HighTechTalks DotNet Forums  

SslStream causes spurious http connection attempts

Dotnet Security microsoft.public.dotnet.security

#1
davidkclark

SslStream causes spurious http connection attempts - 03-27-2007, 03:57 PM

Hello,

Problem:
SslStream seems to try to open http connections to various machines on
the internet unrelated to the address of the SSL server requested.
This fails for machines not connected to the internet and causes
delays.

Details:
I am using the SslStream class to create an SSL connection to a server
program written by a partner of ours. The server is actually running
on the same machine as the client. The connection uses the address
127.0.0.1. The machine in question has no connection to the internet.

When the client calls AuthenticateAsClient, there is sometimes a delay
of 15 seconds (detailed here http://tinyurl.com/yskvum) sometimes
there is not. Looking at the network traffic with Wireshark I see that
each time there is a delay there are three attempted http requests at
the same time as the call to AuthenticateAsClient. When there is a
delay, they are there, when they are not there, neither is the delay.
I also tried connecting the machine up to the internet, the request is
there (it succeeds) and there is no delay. Once the http connection
succeeds, it is never retried again.

The addresses targeted by these requests vary each time I run the
client. They are public addresses on the internet. I have done whois
lookups on the IP addresses; they are registered to Microsoft or
various other companies. Here are some examples:
207.46.212.28
64.62.216.41
62.41.80.48

Questions:
Does anyone know what these http connection attempts might be?
How can I tell SslStream not to do that, or at least to fail quickly?

Thank you.


#2
Henning Krause [MVP - Exchange]

Re: SslStream causes spurious http connection attempts - 03-27-2007, 04:06 PM

Hello,

I would guess that the SslStream is checking the revocation status of the
remote certificate.

Call the AuthenticateAsClient with the

public virtual void AuthenticateAsClient (
string targetHost,
X509CertificateCollection clientCertificates,
SslProtocols enabledSslProtocols,
bool checkCertificateRevocation
)

overload and set the checkCertificateRevocation to false.

Best regards,
Henning Krause

#3
davidkclark

Re: SslStream causes spurious http connection attempts - 03-27-2007, 04:46 PM

On Mar 27, 4:06 pm, "Henning Krause [MVP - Exchange]"
<newsgroups_rem... (AT) this (DOT) infinitec.de> wrote:
Quote:
I would guess that the SslStream is checking the revocation status of the
remote certificate.

That is what I thought too. This is what I am doing currently:

TcpClient client = new TcpClient("127.0.0.1", 50051);
SslStream ssl = new SslStream(client.GetStream(), false,
    new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
ssl.AuthenticateAsClient("", null,
    System.Security.Authentication.SslProtocols.Ssl3, false);

My ValidateServerCertificate does simply: return true;

So it really should not be checking the revocation list... (I guess
that it is possible that it is the SSL server doing the check...)

Thanks for your help



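The snippet above hands SslStream a callback that returns true, which accepts any certificate from whatever is listening on 127.0.0.1, while the revocation flag is already false. Below is an added example, not code from the thread or from the poster, of a client that disables the network-dependent parts of validation (CRL retrieval and fetching the issuer over AIA) and still makes a real trust decision, by rebuilding the chain against a pinned, locally stored self-signed root. Assumptions and placeholders: the root certificate file path, the target host name "partner-server", and SslProtocols.Tls12 (.NET 4.5 or later) in place of the obsolete Ssl3 used in the post.

```csharp
// Added example (not code from the thread): validate the partner's server
// certificate against a pinned, locally stored self-signed root, entirely
// offline, instead of accepting anything with "return true".
// Placeholders: the root certificate path, the target host name, and the
// .NET 4.5+ SslProtocols.Tls12 value in place of the obsolete Ssl3.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class PinnedSslClient
{
    // The self-signed root that issued the server certificate (placeholder path).
    static readonly X509Certificate2 PinnedRoot =
        new X509Certificate2(@"C:\path\to\partner-root.cer");

    public static bool IsAcceptableChain(X509Certificate certificate,
                                         SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;

        // Rebuild the chain under our own policy:
        //  - NoCheck: no CRL/OCSP retrieval, the machine has no internet route
        //  - ExtraStore: hand the engine the root so it need not fetch it via AIA
        //  - AllowUnknownCertificateAuthority: the root is not in the machine store
        //  - UrlRetrievalTimeout: bound anything the engine still decides to fetch
        X509Chain localChain = new X509Chain();
        localChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        localChain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;
        localChain.ChainPolicy.ExtraStore.Add(PinnedRoot);
        localChain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(1);

        if (!localChain.Build(new X509Certificate2(certificate)))
            return false;

        // The chain must end in exactly the pinned root, not merely in some
        // self-signed certificate the peer chose to present. If that root issues
        // more than one certificate, also pin the leaf's subject or thumbprint.
        X509ChainElement rootElement =
            localChain.ChainElements[localChain.ChainElements.Count - 1];
        bool pinnedRootMatches = string.Equals(
            rootElement.Certificate.Thumbprint, PinnedRoot.Thumbprint,
            StringComparison.OrdinalIgnoreCase);

        // Chain errors are expected (unknown root) and the name mismatch is
        // tolerated only because identity comes from the pin; anything else fails.
        SslPolicyErrors tolerated = SslPolicyErrors.RemoteCertificateChainErrors
                                  | SslPolicyErrors.RemoteCertificateNameMismatch;
        bool onlyToleratedErrors = (sslPolicyErrors & ~tolerated) == SslPolicyErrors.None;

        return pinnedRootMatches && onlyToleratedErrors;
    }

    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return IsAcceptableChain(certificate, sslPolicyErrors);
    }

    static void Main()
    {
        using (TcpClient client = new TcpClient("127.0.0.1", 50051))
        using (SslStream ssl = new SslStream(client.GetStream(), false,
                                             ValidateServerCertificate, null))
        {
            // checkCertificateRevocation = false keeps the built-in engine from
            // fetching CRLs; the callback above makes the actual trust decision.
            ssl.AuthenticateAsClient("partner-server", null, SslProtocols.Tls12, false);
            Console.WriteLine("Negotiated " + ssl.SslProtocol +
                              " with server chained to root " + PinnedRoot.Thumbprint);
        }
    }
}
```

Because the issuer is supplied through ExtraStore and revocation mode is NoCheck, the chain engine has no reason to open outbound connections, which is the behaviour the thread is trying to get rid of; UrlRetrievalTimeout is a belt-and-braces bound in case it tries anyway. On .NET 5 and later, X509ChainPolicy also offers CustomTrustStore with TrustMode = X509ChainTrustMode.CustomRootTrust, which expresses the same pin without AllowUnknownCertificateAuthority.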
#4
davidkclark

Re: SslStream causes spurious http connection attempts - 03-27-2007, 07:22 PM

In fact, now that I check the docs again, the default (when you just
pass it the hostname string) is for it not to check the revocation
list:

http://msdn2.microsoft.com/en-us/library/ms145060.aspx

#5
Eugene V. Bobukh [MS]

Re: SslStream causes spurious http connection attempts - 03-28-2007, 08:23 PM

If my memory serves me right, the behavior might be expected.

First, validation of the certificate may require the download of certificates of the parent authorities.

Second, as was correctly mentioned, validating the cert includes checking its revocation list. And I would really *not* recommend dropping this check, since without it you will still be able to connect to, say, a phishing site after its certificate has been revoked by the issuing authority.

It's a question, though, why the verification takes that long. Although delays like that might be expected on rare occasions, they should not be common. I would suspect there is something wrong either with the network or with the cert you provide, but honestly I have no really deep thoughts on that.

Thanks,
Eugene V. Bobukh
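Eugene names two sources of network traffic during validation: fetching parent (issuer) certificates and checking revocation. Both are driven by URLs embedded in the certificate itself, in the Authority Information Access and CRL Distribution Points extensions. The following added diagnostic, which is not code from the thread, reads those URLs straight out of the DER of either extension (both carry them as GeneralName uniformResourceIdentifier values, tag byte 0x86) and then times a chain build with revocation checking off and on, reporting the chain status flags so the cause of a delay can be matched to a flag such as OfflineRevocation or PartialChain. The AIA bytes in the block are a constructed sample with example.test hosts; the optional command-line argument is a placeholder path to a real certificate file.

```csharp
// Added example (not code from the thread): list the URLs a certificate tells
// the chain engine to fetch, then time chain building with and without
// revocation checking. The AIA sample is constructed; the file path is a placeholder.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class ChainFetchDiagnostics
{
    // RFC 5280 extension OIDs whose contents tell the chain engine where to fetch.
    const string AuthorityInfoAccessOid = "1.3.6.1.5.5.7.1.1";   // AIA: caIssuers / OCSP
    const string CrlDistributionPointsOid = "2.5.29.31";          // CRL distribution points

    // Walk a DER blob and collect every GeneralName of type
    // uniformResourceIdentifier ([6] IMPLICIT IA5String, tag byte 0x86).
    // AIA accessLocation and CRLDP fullName are both GeneralNames, so one walker serves both.
    static void CollectUris(byte[] der, int offset, int end, List<string> uris)
    {
        while (offset < end)
        {
            int tag = der[offset++];
            int length = der[offset++];
            if (length > 0x7F)                       // long-form length
            {
                int lengthBytes = length & 0x7F;
                length = 0;
                for (int i = 0; i < lengthBytes; i++)
                    length = (length << 8) | der[offset++];
            }
            if (tag == 0x86)
                uris.Add(Encoding.ASCII.GetString(der, offset, length));
            else if ((tag & 0x20) != 0)              // constructed: descend
                CollectUris(der, offset, offset + length, uris);
            offset += length;
        }
    }

    public static List<string> UrisIn(byte[] extensionValue)
    {
        List<string> uris = new List<string>();
        CollectUris(extensionValue, 0, extensionValue.Length, uris);
        return uris;
    }

    public static List<string> FetchUrlsIn(X509Certificate2 cert)
    {
        List<string> uris = new List<string>();
        foreach (X509Extension ext in cert.Extensions)
            if (ext.Oid.Value == AuthorityInfoAccessOid || ext.Oid.Value == CrlDistributionPointsOid)
                uris.AddRange(UrisIn(ext.RawData));
        return uris;
    }

    // Build the chain under a given revocation mode and report how long the engine
    // spent plus the status flags it raised (OfflineRevocation, RevocationStatusUnknown
    // and PartialChain are the ones that point at blocked fetches).
    public static TimeSpan TimeChainBuild(X509Certificate2 cert, X509RevocationMode mode,
                                          out X509ChainStatus[] status)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        Stopwatch sw = Stopwatch.StartNew();
        chain.Build(cert);
        sw.Stop();
        status = chain.ChainStatus;
        return sw.Elapsed;
    }

    // Minimal DER TLV encoder (short-form lengths only) used to build the constructed sample.
    static byte[] Der(byte tag, params byte[][] children)
    {
        List<byte> body = new List<byte>();
        foreach (byte[] child in children) body.AddRange(child);
        if (body.Count > 0x7F) throw new ArgumentException("sample too long for short-form length");
        List<byte> tlv = new List<byte> { tag, (byte)body.Count };
        tlv.AddRange(body);
        return tlv.ToArray();
    }

    // Constructed AIA extension value: one caIssuers entry and one OCSP entry (example.test hosts).
    static readonly byte[] CaIssuersOid = { 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02 };
    static readonly byte[] OcspOid      = { 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01 };
    public static readonly byte[] SampleAia = Der(0x30,
        Der(0x30, CaIssuersOid, Der(0x86, Encoding.ASCII.GetBytes("http://ca.example.test/root.crt"))),
        Der(0x30, OcspOid,      Der(0x86, Encoding.ASCII.GetBytes("http://ocsp.example.test"))));

    static void Main(string[] args)
    {
        foreach (string url in UrisIn(SampleAia))
            Console.WriteLine("sample AIA -> " + url);

        if (args.Length == 0) return;           // optional: inspect a real certificate file
        X509Certificate2 cert = new X509Certificate2(args[0]);
        foreach (string url in FetchUrlsIn(cert))
            Console.WriteLine(cert.Subject + " may fetch " + url);
        foreach (X509RevocationMode mode in new[] { X509RevocationMode.NoCheck, X509RevocationMode.Online })
        {
            X509ChainStatus[] status;
            TimeSpan elapsed = TimeChainBuild(cert, mode, out status);
            Console.WriteLine(mode + ": " + elapsed.TotalMilliseconds + " ms");
            foreach (X509ChainStatus s in status)
                Console.WriteLine("  " + s.Status + ": " + s.StatusInformation);
        }
    }
}
```

Run with no argument to see the walker pull the two sample URLs out of the constructed AIA; run with the path to the partner's server certificate to see which hosts its own extensions name and how much of the build time disappears when RevocationMode is NoCheck. If the certificate carries no AIA or CRLDP URLs at all and the Online build still stalls, the remaining fetch is the chain engine looking for the issuer, which supplying the root through ExtraStore avoids.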
#6
davidkclark
 
Re: SslStream causes spurious http connection attempts - 03-29-2007, 10:53 AM

Thanks for your thoughts Eugene,

I understand where you are coming from with your suggestions about not
dropping the revocation check. However, as the machines involved are
not actually connected to the internet, there is no possible way at all
for these requests to succeed. The system uses a self-signed
certificate (certified by a self-signed root certificate) entirely on
the local network only. I know this is perhaps not the recommended
setup, but surely it should be possible to make an SSL connection
between two machines not connected to the internet. I have told it not
to check the revocation list, and I do not do anything with the
certificate in either of the two available callbacks.

I do not read anywhere in the SslStream (etc.) docs that for the
connection to work the machines have to have an open route to the
internet via port 80. Indeed, the request does not fail - it just
takes 15 seconds sometimes. I see three SYN packets try to get out on
port 80 each time there is the 15 second delay. Each of these SYN
packets happens at an interval of about 5 seconds. 5 * 3 = 15.

Thanks.
