Solved

"Check publisher's certificate revocation" - is this slowing down our Managed Code Applications?

Posted on 2007-07-25
Last Modified: 2013-11-07
If the text of this article is true:

       http://blogs.msdn.com/euanga/archive/2006/07/11/662053.aspx

then every time our .NET applications are started up by an end user, Microsoft Windows does a "phone home" to check if we are trusted code publishers or not? Firstly, I find this outrageous from a privacy point of view, and secondly, it's slowing down our code at startup...

I first found this blog a while back when SQL Server Management Studio was slow to start up, and sure enough, applying the Internet Explorer options change sped up the startup time considerably.

I was just testing my rather large and complex ASP.NET + VB.NET application on two servers, one a VM and one not, and found that the application was considerably slower at startup than on my development machine. Now I have just applied the same "Check publisher's certificate revocation" change to these machines and the application does seem considerably faster.

So, does anyone have a deeper understanding of this "phone home"? Does it always happen? And is there a way to stop it happening for a particular application without changing the "Check publisher's certificate revocation" flag in IE7, which obviously affects the whole computer?

thanks
Question by:plq
11 Comments
 
LVL 14

Expert Comment

by:NBSO_ISS
ID: 19564458
This is not exactly what is happening. Here is some info on certificate revocation.

http://amug.org/~glguerin/opinion/revocation.html

The CRL (Certificate Revocation List) is being checked in order to ensure that all of the assemblies are signed with a valid Microsoft cert.  It may be a proxy setting that is causing this process to timeout and therefore slowing the code.  I will look into this further.
 
LVL 14

Expert Comment

by:NBSO_ISS
ID: 19564521
Here is what I found so far:

One issue that can cause this problem is that if the server does not have access to the internet, then the .NET framework can't access the crl.microsoft.com website to verify that the digital signatures used to sign the binaries for managed applications are valid. Each certificate check has a 15 second timeout in the .NET runtime implementation. Depending on what features are installed, this can add up to a minute of start up time for Management Studio.

There are a couple of workarounds:

1) Configure a proxy server to allow access to http://crl.microsoft.com from your server.
2) Configure your firewall to return a failure status quickly when it blocks access to the http://crl.microsoft.com website.
3) Disable checks for certificate revocation. You can do this using Internet Explorer by opening the Internet Options dialog, going to the Advanced page, and then unchecking the "Check for publisher's certificate revocation" checkbox. There are fraudulently signed binaries in the wild that can make virus-infected applications look like they were published by Microsoft. Disabling this check should probably not be done on machines with internet access.

by Wei Lu (http://www.developersdex.com/sql/message.asp?p=1926&ID=%3Cbi6a83lj26d12l9l6arcu2kkg6dca8pj8k%404ax.com%3E)

I would not recommend the third solution (this can cause BIG problems and allow users to access invalid controls/sites that could contain malicious code)
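The three outcomes behind workarounds 1 to 3 above (the CRL host answers, the firewall rejects the connection quickly, or the firewall silently drops it and the runtime waits out its per-certificate timeout) are easy to tell apart with a small probe. The following is an added example written for this page, not code from the thread or from Microsoft: it does a plain HTTP GET with a timeout and classifies the result, and it ships with constructed local listeners so it can be exercised offline. Only the host name crl.microsoft.com is taken from the thread; the request path is a placeholder, since the real CRL URL is whatever the signing certificate's CRL Distribution Point extension names, and the 15 second figure in `startup_penalty` is the one quoted above.

```python
"""Probe whether an HTTP CRL endpoint answers, fails fast, or silently drops.

Added example for this page, not code from the thread. The verdicts map onto
the quoted workarounds: "reachable" (proxy/firewall allows it), "fast-fail"
(firewall returns an error at once, cheap), "silent-drop" (packets are
dropped and the caller waits out its full timeout, the expensive case).
"""
import socket
import threading
import time

# Assumption: only the host name comes from the thread. The real CRL path is
# taken from the signing certificate's CRL Distribution Point; "/" is a stand-in.
DEFAULT_HOST = "crl.microsoft.com"


def probe(host, port=80, path="/", timeout=5.0):
    """Return (verdict, seconds_elapsed) for one HTTP GET attempt.

    verdict is one of:
      "reachable"   - an HTTP status line came back
      "fast-fail"   - DNS failure, connection refused or unreachable
      "silent-drop" - nothing within `timeout`
      "closed"      - connected, but the peer closed without an HTTP reply
    """
    request = "GET {} HTTP/1.0\r\nHost: {}\r\n\r\n".format(path, host).encode()
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            conn.sendall(request)
            data = conn.recv(1024)
    except socket.timeout:                  # must precede OSError (subclass)
        return "silent-drop", time.monotonic() - start
    except OSError:                         # gaierror, ECONNREFUSED, EHOSTUNREACH
        return "fast-fail", time.monotonic() - start
    elapsed = time.monotonic() - start
    return ("reachable" if data.startswith(b"HTTP/") else "closed"), elapsed


def startup_penalty(verdict, signed_assemblies, per_check_timeout=15.0):
    """Seconds added to startup if each signed assembly triggers one check
    that has to wait out the timeout. 15 s is the per-check figure quoted in
    the thread; successes and fast failures cost roughly nothing."""
    return signed_assemblies * per_check_timeout if verdict == "silent-drop" else 0.0


# --- constructed local fixtures so the probe can be exercised offline -------

def start_local_server(reply):
    """Listen on 127.0.0.1 at an ephemeral port.
    reply=None  : accept and never answer (models a firewall that drops).
    reply=bytes : read the request, send `reply`, close (models a live host).
    Returns (port, stop_event)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                     # lets the loop notice stop_event
    port = srv.getsockname()[1]
    stop = threading.Event()
    held = []

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if reply is None:
                held.append(conn)           # keep it open, say nothing
                continue
            conn.settimeout(2.0)
            try:
                conn.recv(4096)             # drain the request before closing
                conn.sendall(reply)
            except OSError:
                pass
            conn.close()
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def unused_local_port():
    """A port nothing listens on, so a connect to it is refused at once."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_local_server(reply=None)
    print("black hole :", probe("127.0.0.1", port, timeout=1.0))
    stop.set()
    print("refused    :", probe("127.0.0.1", unused_local_port(), timeout=1.0))
    print("live target:", probe(DEFAULT_HOST, timeout=5.0))
```

Run it from the affected server: a "silent-drop" verdict with a multi-second elapsed time is the signature of the problem described above, and multiplying by the number of Authenticode-signed assemblies the application loads gives the startup delay to expect. A "fast-fail" verdict is what workaround 2 produces, and it is also why the hosts-file trick later in this thread helps: a name that resolves to 127.0.0.1 is refused (or answered by the local web server) immediately instead of hanging.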
 
LVL 8

Author Comment

by:plq
ID: 19564615
thanks for this

These machines are straight through a Cisco 501 to an 8MB broadband connection, so I would be surprised if the CRL HTTP call was being blocked unless the ISP is blocking it. Since it's broadband and not a dedicated line, the upload speeds will be slower, probably 256k upload, since I can FTP out at about 29 kbytes/s.

I certainly experienced SSMS (sql mgt studio) startup times of around 30 seconds before unticking that IE option, as opposed to 6 seconds with it unticked.

So I also wonder just how many queries it's sending up there? Perhaps one for each managed code DLL?

I am going to read up on your suggestions some more later, but would welcome any other opinions in the meantime..
 
LVL 14

Expert Comment

by:NBSO_ISS
ID: 19568714
It might not hurt to run a network analyser on your server to further debug the problem...

http://www.ethereal.com/download.html
 
LVL 8

Author Comment

by:plq
ID: 19575970
OK, suggestion 3 above was what I was doing to speed it up in the first place.

Suggestions 1 and 2 cannot be applied into each corporate environment in which our software was installed. Really I am looking for a way of trusting our applications so that the phone home is not done when the app starts up.

 
LVL 14

Expert Comment

by:NBSO_ISS
ID: 19576147
Are you digitally signing your .NET assemblies?
 
LVL 8

Author Comment

by:plq
ID: 19576436
No!! Should I? I mean, would that stop the phone home? If so, why does SQL Server Management Studio phone home?
 
LVL 14

Expert Comment

by:NBSO_ISS
ID: 19576456
No.  One suggestion I found was to not digitally sign your assemblies, I will keep looking for a better solution than #3.
 
LVL 14

Accepted Solution

by:
NBSO_ISS earned 2000 total points
ID: 19576822
What .dll's are you using in your application?

I have read that some companies will provide unsigned .dll's to prevent the crl lookup.  It is the Authenticode digital signatures that are causing the problem.
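The thread never found the per-application switch the asker was after, but one does exist and is worth recording here for anyone hitting this today. It is not mentioned by any participant above; it comes from the .NET Framework configuration documentation. What the runtime is doing at startup is building Publisher evidence (the Authenticode identity of each assembly) for Code Access Security, and that is the step that fetches the CRL. From .NET Framework 2.0 SP1 (also 3.0 SP1 and 3.5, which post-date this question) the `generatePublisherEvidence` element turns that step off for one application, in its `.exe.config`; for ASP.NET it goes in the framework's `Aspnet.config` rather than `Web.config`. This is an added configuration example, not the asker's or any vendor's file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <!-- Do not build Publisher (Authenticode) evidence when assemblies load,
         so the runtime makes no CRL lookup for signed assemblies this
         application loads. Honoured by .NET Framework 2.0 SP1, 3.0 SP1, 3.5. -->
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>
```

Unlike the Internet Explorer checkbox, this affects only the one application and only CAS Publisher evidence (which is only consulted by a policy using the Publisher membership condition, something very few applications rely on); Windows' own checks on signed binaries, and the IE setting on the rest of the machine, are untouched. .NET Framework 4 and later do not generate publisher evidence by default, so the switch matters for 2.0 SP1 through 3.5 applications. Asking vendors for unsigned DLLs, as suggested above, works but throws away the signature for every customer; this keeps it.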
 
LVL 8

Author Comment

by:plq
ID: 19576852
1. Telerik Radchart latest version
2. Data Dynamics ActiveReports v3
3. Crystal Reports default dlls you get with .net

[back tomorrow] - maybe I will contact those first two vendors and see if they can give me unsigned dlls if they are signed..

thanks
 

Expert Comment

by:KoenHeyns
ID: 21675456
Adding
127.0.0.1 crl.microsoft.com
in the HOSTS file on your web server gives you a 5 to 10 second gain in performance if you are running non-Microsoft .NET applications like Infragistics or DNN.
For every non-Microsoft DLL your web server tries to reach crl.microsoft.com outside but can't in a safe datacenter setup. The timeout for the check is 5 seconds per certificate...
