The server I'm connecting to has recently changed the SSL certificate. Since the change, SSL authentication takes more than ten seconds to complete the download of the certificate revocation list.
I use RemoteCertificateChainCallback to verify the certificate, however, a delay occurs BEFORE the callback is called, so this is not creating a certificate chain or any other action that causes a delay
The problem arises only when the CRL is not CACHED, that is, I need to delete the CRL cache (Documents & settings / [user] AppData / Microsoft / CertificateUrlCache or something like that) to replay it more than once in one day.
If I turn off CRL checking in an AuthenticateAsClient () call, authentication is fast.
Using a network sniffer, I see that when the CRL is eventually requested, it loads almost instantly, so the delay is not a network delay (at least not for the CRL server).
One strange thing that I see with the network sniffer is that after the initial receipt of the SSL certificate from the server, there is a delay of five seconds before the CRL ** is downloaded.
Does anyone have any suggestions as to what might happen at this stage and what might be caused by the delay?
Thanks!
UPDATE: Well, I used a reflector and a memory profiler to delve into. AuthenticateAsClient. It seems that most of the time is spent creating a chain of certificates , that is:
if (!CAPISafe.CertGetCertificateChain(hChainEngine, pCertContext, ref pTime, invalidHandle, ref cert_chain_para, dwFlags, IntPtr.Zero, ref ppChainContext))
If I do not request a CRL check, it returns almost instantly, with CRL check enabled, about 4 seconds.
I suspect I will see the same delay if I manually try to chain in my RemoteCertificateValidationCallback.
This would not be a problem if the CRL were cached, however this caching does not seem to work on the Windows7 client. What for?? Well, I think the next task ...
Can someone explain what chain construction can take so long?