
Re: Secure repository access (https) plus Windows Seven CRL plus proxy equals slow authentication!

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Thu, 29 Sep 2011 18:34:25 +0200

On 29.09.2011 17:55, Davi Anabuki wrote:
> Hi Stefan!
>
> I really agree with you, on the sense that the CRL must be checked
> periodically... Though I would prefer that Windows would download it as
> a Windows Update... I would never really know what was happening if it
> wasn't for a helpful post on this list...
>
> But, I would be really thankful if you could clarify a small doubt...
> Usually, with SSL connections in Firefox, it would say that a self-signed
> certificate is invalid, and it would present me with the option of either
> refusing or accepting the certificate. Once accepted, it would only ask
> me again if the certificate expired...
> So, with Windows, it tries to download the CRL every time an SSL
> connection is made?

That's not the same thing: if a cert is self-signed, TSVN will ask you
to accept it as well and not ask again if you accept it permanently.

The CRL is something different: that list contains blocked certificates
(if you read the news lately, you'll know that there were hacked certs
used for google.com and others, which were then added to the CRL even
though the certificates were valid).
So if you do not have a local CRL installed, Windows will try to fetch a
CRL for every connection until it has such a list locally.

"CRL Retrieval Timeout Thresholds

If the client is able to resolve the hostname in the URL reference but
no CRL is physically available, the client will attempt to download the
CRL for the default threshold of 10 seconds. Windows 2000 with MS04-11,
Windows XP, and Windows Server 2003 provide programmatic enhancements in
reducing the timeout threshold as well as CRL unavailability detection.

The first CDP location is given a maximum of 10 seconds to succeed.
Subsequent CDP locations each will use a maximum of one half of the
remaining time to retrieve a specific CRL object before continuing to
the next location. Each location download is attempted in sequential
order. If CryptoAPI is unable to retrieve a CRL for any reason during
the allotted maximum timeout interval, such as invalid path or access
denied, an error of “revocation offline” will be returned to the
application."

> By the way that Tortoise behaves, I am inclined to believe that it tries
> to download the CRL with every connection that it makes... Would you know
> if there is a way to configure the options for the CRL download? Do you
> know if Windows presents any way to show advanced configurations?
>
> The point is, being behind a firewall, Windows is unable to download the
> CRL... I would need to set up Windows in a way that it would connect
> through our proxy, or at least manually download its CRL... Though I am
> in a pinch, not even knowing if there is a way to configure Windows CRL
> handling... =/

You can search the web for "CAPI certificate revocation list check".

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
Received on 2011-09-29 18:34:40 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
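As an added example that is not part of this thread, the PowerShell script below reproduces the check Windows performs for an HTTPS server certificate: it builds the chain with online revocation checking and the 10-second retrieval threshold quoted above, then reports whether CryptoAPI came back with "revocation offline". The certificate path is a placeholder; run it on the machine behind the proxy to see whether the CRL distribution point is reachable from there.

```powershell
# Added diagnostic (not TortoiseSVN code). Export the server certificate
# (e.g. from the browser) to the placeholder path below before running.
param(
    [string]$CertPath = 'C:\temp\server.cer',   # placeholder path
    [int]$TimeoutSeconds = 10                    # default threshold quoted in the thread
)

$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Show the CRL Distribution Points (extension OID 2.5.29.31) the cert advertises;
# these are the URLs CryptoAPI tries, in order, when no CRL is cached locally.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CRL Distribution Points:`n" + $cdp.Format($true) }
else      { "Certificate carries no CRL Distribution Point extension." }

$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

# Time the build: a result close to the timeout with an offline-revocation
# status is the "slow authentication" symptom described in the thread.
$sw = [Diagnostics.Stopwatch]::StartNew()
$ok = $chain.Build($cert)
$sw.Stop()
"Chain build took {0:N1} s, trusted: {1}" -f $sw.Elapsed.TotalSeconds, $ok

foreach ($s in $chain.ChainStatus) {
    "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

$offline = [Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation
$unknown = [Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
$crlFailed = $chain.ChainStatus | Where-Object { $_.Status -band ($offline -bor $unknown) }

if ($crlFailed) {
    "CRL retrieval failed. Check the machine proxy (netsh winhttp show proxy)"
    "or import the CRL locally; cached CRLs are listed by: certutil -urlcache crl"
} else {
    "CRL retrieved or already cached; revocation status is known."
}
```

The chain builds as the current user, so a proxy configured only for the user's browser but not for WinHTTP can show up here as a CRL failure while Firefox works fine.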
