang, this is a "mozilla becomes completely
nonresponsive" hang. And the limitations in NSPR's IO layering APIs
make this extremely difficult to fix.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
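The hang the message describes comes down to one blocking read whose only bound is the 30 second timeout. The Python below is an added illustration, not NSS or NSPR code: a constructed stand-in responder that accepts the TCP connection but never answers, and a query that bounds the wait and reports the check as inconclusive instead of stalling the caller. The function names and the request stub are hypothetical.

```python
import socket
import time

# Constructed stand-in for the misbehaving responder: it accepts the TCP
# connection (the kernel completes queued connections even though accept()
# is never called) but never writes a single byte back.
def start_silent_responder():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

# Hypothetical request bytes; a real client sends a DER-encoded OCSPRequest
# as the body. This responder ignores them anyway, which is the point.
OCSP_REQUEST_STUB = b"POST / HTTP/1.0\r\nContent-Type: application/ocsp-request\r\n\r\n"

def query_ocsp(port, deadline_s):
    """Ask the responder on `port`, giving up after `deadline_s` seconds.

    Returns (status, elapsed_seconds). Bytes received are reported as
    'response' (parsing the DER OCSPResponse is out of scope here); nothing
    before the deadline is 'unknown'. With deadline_s=None the recv() below
    becomes the unbounded wait that froze the whole browser."""
    start = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=deadline_s) as s:
            s.sendall(OCSP_REQUEST_STUB)
            data = s.recv(4096)
    except socket.timeout:
        return "unknown", time.monotonic() - start
    return ("response" if data else "unknown"), time.monotonic() - start

def handshake_with_revocation_check(port, deadline_s, hard_fail=False):
    """Decide whether the handshake may proceed given the responder's behaviour.

    Soft-fail (default) treats 'unknown' as an inconclusive check and
    continues; hard-fail aborts. Either way the caller waits at most
    deadline_s rather than a fixed 30 s per handshake."""
    status, elapsed = query_ocsp(port, deadline_s)
    if status == "unknown" and hard_fail:
        return "abort", elapsed
    return "continue", elapsed

if __name__ == "__main__":
    srv, port = start_silent_responder()
    try:
        print(handshake_with_revocation_check(port, deadline_s=0.5))
    finally:
        srv.close()
```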
