Pale Moon 28 & SEC_ERROR_OCSP_SERVER_ERROR on Restart w/session load. Topic is solved

kelendral

Pale Moon 28 & SEC_ERROR_OCSP_SERVER_ERROR on Restart w/session load.

Unread post by kelendral » 2018-09-17, 20:02

Pale Moon 28 and SEC_ERROR_OCSP_SERVER_ERROR on Restart and session load.
Pale Moon 28.0.1 64bit on Windows 64bit

Ok, I've been having an issue when restarting Pale Moon 28 if the Session that was last used had an SSL page as the selected tab.
I've narrowed down 2 causes:
1) Excessive amount of tabs that cause startup to take time
2) FEBE Backup pending, and accepting to do backup once restart pops the window, thus impacting start-up speed.

Addon Possibly Related to Issue:
Session Manager 0.8.1.13
FEBE 10.3

The error is below:
error wrote:
Secure Connection Failed

An error occurred during a connection to forum.palemoon.org.

The OCSP server experienced an internal error.

(Error code: SEC_ERROR_OCSP_SERVER_ERROR)

It is not a major issue, but more of a nuisance issue. At any time the issue is occurring I can use other browsers to access the impacted sites/domains. The problem will clear itself if I don't try to connect to any SSL sites for about 2-5 minutes after the issue has occurred (can be fixed immediately by using the avoidance method below). If I attempt connecting to SSL sites by selecting other tabs it takes longer to clear.
The issue can be fully avoided by selecting any Non-SSL (ex: http://www.classicshell.net) or About:<something> (ex: about:blank) tab before restarting and waiting for the browser to completely load before clicking any SSL tabs.

It appears that a delay or slowness during startup is causing the issue.
This seems to be affirmed by commentary on https://bugzilla.mozilla.org/show_bug.cgi?id=1014979

The workarounds listed there also appear to work here (as noted above, one must select a non-ssl tab).
Workaround #1: Restart Firefox. This flushes the OCSP cache.

Workaround #2: Flush OCSP cache by turning off "hard fail" OCSP (making sure to exit Firefox Options), and then turning "hard fail" OCSP back on.

I'm just noting the issue because I never had it prior to 28.
Last edited by kelendral on 2018-09-17, 20:07, edited 4 times in total.

Moonchild
Pale Moon guru
Posts: 35648
Joined: 2011-08-28, 17:27
Location: Motala, SE

Unread post by Moonchild » 2018-09-17, 21:03

Setting OCSP to hard-fail isn't a supported configuration of the browser. The problem you have is that restoring many tabs can exhaust the connection pool, which leaves no connections for OCSP requests. Normally, that is, in the supported configuration, this would fall back to other authentication methods. Once it fails, the OCSP failure will be cached.
As a workaround, the browser can be restarted, which clears the OCSP cache (note that the OCSP cache is not the same as the HTTP cache).
Last edited by Moonchild on 2018-09-17, 21:06, edited 1 time in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
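
Added example, not part of the thread and not Pale Moon or NSS code: a toy Python model of the behaviour described in the post above, where a session restore holds every connection, the OCSP lookup fails, and the failure is cached. The pool size of 6, the `FAILURE_TTL` and `GOOD_TTL` values and all class and function names are assumptions made for the illustration; the cache flush on toggling the setting follows workaround #2 quoted in the first post.

```python
FAILURE_TTL = 300   # assumed seconds a failed lookup stays cached (thread: 2-5 minutes)
GOOD_TTL = 3600     # assumed lifetime of a cached good response


class Validator:
    """Toy model of OCSP checking with a response cache (hypothetical names)."""

    def __init__(self, pool_size, hard_fail):
        self.free = pool_size          # connections not taken by tab restore
        self.hard_fail = hard_fail     # the "treat the certificate as invalid" checkbox
        self.cache = {}                # host -> (status, expires_at)

    def set_hard_fail(self, value):
        # Per workaround #2 in the thread, toggling the setting flushes the cache.
        self.hard_fail = value
        self.cache.clear()

    def _fetch(self):
        # With no free connection the OCSP request cannot be sent at all.
        return "good" if self.free > 0 else "failed"

    def check(self, host, now):
        status, expires = self.cache.get(host, (None, 0))
        if status is None or expires <= now:
            status = self._fetch()
            ttl = GOOD_TTL if status == "good" else FAILURE_TTL
            self.cache[host] = (status, now + ttl)
        if status == "good":
            return "ok"
        # Hard-fail turns a failed lookup into a connection error;
        # the default (soft-fail) lets the page load proceed.
        return "SEC_ERROR_OCSP_SERVER_ERROR" if self.hard_fail else "ok-soft-fail"


def restart_with_busy_pool(hard_fail):
    """Replay the reported sequence: HTTPS tab selected during a heavy restore."""
    v = Validator(pool_size=6, hard_fail=hard_fail)
    host = "forum.palemoon.org"
    v.free = 0                                # session restore holds every connection
    results = [v.check(host, now=0)]          # selected tab loads during restore
    v.free = 6                                # restore finished, pool is idle again
    results.append(v.check(host, now=60))     # failure is still cached
    results.append(v.check(host, now=301))    # cached failure expired, lookup retried
    return results
```

With hard-fail enabled the error persists after the pool is idle again, until the cached failure expires or the cache is flushed; with the default setting the same sequence never blocks the page.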

therube
Board Warrior
Posts: 1651
Joined: 2018-06-08, 17:02

Unread post by therube » 2018-09-18, 00:08

1) How many tabs?

And you are restoring them how? All at once? Three at a time? Only on demand?
How many windows?

Are you using non-default OCSP settings (Preferences)?

kelendral

Unread post by kelendral » 2018-09-18, 03:20

Far too many, well beyond normal, average, or even high usage users.
I've stated multiple times I use my browser as a research system with often between 400-600 tabs between 1 and 3 windows on a single profile. That is why I test for 1000 tabs (like I mentioned in a Basilisk thread).
It is also the reason I was not overly concerned with the issue. As I am as far as I understand an extreme edge case (some might say nut case).
It is also the reason Pale Moon is the only current browser I can use (any others I would have to run multiple windows under multiple profiles).

Session Manager - loads them all as pending except the one active tab.

As Moonchild pointed out my setting is non-standard and unsupported for the OCSP by enabling that checkbox. Hence I've marked that as the answer.

I wasn't so much looking for support as reporting the difference in behavior of 27 versus 28.
I've got workarounds (restarting only when non-SSL selected, or if I forget and don't want to wait the 5 minutes, hitting Preference > Advanced > Certificates and toggle the setting off hit OK then do the same and turn it back on).
Last edited by kelendral on 2018-09-18, 03:22, edited 1 time in total.

therube
Board Warrior
Posts: 1651
Joined: 2018-06-08, 17:02

Unread post by therube » 2018-09-18, 12:40

kelendral wrote:Session Manager - loads them all as pending except the one active tab.

So typically, on browser startup, only 3 pages load fully, even though 1000s are in your session history?

Does it matter what those 3 pages are?
As in if you open https://www.google.com/ in the 3 windows & quit PM, saving the session (1003 tabs, but google being the focused page in each window), on restart, you'll still get this error?
Last edited by therube on 2018-09-18, 12:41, edited 1 time in total.

kelendral

Unread post by kelendral » 2018-09-18, 12:56

Yes, you have that right.

The high numbers of tabs is a definite cause. Testing sessions in a single window of various counts happens at about 400.
Below 350 I did not get the issue unless I also failed to let FEBE backup run, and it tried to combine that backup with the startup (as in I said OK backup now when the prompt appeared on startup).

It is minor overall, and after reading up a bit I've switched that setting back to unchecked and left it. Thus problem solved by bringing my settings back in line with defaults for OCSP (Unchecked: When an OCSP server connection fails, treat the certificate as invalid).

Moonchild
Pale Moon guru
Posts: 35648
Joined: 2011-08-28, 17:27
Location: Motala, SE

Unread post by Moonchild » 2018-09-18, 15:07

Please note that using hundreds or thousands of tabs is outside of the browser's design scope. Issues may arise if you use huge numbers of tabs.

kelendral

Unread post by kelendral » 2018-09-18, 16:34

Absolutely understood (as I said some might call me a nut case, not just edge case). The only other browser I know that even reliably loads the size sessions I deal with is Basilisk (just takes a bit longer). That is an amazing set of accomplishments.

As such I profusely thank you and the rest of the team for Pale Moon for making a browser for the quality of work you all do. My life and my job would be magnitudes more difficult if not for the awesome performance and reliability of Pale Moon. I remember years ago when I left FF for Pale Moon it was not unusual to have FF crash 20 or more times in a day. By contrast, Pale Moon handles my usage with ease, speed, and reliability (there have been times the browser hasn't been restarted in several days).

Thank you all once again from a fan of your work.
Last edited by kelendral on 2018-09-18, 16:36, edited 3 times in total.

kelendral

Unread post by kelendral » 2018-09-20, 19:59

FWIW: I know it is unsupported and I plan to change it back to unchecked but I had to try given the release notes for 28.1.0 about faster startup and tab restore.

Enabled (Checked: When an OCSP server connection fails, treat the certificate as invalid).

Session with 633 tabs, no error. Tried many times and I'm unable to reproduce.
Restore isn't just faster, it is WAY faster. The whole session, including re-aligning the tabs in tab bar, indenting, restoring their tab kit grouping and coloring was done in under 30 seconds.

Awesome job!

OK, now back to (Unchecked: When an OCSP server connection fails, treat the certificate as invalid) to go back to a more supported configuration.
Last edited by kelendral on 2018-09-20, 20:04, edited 1 time in total.

Moonchild
Pale Moon guru
Posts: 35648
Joined: 2011-08-28, 17:27
Location: Motala, SE

Unread post by Moonchild » 2018-09-20, 20:10

kelendral wrote:Session with 633 tabs, no error. Tried many times and I'm unable to reproduce.
Restore isn't just faster, it is WAY faster. The whole session, including re-aligning the tabs in tab bar, indenting, restoring their tab kit grouping and coloring was done in under 30 seconds.

Awesome job!

Great to hear that our work on performance issues is paying off on such a heavy profile!