PfSense GUI unresponsive for 10 sec on each and every new page



  • Hello!

    I have one computer (Win 7 64bit) that becomes unresponsive for 10 sec since last week whenever I try to reach one of the pfSense GUIs from Firefox 32.0.3 (was it after the update to the latest version? maybe…). Not with Internet Exploder, not from Linux using Firefox on the same machine (dual boot). Not with any other page on the internet or LAN.

    There was something really strange with this very computer/firefox last week: I updated one box by inserting a new (really NEW) CF-card with 2.1.5 nano 32 4GB on it and on the first boot I had the trouble with the GOLD menu, but only FOR THIS SINGLE BOX, while I had in another firefox tab the GUI of another pfSense box that had no GOLD menu issue. VERY STRANGE...

    I started a wireshark (from the moment I hit ENTER in firefox to reach the pfSense at 10.0.0.1 to the moment the login window of the GUI comes up, i took about 10 sec.), but it tells me nothing.

    Worst thing: the 10 sec hang you see between each and every screen on pfSense (i.e. if you open up something from the menu, etc. pp.) so you can not use the computer to manage pfSenses...

    PS: There is a Win7 64 with the same firefox, same plugins (even same versions of plugins) directly besides this computer, and this one has no problem at all.



  • I have seen problems with Firefox taking long periods of time to validate certificates when connecting to the pfSense web GUI in the past.

    When I dug into it more, I examined the certificate store of Firefox and found that I had many CA (Certificate Authority) certificates stored under the same generic name that gets used for the web GUI certificate because I had connected to many different pfSense boxes and stored the CA's to be permanently trusted. It seems that at some point you start to hit a resource limit when you have too many of them stored. I tried deleting out all of them and after that the web GUI loaded much faster.

    It might not be the same problem you are having, but it could be worth checking into as some of the symptoms sound similar. You can check it by going to the Preferences. Under the Advanced section, go to the Certificates tab and click on the View Certificates button. A Certificate Manager window should pop up. Select the Authorities tab, scroll down and look for the heading "CompanyName" (should appear right after Comodo CA Limited). If there are lots of entries for "Common Name (eg YOUR name)" under "CompanyName", try deleting a bunch of them.



  • YEAH, that did the trick! Back to normal! But strangely, although I deleted ALL the CAs, firefox does not distrust the site when I navigate to the login page… some kind of cache involved, I guess?



  • I had been having Firefox (32.0.3) take about 15–20 seconds to display the login page, using all the CPU available while it was waiting to open. Then with the dashboard displayed, Firefox would send the CPU running 100% every few minutes, and the burst of activity would last 1 or 2 minutes. It made anything inn Firefox as good as unusable for that time.
    Opera and Google Chrome did not show the same problem.
    I knew the problem had been there a couple of weeks. Went back to Firefox 24, then 28, 29 and 30 - no problem in any of those;
    Installed Firefox 31 - the symptoms appear. Tried 32, 33 (beta) aand 34 (aurora) - they alll have these symptoms.
    Then I looked in the forum and saw this post - deleted the "CompanyName" certificates as described above. Now all seems well.
    As chemlud reports, no certificate comes back under tthis name. I looked through the list of certificates and there did not seem to be any new one added. And Firefox did not give me the warning about the site not being trusted.



  • A few more links that support the idea that this problem is related to Firefox 31 and certificates for sites (like private pfSense) that do not validate on the public internet:
    Exciting Updates to Certificate Verification in Gecko https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
    Google groups discussion: https://groups.google.com/forum/#!msg/mozilla.dev.tech.crypto/EbWse7Ryj8I/mgNRW4yGAwU
    Mozilla bug (not exactly the symptoms we have here, but an example where accessing a private device has gone wrong): https://bugzilla.mozilla.org/show_bug.cgi?id=1044441



  • I had comparable symptoms (hanging on login) with a Firefox ESR 31.1.0 (opensuse 12.3 64bit), but both machines didn't go to 100% CPU (iirc, other applications worked fine and the machines are in general slightly overpowered). Deleted CompanyName CAs and the machine went back to normal, but again without distrusting the pfSense certificates.