IE going very slow if the certificate isn't valid.

Guest

I just started having a strange problem with IE 6. I have an apache server
on my local network running SSL. When I use IE to connect to the secure port
a message pops up saying the certificate isn't valid. (as expected) I say
continue and keep going.

The problem is if the XP box has the internet dialed up at the same time,
things are VERY slow (like minutes for the dialog box asking if I want to
accept the certificate)...

I went ahead and imported the CA that I used to sign the certificate into IE,
and now everything works at normal speed. (no pop up box either, as expected)

The problem is I don't want to have to import a CA for every computer that
uses this service. I just want the user to accept the certificate and
continue. That is the way it was working up until today. Nothing on my
server has changed. So the only thing I can think of is that IE was updated
in the last day or so from a windows update, and maybe something got applied
in there.

I also have an application that uses the httpWebRequest function, along with
a ServicePointManager.CertificatePolicy to ignore certificate issues (not
signed by a known CA)... it also is impacted by this. It runs fine as long
as the XP box isn't connected to the internet; it is able to talk to the
Apache web server through SSL just fine. If I bring up the internet on the XP
box, it starts timing out because the connection is so slow.

Any help would be appreciated.

Thanks,
David Galbraith
dgalb at swcp dot com
 
Jon Kennedy

Having this setting in Internet Options...Advanced...Security checked is
notorious for slowing things down in this area: "Check for server
certificate revocation (requires restart)"
 
Guest

Checked that, and it isn't the problem. The big key to me is that the
application I have written and have been using for a month or so, stopped
being able to get to the server, and it uses a Certificate Policy to override
any Certificate issues.. so it shouldn't care at all about what IE says in
regard to certificates (I assume it still uses the IE engine to pull the data
down, but IE is supposed to use the certificate policy I created and ignore
the certificate problems).

That program was working until yesterday. I can only guess that something
got updated on my XP box, or ... I managed to get some sort of spy-ware or
what not installed. I'm going to search for that next.

Another thing of note, the XP box shares the internet connection, so maybe
it's a strange interaction with that. It's almost like it is trying to send
the data out the dialup internet connection and then sends it to the local
network... I'm thinking of taking my XP box to another location that has a
full time internet connection and seeing if it still has the problem.

I'll keep y'all posted on the results.

-d.
 
Guest

I know this is an old posting, but I'm following up on it so maybe it can
help somebody else who runs into this problem.

The problem went away, then came back then went away, then came back.. I
could find no "reason" for it... until I started thinking, that timeout looks
like a DNS timeout... so I started digging... Had to put a sniffer on the
network to find the problem...

Turns out here are the conditions that set the problem up:

1. You have a Router on your network that is the DHCP server but it doesn't
have a WAN connection (or the WAN is down). The router gives out its own IP
as the DHCP server to the DHCP clients. (windows box in particular)... Or
your DNS entries on your windows box are unreachable at the time.

2. You attempt to look at a website that has a certificate that isn't signed
by any "known CA".

What happens:

Windows tries to go to download.windowsupdate.microsoft.com; in particular it
tries to get the address of that. Since your DNS entry on the Windows box
says go to the Router, it sends the request there. The router can't send it
anywhere (WAN is down or non-existent) so it "times-out".

Unfortunately this timeout can take 10-15 seconds.

Why does Windows try to do this? I'm guessing it wants to see if for some
reason there is a new list of CAs and the one that signed this auth is
valid...

Not that this will go anywhere, but I recommend that MS does not do this
check if the CA was signed by a named authority of 127.0.0.1 (which most
self-signed certificates seem to default to).

This would stop the issue... Anyway.. I can find no fix for it, so I have
bumped the timeout on my software to deal with the issue...

Laters,
-d.
dgalb (at) swcp dot com.
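The sniffer check described in the post above, as an added example that is not the poster's code: a Python triage script that reads tcpdump-style DNS lines (a constructed sample with assumed addresses, 192.168.1.10 as the Windows box and 192.168.1.1 as the router) and reports names that were queried, retried, and never answered, together with how long the stall lasted.

```python
import re

# Constructed tcpdump-style sample with assumed addresses, not a real capture:
# the Windows box (192.168.1.10) asks the router (192.168.1.1) for the
# root-update host three times and never hears back; a lookup for the local
# server is answered within 10 ms.
SAMPLE_CAPTURE = """\
10:00:00.000 IP 192.168.1.10.1025 > 192.168.1.1.53: 1+ A? download.windowsupdate.microsoft.com.
10:00:05.001 IP 192.168.1.10.1025 > 192.168.1.1.53: 1+ A? download.windowsupdate.microsoft.com.
10:00:15.002 IP 192.168.1.10.1025 > 192.168.1.1.53: 1+ A? download.windowsupdate.microsoft.com.
10:00:15.100 IP 192.168.1.10.1026 > 192.168.1.1.53: 2+ A? intranet.example.local.
10:00:15.110 IP 192.168.1.1.53 > 192.168.1.10.1026: 2 1/0/0 A 192.168.1.20
"""

# Timestamp, endpoints, DNS transaction id ('+' = query, recursion desired),
# then either the queried name or the answer.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \S+ > \S+: (\d+)(\+?) (.*)$")
NAME_RE = re.compile(r"A\? (\S+?)\.?$")


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def unanswered_lookups(capture, min_stall=5.0):
    """Map each name that was queried but never answered to the number of
    queries sent and the seconds between the first and the last retry,
    keeping only stalls of at least min_stall seconds."""
    queries, answered = {}, set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, txid, is_query, rest = m.groups()
        if not is_query:
            answered.add(txid)
            continue
        name = NAME_RE.search(rest)
        if name:
            queries.setdefault(txid, (name.group(1), []))[1].append(to_seconds(ts))
    result = {}
    for txid, (name, stamps) in queries.items():
        stall = round(stamps[-1] - stamps[0], 3)
        if txid not in answered and stall >= min_stall:
            result[name] = {"queries": len(stamps), "stall_s": stall}
    return result
```

Run over a real text dump from the sniffer, a hit on the root-update host with a multi-second stall confirms this DNS-timeout case rather than a slow TLS handshake on the Apache side.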