OCSP requests randomly appear in webpagetest.org results


When testing website performance with webpagetest.org, eventually some tests contain requests that I did not expect, as they have not been initiated by anything in my code (HTML, CSS, JavaScript). Even more surprisingly, the requesting user agent does not match the browser being used.

Example: https://www.webpagetest.org/result/170425_AH_NP7/1/details/#waterfall_view_step1

Although I run a test with Google Chrome, the second request is done by User-Agent: Microsoft-CryptoAPI/6.1 to Host: gm.symcd.com

Re-running the same tests usually results in a run without any of those requests.

This happens on www.webpagetest.org as well as on our company's local WPT installation on a Windows host.

The User-Agent first made me suspect Windows Update Agent as a source, but the host gm.symcd.com seems to belong to Symantec.

Has anyone experienced the same behaviour? What is the best way to prevent these unexpected requests?

2 answers

BEST ANSWER

Those seemingly random requests are OCSP lookups (RFC 2560: Online Certificate Status Protocol) to ensure SSL certificates are still valid and have not been revoked.

OCSP lookups by the client are only necessary if the server does not do OCSP Stapling (RFC 6961: Multiple Certificate Status Request Extension), which means it provides a signed authoritative OCSP response alongside the SSL certificate chain.

So, as Patrick Meenan pointed out, "the performance fix to make them not happen is to enable OCSP Stapling on the web server."

If the server does not staple the OCSP data, the client should make an OCSP request, unless it already has a valid cached response from a recent OCSP request. On a Windows client, the OCSP request will be submitted via the operating system's CryptoAPI unless there is already a valid cached response.

To ensure repeatable web page test results, tests should require the certificate cache to be empty at the start of a test, which on webpagetest.org is configured in Advanced Settings -> Advanced -> "Clear SSL Certificate Caches".

Answer

OCSP is used to check the revocation status of the certificate. The answer can be cached for a few days.

If you want to avoid the OCSP request to the CA, you can activate "OCSP stapling" on your server: your server will regularly do the request to the CA and serve the signed answer during the client handshake. It will save time for all your visitors.
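One way to verify the fix both answers describe, as an added example rather than code from the thread: a small POSIX shell helper that reads `openssl s_client -status` output and reports whether the server stapled an OCSP response (so the client-side CryptoAPI lookup seen in the waterfall is not needed). The sample outputs are constructed to mirror real s_client output; `check_host` and `classify_stapling` are my names, not part of any tool.

```shell
#!/bin/sh
# Added example (not from the original thread): decide from `openssl s_client -status`
# output whether a server stapled an OCSP response.

# Classify captured s_client output read from stdin. Prints one of:
#   stapled:<status>  (e.g. stapled:good, stapled:revoked)
#   not-stapled       (server answered the status_request extension with nothing)
#   unknown           (no recognisable OCSP section in the output)
classify_stapling() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
    echo not-stapled
    return 0
  fi
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
    echo "stapled:${status:-unparsed}"
    return 0
  fi
  echo unknown
}

# Live check against a real server (needs network). -status asks for a stapled
# response; -servername sends SNI so the right certificate is selected.
check_host() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
    | classify_stapling
}

# Constructed samples mirroring the relevant lines of real s_client output.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Apr 25 00:00:00 2017 GMT
======================================'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Usage: sh check_stapling.sh example.com [port]
if [ "$#" -gt 0 ]; then check_host "$1" "$2"; fi
```

Run it against your own host before and after enabling stapling; the expected change is from `not-stapled` to `stapled:good`.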