在Windows上禁用对应用程序的证书吊销检查 [英] Disabling certificate revocation checking for an application on Windows

问题描述

我有一个.NET 3.5桌面应用程序，当它的测试机是在办公室时，已经显示定期的功能减速。

我设法在一台机器上复制错误办公室没有互联网连接，但只有当我使用ANTS性能分析器，我有一个更清晰的图片，看到发生了什么。

在ANTS中，我看到一个等待同步花费了16秒，对应于我可以看到在应用程序中NHibernate试图加载System.Data .SqlServerCE.dll程序集。

如果我立即尝试该操作，它会工作，没有延迟，但如果我离开了5分钟，那么下次我尝试加载会很慢。 / p>

从我的研究到目前为止，似乎是因为SqlServerCE dll是有签名的，所以系统试图连接获取证书撤销列表和超时。

禁用Internet选项LAN设置中的自动检测设置设置会导致问题消失，同时禁用检查发布者证书撤销。

但是，此应用程序的管理员被部署不会满意对每个机器或每个用户禁用证书检查的想法，所以我真的需要让应用程序级别禁用CRL检查工作。

.net 2.0中有一个很好的文档描述了这种行为，并提供了一个可能的修复配置文件元素。

 <？xml version =1.0encoding =utf-8？> 
< configuration> 
< runtime> 
< generatePublisherEvidence enabled =false/> 
< / runtime> 
< / configuration> 
  

这是不为我工作，尽管我使用.net 3.5。

SQLServerCE dll正由NHibernate动态加载，我不知道它的动态的事实可能是为什么设置不工作，但我不知道如何检查。

任何人都可以提供有关为什么配置设置可能不起作用的建议？

或者还有另一种方法可以禁用应用程序级别的检查，也许是一个CAS策略设置，我可以用它来为应用程序安装时设置一个异常？

或者有什么我可以在应用程序中更改信任级别或类似的东西？ p>

解决方案

您可以在代码中指定是否要检查每个应用程序的撤销列表：

  ServicePointManager.CheckCertificateRevocationList = false; 
  

I have a .NET 3.5 desktop application that had been showing periodic slow downs in functionality whenever the test machine it was on was out of the office.
I managed to replicate the error on a machine in the office without an internet connection, but it was only when i used ANTS performance profiler that i got a clearer picture of what was going on.

In ANTS I saw a "Waiting for synchronization" taking up to 16 seconds that corresponded to the delay I could see in the application when NHibernate tried to load the System.Data.SqlServerCE.dll assembly.
If I tried the action again immediately it would work with no delay but if I left it for 5 minutes then it would be slow to load again the next time I tried it.

From my research so far it appears to be because the SqlServerCE dll is signed and so the system is trying to connect to get the certificate revocation lists and timing out.
Disabling the "Automatically detect settings" setting in the Internet Options LAN settings makes the problem go away, as does disabling the "Check for publishers certificate revocation".
But the admins where this application will be deployed are not going to be happy with the idea of disabling certificate checking on a per machine or per user basis so I really need to get the application level disabling of the CRL check working.

There is the well documented bug in .net 2.0 which describes this behaviour, and offers a possible fix with a config file element.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <runtime>
        <generatePublisherEvidence enabled="false"/>
    </runtime>
</configuration>

This is NOT working for me however even though I am using .net 3.5.
The SQLServerCE dll is being loaded dynamically by NHibernate and I wonder if the fact that it's dynamic could somehow be why the setting isn't working, but I don't know how I could check that.

Can anyone offer suggestions as to why the config setting might not work?
Or is there another way I could disable the check at the application level, perhaps a CAS policy setting that I can use to set an exception for the application when it's installed?
Or is there something I can change in the application to up the trust level or something like that?

解决方案

You can specify in code if you want to check the revocation list per application:

ServicePointManager.CheckCertificateRevocationList = false;

这篇关于在Windows上禁用对应用程序的证书吊销检查的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！