Chrome SSL + AJAX problem

 web  No Responses »
Oct 012011
 

I have a web application running of https://mydomain.com , which then issue ajax calls. Recently, some of my useres, complains that AJAX calls timeout/fail from time to time, despite the main UI loads fine.

I looked at the server log, and ask user to try again, then I found those calls never reach server!

Luckily I am able to remote re-produce the problem on user’s machine, I opened chrome’s developer console, and found this:

XXX mydomain.com/api GET (cancel) text/plain 30B 0B 0ms 0ms 0ms

Why are my calls canceled? In this case, my callback get a status_code = 0. Okay, then I think I should trace this call.

I open a new tab with chrome://net-internals, navigate to Events Tab. Filter it by “mydomain.com”, There’s a few red entries, indicating problems.

One of the entry shows

ssl/mydomain.com:443

Start Time: Sun Oct 02 2011 00:46:24 GMT-0700 (Pacific Daylight Time)

t=1317541584591 [st= 0] +SOCKET_POOL_CONNECT_JOB             [dt=10]
t=1317541584591 [st= 0]    +SOCKET_POOL_CONNECT_JOB_CONNECT  [dt=10]
                            --> group_name = "ssl/mydomain.com:443"
t=1317541584591 [st= 0]        HOST_RESOLVER_IMPL            [dt= 1]
t=1317541794095 [st=  0]       +SOCKET_POOL                   [dt= 22]
t=1317541794117 [st= 22]           SOCKET_POOL_BOUND_TO_CONNECT_JOB  
                                   --> source_dependency = {"id":1485081,"type":4}
t=1317541794117 [st= 22]           SOCKET_POOL_BOUND_TO_SOCKET  
                                   --> source_dependency = {"id":1485083,"type":5}
t=1317541794117 [st= 22]       -SOCKET_POOL                   
t=1317541794216 [st=121]        CONNECT_JOB_SET_SOCKET        
                                --> source_dependency = {"id":1485083,"type":5}
t=1317541794216 [st=121]    -SOCKET_POOL_CONNECT_JOB_CONNECT  
                             --> net_error = -200 (CERT_UNABLE_TO_CHECK_REVOCATION)
t=1317541794216 [st=121] -SOCKET_POOL_CONNECT_JOB

Wait, what? Then I open my website directly in the tab, click on the padlock icon, open up the certifacte and found the CRL service from godaddy. Then I tried to fetch that in the chrome, no wonder! It stalls!

Okay, now it is clear, Chrome won’t fire my request because it is not able to check the CRL on my certificate, it is probably for security reason, but that is a very hard dependency on godaddy CRL service being up, what can I do about that?!

If you meet the same problem, please star/comment on http://code.google.com/p/chromium/issues/detail?id=98794