 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / March 2007SslSteam causes spurious http connection attempts
Hello, Problem: SslStream seems to try to open http connections to various machines on the internet unrelated to the address of the SSL server requested. This fails for machines not connected to the internet and causes delays. Details: I am using the SslStream class to create an SSL connection to a server program written by a partner of ours. The server is actually running on the same machine as the client. The connection uses the address 127.0.0.1. The machine in question has no connection to the internet. When the client calls AuthenticateAsClient, there is sometimes a delay of 15 seconds (detailed here http://tinyurl.com/yskvum) sometimes there is not. Looking at the network traffic with Wireshark I see that each time there is a delay there are three attempted http requests at the same time as the call to AuthenticateAsClient. When there is a delay, they are there, when they are not there, neither is the delay. I also tried connecting the machine up to the internet, the request is there (it succeeds) and there is no delay. Once the http connection succeeds, it is never retried again. The addresses targeted by these requests vary each time I run the client. They are public addresses on the internet. I have done whois lookups on the IP addresses, they are registered to Microsoft, or various other companies) Here are some of examples: 207.46.212.28 64.62.216.41 62.41.80.48 Questions: Does anyone know what these http connection attempts might be? How can I tell SslStream not to do that, or at least to fail quickly? Thank you. Hello, I would guess that the SslStream is checking the revocation status of the remote certificate. Call the AuthenticateAsClient with the public virtual void AuthenticateAsClient ( string targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, bool checkCertificateRevocation ) overload and set the checkCertificateRevocation to false. Best regards, Henning Krause > Hello, > [quoted text clipped - 33 lines] > > Thank you. On Mar 27, 4:06 pm, "Henning Krause [MVP - Exchange]" <newsgroups_rem...@this.infinitec.de> wrote: > I would guess that the SslStream is checking the revocation status of the > remote certificate. That is what I thought too. This is what I am doing currently: TcpClient client = new TcpClient("127.0.0.1", 50051); SslStream ssl = new SslStream(client.GetStream(), false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null); ssl.AuthenticateAsClient("", null, System.Security.Authentication.SslProtocols.Ssl3, false); My ValidateServerCertificate does simply: return true; So it really should not be checking the revocation list... (I guess that it is possible that it is the SSL server doing the check...) Thanks for your help In fact, now that I check the docs again, the default (when you just pass it the hostname string) is for it not to check the revocation list: http://msdn2.microsoft.com/en-us/library/ms145060.aspx If my memory serves me right, the behavior might be expected. First, validation of the certificate may require the download of certificates of the parent authorities. Second, as it was correctly mentioned, validating the cert includes checking its revocation list. And I would really *not* recommend to drop this check, since without it you still will be able to connect say to a phishing site after its certificate was revoked by the issuing authority. It's a question though why the verification takes that long. Although the delays like that might be rarely expected, those should not be common. I would suspect there is something wrong either with the network, or with the cert you provide, but honestly have no really deep thoughts on that. Thanks, Eugene V. Bobukh > On Mar 27, 4:06 pm, "Henning Krause [MVP - Exchange]" > <newsgroups_rem...@this.infinitec.de> wrote: [quoted text clipped - 15 lines] > > Thanks for your help Thanks for your thoughts Eugene, I understand where you are coming from with your suggestions about not dropping the revocation check. However, as the machines involved are not actually connected to the internet there is no possible way at all for these requests to succeed. The system uses a self signed certificate (certified by a self signed root certificate) entirely on the local network only. I know this is perhaps not the recommended setup, but surely it should be possible to make an SSL connection between two machines not connect to the internet. I have told it not to check the revocation list, I do not do anything with the certificate in either of the two available callbacks. I do not read anywhere in the SslSteam (etc.) docs that for the connection to work the machines have to have an open route to the internet via port 80. Indeed, the request does not fail - it just takes 15 seconds some times. I see three SYN packets try to get out on port 80 each time there is the 15 seconds delay. Each of these SYN packets happen at an interval of about 5 seconds. 5 * 3 = 15. Thanks. Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.