Solved

WCF Certificates and CA Signed Certificate Processing Delays.

Posted on 2014-08-07
Last Modified: 2014-09-15
Hi all,

I am curious and maybe somebody can help shed some light or be able to make a suggestion.

I have a web service that does mutual authentication and it seems to take over a minute on a complete round trip.

We have tried with self-signed certificates and it's taking, at most, like 20 seconds for a complete round trip; I would say the average is about 7 seconds.

Now, we utilize a CA signed certificate and the process jumps to over a minute round trip. 1:09 average.

For the CA's certificates we are putting them in the MY store (i.e. Personal Store) on a computer level. The CA that issued the certificate is in the trusted root.

Then right after it goes to a matter of seconds on each attempt. Then if you wait like 30 minutes and try again it will take over a minute.

What could cause such a dramatic delay and is there anything that can be done about it? Especially for the first time in many minutes?


Any information would be greatly appreciated.
Question by:davism
5 Comments
Accepted Solution by: Daniel Van Der Werken (LVL 20, earned 1600 total points)
ID: 40247799
Your certificate is probably set up to check against an external server.
http://technet.microsoft.com/en-us/library/cc776447(v=ws.10).aspx

Note:
When a third-party revocation provider supporting OCSP has been registered, an OCSP responder will be used for certificate status checking; in this case, the process is slightly modified.
Verify that the response indicates the certificate is valid. A valid response indicates that the certificate has not been revoked.

Verify the signature on the OCSP response. This activity includes developing and processing a path that establishes that the certificate issuer or a trust point trusted the responder for the express purpose of issuing responses.

Neither Windows XP nor Windows 2000 contains an OCSP client component by default. However, a third-party OCSP client can be installed as a revocation provider to CryptoAPI. OCSP responders can be located by using the AIA extension in the certificate as defined by RFC 2459. The Windows Server 2003 CA supports the OCSP responder location to be included in the AIA extension of certificates. Multiple revocation providers can be added to CryptoAPI depending on revocation requirements. For additional information about revocation providers, see the Platform SDK on MSDN.
No matter what process is used to verify certificate validity, if the status check fails any of the above checks for any certificate in the certificate chain, the certificate chain will be rejected.

As a result, it goes out on the wire to check every time it's used.
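An added diagnostic, not from the thread, that puts the accepted answer's supposition to the test and bears on the later question about bypassing the check: it prints the certificate's CRL and OCSP URLs and times X509Chain.Build under each revocation mode for a certificate in the machine's Personal store. The subject filter is a placeholder, not a value from the thread.

```powershell
# Added diagnostic (not from the original thread). Assumes a certificate in
# LocalMachine\My whose Subject contains the placeholder "CN=service.example.test".
$subjectFilter = 'CN=service.example.test'   # placeholder, adjust to your cert

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subjectFilter*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$subjectFilter' in LocalMachine\My" }

# Where the chain engine goes on the wire: CRL Distribution Points (2.5.29.31) and
# Authority Information Access (1.3.6.1.5.5.7.1.1), which carries the OCSP responder URL.
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        Write-Host ("{0}:`n  {1}" -f $ext.Oid.FriendlyName, $ext.Format($true).Trim())
    }
}

# Build the chain under one revocation mode and report how long it took and why
# (ChainStatus lists RevocationStatusUnknown / OfflineRevocation when no data was reachable).
function Measure-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($Certificate)
    $sw.Stop()

    [pscustomobject]@{
        Mode    = $Mode
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Valid   = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Online fetches CRL/OCSP data, Offline uses only what CryptoAPI has cached,
# NoCheck skips revocation entirely. A large Online-vs-NoCheck gap is the network fetch.
'Online', 'Offline', 'NoCheck' | ForEach-Object {
    Measure-ChainBuild -Certificate $cert -Mode $_
} | Format-Table -AutoSize
```

Online taking far longer than NoCheck confirms the fetch is the cost, and `RevocationStatusUnknown, OfflineRevocation` under Offline means no cached response was available, which is consistent with the slow first call and fast retries described above. In WCF the equivalent setting is the `revocationMode` attribute on the `<authentication>` element under `<serviceCredentials><clientCertificate>`: Offline keeps checking against cached data, NoCheck removes revocation checking altogether.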
Author Comment by: davism (LVL 1)
ID: 40247813
Sorry, I should have clarified, this web service is being run on a Windows 2008 R2 Server under IIS 7.5.

That said, would this still apply and is there any way of stopping the check? And is it a good idea to stop the check?
Expert Comment by: Daniel Van Der Werken (LVL 20)
ID: 40254675
I would think that stopping the check is a good idea. You would need to confirm that my supposition is in fact what's happening first. The server and version of IIS shouldn't matter.
Author Comment by: davism (LVL 1)
ID: 40254753
Help me understand. How is that a good idea to bypass the CRL check? Would one not want to know about a cert revocation?
Author Closing Comment by: davism (LVL 1)
ID: 40323394
The issue was related to the certificate revocation checking.

Thanks for the information and greatly appreciated.