CLR contacting crl.verisign.net when starting authenticode signed app

  • Question

    I have noticed that each time I launch a .NET application signed with Authenticode, the CLR tries to contact CRL.VERISIGN.NET to update the system list of revoked certificates.

    On computers that have IP connectivity but where connecting to CRL.VERISIGN.NET is impossible (for example, a firewall blocking access), the launch time can take up to 2 minutes! This may happen in some companies where internet access is restricted.

    As our software is Vista Certified, we cannot remove the Authenticode signature, but at the same time it is not acceptable to our customers to have software that can take minutes to launch!

    Is there any way to tell the CLR not to contact the Verisign revocation list?

    PS: This problem does not happen with Win32 apps signed with Authenticode. This is another very annoying problem brought by the framework!

    Tuesday, January 8, 2008 3:42 PM

All replies

  • Did you get a solution?

    Well, I tried to disable the cert lookup on crl.verisign.com but it doesn't work...
    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/0c08d268-1634-4486-8382-b735e295b3aa.mspx?mfr=true

    Has anyone information or a solution?

    Thanks
    Eckhard Schulz

    Thursday, March 6, 2008 9:54 AM
  • If you add this to your machine/app config then it will disable the authenticode-sign check:

    <configuration>
      <runtime>
        <generatePublisherEvidence enabled="false"/>
      </runtime>
    </configuration>

    Regards,
    Csaba
    • Proposed as answer by Ben_F Wednesday, July 14, 2010 7:55 AM
    Tuesday, September 30, 2008 6:45 PM
  • Hello Csaba,

    I am also having the same problem. I have not been able to try your suggestion yet, but I will.

    Can you tell me why the application is always trying to go to crl.verisign.net? At a client site this is happening always, but on our test systems it does not happen at all.

    Is it possible that there is some security setting that is stopping them from updating their certificates, so it keeps on trying? I would prefer to fix this rather than stop the application from trying to complete what it needs to do.

    Thanks,

    Mark.

    Wednesday, October 1, 2008 9:15 AM
  • Hi,

    I encountered the same problem with a .NET VB application without authenticode.
    Your solution in app.config works well!

    Thanks
    Thursday, February 19, 2009 10:52 AM
  • The app.config modification did the trick for me. Thanks for sharing. My app was taking over a minute to load a crystal report - this fixed it!
    Friday, July 2, 2010 12:35 AM
  • Hi,

    Thanks for all the comments and ideas above.

    There is an add-in that keeps calling verisign on a subnet that doesn't have access to the internet, and loading any add-in in Office makes any of the Office products open very slowly (1-2 minutes delay).

    I have tried the following.

    Added to machine.config of .NETv2.0.50727 Config

    From:

      </configProtectedData>
      <runtime />
      <connectionStrings>

    To:

      </configProtectedData>
      <runtime>
        <generatePublisherEvidence enabled="false"/>
      </runtime>
      <connectionStrings>

    Test: same results, timeout from crl.verisign.net

    IE change: IE > Options > Advanced > Security

    Unchecked "Check for publisher's certificate revocation"

    Test: Still checking crl.verisign.net but down to 60 sec instead of 1.5 min

    IE change: IE > Options > Advanced > Security

    Unchecked "Check for signature on downloaded programs"

    Test: Still tries and times out on verisign.net

    Create app.config for app.

    Create AddInName.dll.config in C:\Program Files\AddInsFolder with

      <?xml version="1.0" encoding="utf-8" ?>
      <configuration>
        <runtime>
          <generatePublisherEvidence enabled="false" />
        </runtime>
      </configuration>

    Test: Still tries and times out on verisign.net

    Timeout registry setting

    HKEY_CURRENT_USER\Software\Microsoft\VSTO

    Add dword AddInTimeout subkey, set the time-out value in milliseconds = 1000 (1s)

    Test: Still tries and times out on verisign.net

    At this point, I am not sure I am grasping the .NET config properly.

    As per Filemon, the Add-in reads the config files from .NETv2.0.50727 (latest on machine 3.5 SP1; in the addinprocess32.exe.config of that version, publisherevidence is always set to false).

    I am sure the config files are read by MSWord, but it seems to ignore my requests for not generating Publisher Evidence.

    At this point, should I be asking the Add-in developer to make a change to the Add-in, or does this only have to do with configuring the .NET Framework on the machine?
    • Edited by KitKatNeko Thursday, January 20, 2011 2:58 PM typo
    Wednesday, January 19, 2011 5:41 PM
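An added example (not code from the thread or from Microsoft) that applies Csaba's `<generatePublisherEvidence enabled="false"/>` fix to an existing app.config or machine.config without duplicating elements, and checks whether a config already has it; it handles the self-closing `<runtime />` shape KitKatNeko's machine.config started with. The sample config and the file path are constructed for the example.

```python
"""Apply or verify generatePublisherEvidence enabled="false" in a .NET config file."""
import sys
import xml.etree.ElementTree as ET

ELEMENT = "generatePublisherEvidence"


def ensure_publisher_evidence_disabled(config_xml: str) -> str:
    """Return config_xml with <runtime><generatePublisherEvidence enabled="false"/></runtime>.

    Reuses an existing <runtime> or <generatePublisherEvidence> instead of adding a
    second one, so running it twice yields the same document. Note that ElementTree
    drops XML comments, so diff the result before replacing a real machine.config.
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    if root.tag != "configuration":
        raise ValueError(f"expected <configuration> root, got <{root.tag}>")
    runtime = root.find("runtime")
    if runtime is None:
        runtime = ET.SubElement(root, "runtime")
    gpe = runtime.find(ELEMENT)
    if gpe is None:
        gpe = ET.SubElement(runtime, ELEMENT)
    gpe.set("enabled", "false")  # the attribute only accepts "true" or "false"
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def publisher_evidence_disabled(config_xml: str) -> bool:
    """True only when the config explicitly sets generatePublisherEvidence enabled="false"."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    gpe = root.find(f"runtime/{ELEMENT}")
    # A missing element or attribute means the CLR default (evidence is generated).
    return gpe is not None and gpe.get("enabled", "true").lower() == "false"


# Constructed sample: the "From:" shape in KitKatNeko's post, with a self-closing <runtime />.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configProtectedData />
  <runtime />
  <connectionStrings />
</configuration>
"""

if __name__ == "__main__":
    # Usage: python fix_config.py <path-to-app.config>   (path is a placeholder)
    path = sys.argv[1]
    with open(path, encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
        fixed = ensure_publisher_evidence_disabled(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(fixed)
```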
  • Could someone please tell me where in the machine.config file I would put that code? Thanks.
    Thursday, March 8, 2012 4:29 PM