As you might know, my day job is about embedded Linux devices, and as with all modern network-connected devices you want TLS-encrypted connections to them – which leads to all kinds of problems, especially with certificates. What we do here: let each device create its own self-signed certificate and teach the users to ignore the warnings in the web browsers. [1]
So almost all of our devices share the same CommonName (CN) and Issuer, and when developing I connect to many of them over time. So far no big deal; however, Mozilla Firefox does not like all those similar but not identical certificates. It gets slow over time, really slow, so slow that connections to the devices run into timeouts. Other sites are not affected, however.
My colleague ran into this last year; my browser was not affected until today. What he did: start over with a new user profile in Firefox. That works, but all your add-ons and customizations are gone. You could of course also use another browser. Well, I did not want that, so I searched the web for a cause or even a solution.
I found the blog post “Troubleshoot Firefox’s ‘Performing TLS Handshake’ Message”, and it gave me a hint for a working workaround. What I did: delete these two files from my profile (while Firefox was not running):
- cert8.db
- cert9.db
That did it; connections to my devices are nice and fast again. I still have to search for the bug report at the Mozilla Firefox project next …
Update: I tried to find matching bug reports, and found some:
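As an added example (not from the original post), here is a small POSIX shell function that does the same reset more carefully: it moves cert8.db and cert9.db into a backup folder instead of deleting them (cert9.db also holds any CA or client certificates you imported by hand), and it refuses to touch a profile that is still locked. The lock file names `lock` (a dangling symlink on Linux) and `.parentlock` are an assumption based on Linux builds of Firefox; check your platform.

```shell
#!/bin/sh
# Added example, not part of the original post.
# reset_cert_db PROFILE_DIR
#   Moves cert8.db / cert9.db out of a Firefox profile into a timestamped
#   backup directory and prints the number of files moved.
#   Returns 1 if the profile looks in use, 2 if the directory does not exist.
reset_cert_db() {
    profile="$1"
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 2; }

    # Assumption: a running Firefox keeps "lock" (usually a dangling symlink,
    # so -e alone would miss it) and ".parentlock" in the profile directory.
    if [ -e "$profile/lock" ] || [ -L "$profile/lock" ] || [ -e "$profile/.parentlock" ]; then
        echo "profile appears to be in use, close Firefox first" >&2
        return 1
    fi

    backup="$profile/certdb-backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" || return 2

    moved=0
    for db in cert8.db cert9.db; do
        if [ -f "$profile/$db" ]; then
            # Keep the old database around: restoring it is just a move back.
            mv "$profile/$db" "$backup/$db" || return 2
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
    return 0
}

# Usage: ./reset_cert_db.sh ~/.mozilla/firefox/<profile>
if [ "$#" -gt 0 ]; then
    reset_cert_db "$1"
fi
```

Firefox recreates an empty cert9.db on the next start; re-import any CA or client certificates from the backup directory afterwards if you need them.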
- 1056341 – mozilla::pkix spends too much time attempting to build a valid path when there are many possible paths
- 1474963 – Firefox stalls after TLS handshake on self signed certificate – bug 1056341 not corrected
[1] Yes, we are aware of the problems, it’s complicated …