On Fri, Feb 7, 2014 at 11:13 AM, David Keeler <dkee...@mozilla.com> wrote:
> On 02/07/14 10:31, ISHIKAWA, Chiaki wrote:
>> Message:
>> [10549] WARNING: Security network blocking I/O on Main Thread: file
>> /REF-COMM-CENTRAL/comm-central/mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp,
>> line 422

David's explanation is mostly correct for Firefox (but see below).
However, for Thunderbird that warning occurs because Thunderbird is
blocking the main thread waiting for network I/O (and disk I/O).
Thunderbird should be fixed so that it stops doing network I/O on the
main thread. Then this warning will go away.

> AddonUpdateChecker.jsm calls CertUtils.checkCert, which traverses the
> peer's certificate chain (in an inefficient way, but that's beside the
> point). Getting a certificate's chain causes a verification to happen,
> which often results in network IO. This is in part due to the legacy
> certificate verification library we're currently hard at work replacing.

Even after insanity::pkix lands, it won't be OK to do certificate
verification on the main thread because OCSP requests would result in
the main thread blocking on network I/O. There is a bug tracking the
removal of main-thread certificate verification:
https://bugzilla.mozilla.org/show_bug.cgi?id=775698.

Cheers,
Brian

On Fri, Feb 7, 2014 at 11:13 AM, David Keeler <dkee...@mozilla.com> wrote:
> On 02/07/14 10:31, ISHIKAWA, Chiaki wrote:
>> Message:
>> [10549] WARNING: Security network blocking I/O on Main Thread: file
>> /REF-COMM-CENTRAL/comm-central/mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp,
>> line 422
>
> This generally happens when JavaScript calls a function on an
> nsIX509Cert that attempts to verify it synchronously. If the certificate
> has an OCSP URI, network IO will block the main thread. For instance,
> AddonUpdateChecker.jsm calls CertUtils.checkCert, which traverses the
> peer's certificate chain (in an inefficient way, but that's beside the
> point). Getting a certificate's chain causes a verification to happen,
> which often results in network IO. This is in part due to the legacy
> certificate verification library we're currently hard at work replacing.
> In short, this is not legitimate main thread IO, but it's being fixed.
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform



-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)