Extremely slow WCF communication on some customers

  • Question

  • We have experienced some issues at customers where our application is running very slowly.

    I will describe the solution and then what we can see in the log files.

    We are using WCF for communicating between client and server. The services are hosted as a Windows Service Host. We have two Windows Services running on the server that use TCP with a localhost endpoint address to communicate with each other.

    X509 certificate

    We are using certificates to identify and encrypt the communication. For that we have self-signed certificates. We have added an X509CertificateValidator to custom-validate the certificate.

    public override void Validate(X509Certificate2 certificate)
    {
        // Check that there is a certificate.
        if (certificate == null)
        {
            throw new ArgumentNullException("certificate");
        }
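
        // Accept certificates that are explicitly listed as valid.
        // Note: X509Certificate.Equals compares issuer and serial number.
        if (ValidCertificates.Any(cert => cert.Equals(certificate)))
        {
            return;
        }

        // Otherwise fall back to the built-in peer-or-chain trust validation.
        PeerOrChainTrust.Validate(certificate);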
    }

    This all works at most customers and internally during verification.

    Symptoms:

    What we see is that all WCF calls are very slow. The actual execution time of any call to a service is fast (< 10 ms), but the time from trying to contact the service to receiving the feedback is slow (10 sec).

    So the user experiences an extremely slow application.

    In the Event Viewer the following event is logged many times: CAPI2

    Environment:

    • Setup #1: Isolated system. No access to customer network or internet
    • Setup #2: Access to customer network including internet access.
    • Setup #3: Access to customer network, no internet access

    Two different customers with Setup #1 experience different behavior. One of them is having problems, the other one is not.

    All customers with Setup #2 do not have any problems.

    We have one customer with Setup #3, with problems. The internet was blocked with a webpage for entering username and password to access the internet. The problem disappeared for this customer after the internet access was granted.

    Reproducible:

    We have tried to replicate the Setups that gave the problems, but we are not able to reproduce this internally.

    The strange thing is that this only happens in some environments. I am trying to think and read about any issues a self-signed certificate can have and the Automatic Root Update feature.

    Hope anyone can help in understanding what is happening.

    Reference:

    http://msdn.microsoft.com/en-us/library/aa354512(v=vs.110).aspx

    http://arstechnica.com/security/2012/06/microsoft-overhauls-certificate-management-in-response-to-flame-pki-hack/

    http://scn.sap.com/community/security/blog/2013/09/29/ssl-signed-vs-self-signed-certificates

    http://stackoverflow.com/questions/4095297/self-signed-certificates-performance-in-wcf-scenarios

    UPDATE 1:

    What I need to know is how the whole certificate works in Windows. We did some network monitoring internally and saw that our process executable makes a request to Windows Update for the authrootstl.cab file. This is not something that our code is doing. This doesn't happen if the machine is offline (not connected to the internet).

    What triggers an update of the authrootstl.cab and how often is it done? What if it fails, what is the fallback? In what circumstance does the "Automatic root certificate update" not trigger?

    Friday, March 28, 2014 2:35 PM
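
To check whether the fallback to `PeerOrChainTrust.Validate` is where the delay occurs, that step can be timed in isolation on an affected machine. This is an added example, not code from the original post; the class name `ValidationTiming`, the `Time` and `BuildChain` helpers and the constructed sample certificate are assumptions, and it assumes .NET Framework 4.7.2 or later with a reference to System.IdentityModel.

```csharp
using System;
using System.Diagnostics;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ValidationTiming   // hypothetical name
{
    // Runs one validation step and prints its duration and outcome.
    static void Time(string label, Action step)
    {
        var sw = Stopwatch.StartNew();
        string outcome = "ok";
        try { step(); }
        catch (Exception ex) { outcome = ex.GetType().Name; }
        Console.WriteLine("{0,-26}{1,7} ms  {2}", label, sw.ElapsedMilliseconds, outcome);
    }

    // Builds the chain with the given revocation mode and lists the status flags.
    static void BuildChain(X509Certificate2 cert, X509RevocationMode mode)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = mode;
            bool valid = chain.Build(cert);
            Console.WriteLine("  chain valid: {0}", valid);
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  status: {0}", s.Status);
        }
    }

    static void Main(string[] args)
    {
        X509Certificate2 cert;
        if (args.Length > 0)
            cert = new X509Certificate2(args[0]);   // path to the service's .cer file
        else
            using (RSA rsa = RSA.Create(2048))      // constructed sample certificate
                cert = new CertificateRequest("CN=constructed-sample", rsa,
                    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                    .CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddDays(30));

        // The same fallback the custom validator calls for certificates not in its list.
        Time("PeerOrChainTrust.Validate", () => X509CertificateValidator.PeerOrChainTrust.Validate(cert));
        Time("X509Chain.Build (Online)", () => BuildChain(cert, X509RevocationMode.Online));
        Time("X509Chain.Build (NoCheck)", () => BuildChain(cert, X509RevocationMode.NoCheck));
    }
}
```

Comparing the output from an affected and an unaffected machine shows whether the delay sits in chain building rather than in WCF itself.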

All replies