
Re: Secure repository access (https) plus Windows Seven CRL plus proxy equals slow authentication!

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Thu, 29 Sep 2011 15:19:46 +0200

On Wed, Sep 28, 2011 at 22:19, Davi Anabuki <listas_at_anabuki.com.br> wrote:
> Hi!
>
> I had quite a lot of trouble identifying a problem that I had with
> TortoiseSVN...
> Basically, if I accessed the repository using HTTP, it would work ok...
> However, at the moment that I switched to HTTPS, Tortoise would take
> up to 20 seconds before executing any operation (update, commit,
> show log...).
>
> After a long struggle, I found out that the problem is because Windows
> Seven, whenever the user tries to connect with https, tries to connect
> to WindowsUpdate's server, trying to download a new CRL (Certificate
> Revocation List)... However, I am working behind a proxy, and the
> request had to time out before Tortoise began to work... So, every
> action would imply a 15-20 second delay!
>
> If I disable the CRL update (via Windows Group Policy), everything will
> work just fine... However, if any application actually needs to download
> the CRL, it won't download...
>
> My question is if this happens by design, or if this should not happen...
> And, also, if there is a different way to stop Tortoise's check for new
> CRLs (all repositories' server certificates that we use are self-generated,
> so there is no need for this check, anyway...)

This happens of course by design. Not checking the CRL would be a
security vulnerability.
Pre-Win7 the CRL was stored and checked locally and had to be updated
manually. Win7 and later however use a CRL from MS that's
automatically downloaded and updated. Whenever a new certificate is
encountered, the CRL is checked immediately. For existing
certificates, the CRL is checked periodically. But of course if you
never checked the CRL, it will try every time.

So if you prevent Win7 from accessing the CRL, you have to configure
it to stop trying.
That's how you have to do it. No way around it.

And yes: that's by design. If you want to reduce security, you should
have to do some work and it shouldn't be easy to do.

Stefan

-- 
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2847787
Received on 2011-09-29 15:22:24 CEST
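The exchange above leaves the reader to guess whether a slow HTTPS connection is really the Windows revocation check stalling behind the proxy. The script below is an added diagnostic, not from this thread and not TortoiseSVN's own code: it builds the Windows certificate chain for an exported server certificate twice, once with revocation checking disabled and once with online checking, and reports how long each build took and what the chain status was. It assumes the server certificate has been exported to C:\temp\server.cer (a hypothetical path); any DER or Base64 .cer file will do.

```powershell
# Added example (not from the original thread or from TortoiseSVN).
# Compares Windows chain building with and without online revocation
# checking. A large time difference between the two runs means the
# delay is CRL retrieval (for example a proxy time-out), not the TLS
# handshake or the SVN client itself.

$certPath = 'C:\temp\server.cer'   # assumption: exported server certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Show where Windows would try to fetch a CRL from, if the certificate says so.
Write-Host "Subject: $($cert.Subject)"
$cdp = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'CRL Distribution Points' }
if ($cdp) {
    Write-Host "CRL Distribution Points:"
    $cdp | ForEach-Object { Write-Host $_.Format($true) }
} else {
    Write-Host "No CRL Distribution Points extension: there is no CRL URL to fetch."
}

function Measure-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Bound the network retrieval so the measurement itself cannot hang for minutes.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($Certificate)
    $sw.Stop()

    [pscustomobject]@{
        Mode    = $Mode
        Valid   = $ok
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Run the no-network case first so a cached CRL cannot mask the second run.
Measure-ChainBuild -Certificate $cert -Mode NoCheck
Measure-ChainBuild -Certificate $cert -Mode Online
```

If the Online run takes roughly the proxy time-out longer than the NoCheck run and its Status shows RevocationStatusUnknown or OfflineRevocation, the revocation fetch is the stall described in the thread. If the certificate has no CRL Distribution Points extension at all (common for self-generated certificates), Online mode has nothing to download: it will still report RevocationStatusUnknown, but without a delay, and a remaining slowdown must come from somewhere else. The same information, with every URL Windows actually retrieves, is available from the built-in `certutil -verify -urlfetch C:\temp\server.cer`.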

This is an archived mail posted to the TortoiseSVN Users mailing list.
