
Re: Secure repository access (https) plus Windows Seven CRL plus proxy equals slow authentication!

From: Davi Anabuki <listas_at_anabuki.com.br>
Date: Thu, 29 Sep 2011 12:55:25 -0300

Hi Stefan!

I really agree with you, in the sense that the CRL must be checked
periodically...
Though I would prefer that Windows would download it as a Windows
Update... I would never really know what was happening if it wasn't for
a helpful post on this list...

But, I would be really thankful if you could clarify a small doubt...
Usually, with SSL connections in Firefox, it would say that a
self-signed certificate is invalid, and it would present me with the
option of either refusing or accepting the certificate. Once accepted,
it would only ask me again if the certificate expired...
So, with Windows, it tries to download the CRL every time an SSL
connection is made?
By the way that Tortoise behaves, I am inclined to believe that it tries
to download the CRL with every connection that it makes... Would you
know if there is a way to configure the options for the CRL download?
Do you know if Windows presents any way to show advanced configurations?

The point is, being behind a firewall, Windows is unable to download the
CRL...
I would need to set up Windows in a way that it would connect through
our proxy, or at least manually download its CRL... Though I am in a
pinch, not even knowing if there is a way to configure Windows CRL
handling... =/

Thanks in advance for any help... =)
Davi Anabuki.

2011/9/29 Stefan Küng <tortoisesvn_at_gmail.com>

> On Wed, Sep 28, 2011 at 22:19, Davi Anabuki <listas_at_anabuki.com.br> wrote:
> > Hi!
> >
> > I had quite a lot of trouble identifying a problem that I had with
> > TortoiseSVN...
> > Basically, if I accessed the repository using HTTP, it would work ok...
> > However, at the moment that I switched to HTTPS, Tortoise would take
> > up to 20 seconds before executing any operation (update, commit,
> > show log...).
> >
> > After a long struggle, I found out that the problem is because Windows
> > Seven, whenever the user tries to connect with https, tries to connect
> > to WindowsUpdate's server, trying to download a new CRL (Certificate
> > Revocation List)... However, I am working behind a proxy, and the
> > request had to time out before Tortoise began to work... So, every
> > action would imply a 15-20 second delay!
> >
> > If I disable the CRL update (via Windows Group Policy), everything will
> > work just fine... However, if any application actually needs to download
> > the CRL, it won't download...
> >
> > My question is if this happens by design, or if this should not happen...
> > And, also, if there is a different way to stop Tortoise's check for new
> > CRLs (all repositories' server certificates that we use are
> > self-generated, so there is no need for this check, anyway...)
>
>
> This happens of course by design. Not checking the CRL would be a
> security vulnerability.
> Pre-Win7 the CRL was stored and checked locally and had to be updated
> manually. Win7 and later however use a CRL from MS that's
> automatically downloaded and updated. Whenever a new certificate is
> encountered, the CRL is checked immediately. For existing
> certificates, the CRL is checked periodically. But of course if you
> never checked the CRL, it will try every time.
>
> So if you prevent Win7 from accessing the CRL, you have to configure
> it from trying it.
> That's how you have to do it. No way around it.
>
> And yes: that's by design. If you want to reduce security, you should
> have to do some work and it shouldn't be easy to do.
>
> Stefan
>
> --
> ___
> oo // \\ "De Chelonian Mobile"
> (_,\/ \_/ \ TortoiseSVN
> \ \_/_\_/> The coolest Interface to (Sub)Version Control
> /_/ \_\ http://tortoisesvn.net
>

Received on 2011-09-29 17:55:31 CEST
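
The following is an added example, not part of the archived mail and not TortoiseSVN code: a PowerShell check that times Windows certificate chain validation for one certificate under each revocation mode, to confirm whether revocation retrieval is what stalls behind the proxy. The function name `Measure-ChainBuild` and the default `$CertPath` are placeholders; it assumes the server certificate has been exported to a `.cer` file.

```powershell
# Added diagnostic example (not from the thread).
# Assumption: the repository server's certificate was exported to this file.
param([string]$CertPath = 'C:\temp\svn-server.cer')   # placeholder path

function Measure-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode,
        [int]$TimeoutSeconds = 30
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online = fetch revocation data over the network, Offline = cached data only,
    # NoCheck = skip revocation checking entirely.
    $chain.ChainPolicy.RevocationMode = $Mode
    # Upper bound on how long Windows may spend retrieving URLs for this build.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $valid = $chain.Build($Certificate)
    $timer.Stop()

    New-Object PSObject -Property @{
        Mode    = $Mode
        Valid   = $valid
        Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 2)
        # e.g. RevocationStatusUnknown / OfflineRevocation when the fetch failed
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Show the CRL distribution points (OID 2.5.29.31) the certificate carries, if any.
$cert.Extensions |
    Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
    ForEach-Object { $_.Format($true) }

# Time the same validation under each revocation mode.
'Online', 'Offline', 'NoCheck' |
    ForEach-Object { Measure-ChainBuild -Certificate $cert -Mode $_ } |
    Format-Table Mode, Valid, Seconds, Status -AutoSize
```

If `Online` takes about as long as the delay seen in the client while `NoCheck` returns at once, the time is going to revocation retrieval; if all three modes are equally slow, the stall is elsewhere in chain building. Windows caches retrieval results, so repeat runs can be faster than the first.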

This is an archived mail posted to the TortoiseSVN Users mailing list.
