在 Windows 上禁用应用程序的证书吊销检查 [英] Disabling certificate revocation checking for an application on Windows
问题描述
我有一个 .NET 3.5 桌面应用程序,每当它所在的测试机器不在办公室时,它的功能就会周期性地变慢.
我设法在没有互联网连接的情况下在办公室的一台机器上复制了错误,但只有当我使用 ANTS 性能分析器时,我才能更清楚地了解正在发生的事情.
I have a .NET 3.5 desktop application that had been showing periodic slow downs in functionality whenever the test machine it was on was out of the office.
I managed to replicate the error on a machine in the office without an internet connection, but it was only when i used ANTS performance profiler that i got a clearer picture of what was going on.
在 ANTS 中,我看到等待同步"最多需要 16 秒,这与当 NHibernate 尝试加载 System.Data.SqlServerCE.dll 程序集时在应用程序中看到的延迟相对应.
如果我立即再次尝试该操作,它将立即生效,但如果我将其放置 5 分钟,则下次尝试再次加载时会很慢.
In ANTS I saw a "Waiting for synchronization" taking up to 16 seconds that corresponded to the delay I could see in the application when NHibernate tried to load the System.Data.SqlServerCE.dll assembly.
If I tried the action again immediately it would work with no delay but if I left it for 5 minutes then it would be slow to load again the next time I tried it.
从我目前的研究来看,这似乎是因为 SqlServerCE dll 已签名,因此系统正在尝试连接以获取证书吊销列表和超时.
禁用 Internet 选项 LAN 设置中的自动检测设置"设置可以解决问题,禁用检查发布者证书吊销"也是如此.
但是,将部署此应用程序的管理员不会对在每台机器或每个用户的基础上禁用证书检查的想法感到满意,因此我真的需要让 CRL 检查的应用程序级别禁用工作.
From my research so far it appears to be because the SqlServerCE dll is signed and so the system is trying to connect to get the certificate revocation lists and timing out.
Disabling the "Automatically detect settings" setting in the Internet Options LAN settings makes the problem go away, as does disabling the "Check for publishers certificate revocation".
But the admins where this application will be deployed are not going to be happy with the idea of disabling certificate checking on a per machine or per user basis so I really need to get the application level disabling of the CRL check working.
.net 2.0 中有详细记录的错误,它描述了这种行为,并通过配置文件元素提供了可能的修复.
There is the well documented bug in .net 2.0 which describes this behaviour, and offers a possible fix with a config file element.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<runtime>
<generatePublisherEvidence enabled="false"/>
</runtime>
</configuration>
这不对我有用,但是即使我使用的是 .net 3.5.
NHibernate 正在动态加载 SQLServerCE dll,我想知道它是动态的这一事实是否可能是设置不起作用的原因,但我不知道如何检查.
This is NOT working for me however even though I am using .net 3.5.
The SQLServerCE dll is being loaded dynamically by NHibernate and I wonder if the fact that it's dynamic could somehow be why the setting isn't working, but I don't know how I could check that.
任何人都可以提供有关为什么配置设置可能不起作用的建议吗?
或者是否有另一种方法可以在应用程序级别禁用检查,也许是 CAS 策略设置,我可以使用它在安装应用程序时为其设置例外?
或者我可以在应用程序中更改某些内容以提高信任级别或类似的内容吗?
Can anyone offer suggestions as to why the config setting might not work?
Or is there another way I could disable the check at the application level, perhaps a CAS policy setting that I can use to set an exception for the application when it's installed?
Or is there something I can change in the application to up the trust level or something like that?
推荐答案
如果要检查每个应用程序的吊销列表,可以在代码中指定:
You can specify in code if you want to check the revocation list per application:
ServicePointManager.CheckCertificateRevocationList = false;
这篇关于在 Windows 上禁用应用程序的证书吊销检查的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
