We've seen in bug 1555306 that sometimes OCSP (and other?) requests can take much longer than anticipated on low-end/reference HW, up to 900ms.

It appears from the profile http://bit.ly/2KgksLY that Socket Thread, SSL Cert #2 (requesting the OCSP), SSL Cert #5 and SSL Cert #6 are all fighting over find_objects() and the sqlite cert database, presumably greatly slowing down actually sending the OCSP request.

The thing is that we do I/O - sqlite read - under (probably) this lock: devtoken.c - mozsearch.

These seem to be largely due to calling CERT_CreateSubjectCertList and CERT_NewTempCertificate. In bug 1552262 I'm working on something that, in combination with intermediate preloading (bug 1535662), should allow us to avoid calling CERT_CreateSubjectCertList during certificate verification in the common case (verifying a certificate from the web PKI). Avoiding calling CERT_NewTempCertificate is a lot more work, but would also be beneficial for a number of reasons, including hopefully making bug 1513458 much less frequent. In short, I don't think there's a simple fix here, but there are steps we can take to decrease this contention.

The priority flag is not set for this bug.
:keeler, could you have a look please?

For more information, please visit auto_nag documentation.

bug 1555306 should take care of this.