On my Surface RT/RT2/Pro2, UpgradeToSslAsync is too slow on both Win8/Win8.1

    Question

  • Dear all,

    I am working on a project for Surface RT/RT2 and Surface Pro2.

    In my recent work, I found that UpgradeToSslAsync is too slow on Win8/Win8.1 on the devices. When I connect one of our company’s website with its FQDN (it is accessible from both intranet and Internet) within our intranet without any DNS/proxy configured, the issue occurs with a high probability.

    Given this website is https://xxx.a.com. If I access it from IE, it is about 20~40 seconds to succeed. However, my program will take about 150 seconds to succeed.

    My program follows StreamSocket.UpgradeToSslAsync to make the connection. Because we've implemented the classic BSD socket API with streamsocket, there are two steps to make the connection: a) get the IP of xxx.a.com, then make a plain connection to it; After it succeeds, b) upgrade the connection to SSL with host xxx.a.com.

    Step a) is very fast, but the issue occurred at step b). It will wait more than 145 seconds before the completed event of UpgradeToSslAsync comes.

    The issue doesn't occur each time. It may be there or not after I reinstall my program or reboot the machine.

    Another point is that if we connect the website within an intranet environment, it works well.

    Further tests showed that for any website (IP or FQDN), the connectAsync with SSL or upgrade to SSL will all be very slow.

    I don’t know why this happened. Would you please give me some suggestions? Thank you very much!



    • Edited by B0L Tuesday, January 14, 2014 5:21 AM
    Friday, December 6, 2013 6:37 AM

All replies

  • Since this is a problem specific to your environment you should open a case with support to diagnose what in your environment is causing this.

    Jeff Sanders (MSFT)

    @jsandersrocks - Windows Store Developer Solutions @WSDevSol
    Getting Started With Windows Azure Mobile Services development? Click here
    Getting Started With Windows Phone or Store app development? Click here
    My Team Blog: Windows Store & Phone Developer Solutions
    My Blog: Http Client Protocol Issues (and other fun stuff I support)

    Friday, December 6, 2013 2:59 PM
    Moderator
  • Hi, Jeff, thanks for caring about this question.

    This is not a special case. There is another software of our company which uses the WinSock. It also has this issue.

    What makes me confused is that this issue couldn't be reproduced all the time for the stream socket or the WinSock. It may occur or disappear after rebooting my devices, or reinstalling the software.

    Sunday, December 8, 2013 1:25 PM
  • Since this is a problem specific to your environment you should open a case with support to diagnose what in your environment is causing this.

    Jeff Sanders (MSFT)

    Monday, December 9, 2013 4:04 PM
    Moderator
  • OK. Thanks. I will do more debugging in my env....
    Thursday, December 12, 2013 4:15 AM
  • It finally turned out to be an "issue" of the system configuration.

    In short, we should reduce the timeout period for the certificate revocation check.

    For the complete answer, please follow me!

    1. Start the "Group Client Policy" service. By default it is forbidden to run.

    2. Run "gpedit.msc". In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings, click Public Key Policies.

    3. Double-click Certificate Path Validation Settings, and then click the Network Retrieval tab.

    4. Select the Define these policy settings check box.

    5. Under Default retrieval timeout settings, change the value in the Default URL retrieval timeout (in seconds) box to 1 (or other values, you can test them), and then click OK to apply the new settings.

    You can get some info here:

    http://technet.microsoft.com/en-us/library/cc771429.aspx

    After the above change, the SSL upgrade is very quick! It also applies to the connectAsync with SSL.

    Hope the solution helps others!


    • Marked as answer by B0L Tuesday, January 14, 2014 5:20 AM
    • Edited by B0L Tuesday, January 14, 2014 5:22 AM
    Tuesday, January 14, 2014 5:20 AM
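
An added diagnostic, not part of the thread: before changing the machine-wide retrieval timeout, this PowerShell script times certificate chain building with and without online revocation checking to confirm that CRL/OCSP retrieval is where the delay sits, and shows what a short timeout does to the revocation result. The file path `.\server.cer` (the site's certificate exported to disk) and the helper name `Measure-ChainBuild` are assumptions made for the example.

```powershell
# Added diagnostic example; not code from the thread.
# Assumption: .\server.cer is the site's certificate exported to a file.
param(
    [string]$CertPath = '.\server.cer',
    [int[]]$TimeoutSeconds = @(1, 15)
)

function Measure-ChainBuild {   # hypothetical helper name
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode,
        [int]$Seconds
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Applies to this chain build only; the machine-wide policy is untouched.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($Seconds)

    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $valid = $chain.Build($Certificate)
    $timer.Stop()

    New-Object psobject -Property @{
        Mode       = $Mode
        TimeoutSec = $Seconds
        ElapsedSec = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        Valid      = $valid
        # RevocationStatusUnknown or OfflineRevocation here means the CRL/OCSP
        # fetch did not finish, so revocation was not actually verified.
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$path = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# Baseline: chain build with no revocation lookup at all.
$results = @(Measure-ChainBuild $cert 'NoCheck' 15)
# Online revocation with each candidate timeout.
foreach ($t in $TimeoutSeconds) {
    $results += Measure-ChainBuild $cert 'Online' $t
}
$results | Format-Table Mode, TimeoutSec, ElapsedSec, Valid, Status -AutoSize
```

If the `NoCheck` row is fast and the `Online` rows track the timeout, the revocation endpoints are unreachable from that network. Windows caches revocation data after a successful fetch, so compare runs taken on a freshly rebooted device.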