Recovering from SSL/TLS failure during GPO update

  • Question

  • My desktop application is failing to negotiate TLS during the window when root certificates are updated by group policy.

    The error is the one in the article: "A certificate chain was processed, but terminated in a root certificate which was not trusted by the trust provider"

    I thought I could get around this by catching the exception and trying again, however what I've noticed is it seems once the application fails to get this certificate that state is remembered for the life of the application.

    As an example, if I close and reopen the application repeatedly during the group policy update I can usually get back in within about 40 seconds. However, if I keep trying within the code I still can't get in after 10 minutes.

    I'm trying to get a security token using WSHttpBinding > WSTrustChannelFactory > WSTrustChannel in .NET and I've tried closing the channel and also recreating the entire object chain to the binding so I suspect caching is somewhere in System.Net which is used according to the trace logs.

    Any ideas on how I can force a re-lookup of the SSL/TLS root certificates would be appreciated because I'd rather not need to present users with a "Please close the application and try again in a few minutes" type message.

    Update: I've done some more testing and found that all the web browsers (IE, Edge and Chrome) fail to load the intranet home page (a different site to my app) during this update as well, with untrusted root certificate errors. Interestingly, when refreshing the tabs, Edge seems to be able to recover; however, IE and Chrome require you to visit the intranet homepage in a new tab for it to work (I suspect this is related to the per-process caching). I guess if the major browsers can't recover from this there's no hope for my little app.


    • Edited by Cube00 Sunday, July 12, 2020 7:50 AM
    Saturday, July 11, 2020 6:18 AM

All replies

  • This is WCF related and that relies on ServicePointManager. That class ultimately caches connection information for network calls. You will likely need to use this to recover. While I don't recommend disabling cert checking, you might need to handle the change in certs via the callback. I've never seen this problem in the wild so I'm not convinced that it is simply the GPO update. Based upon the error it seems like the root cert is not trusted. This shouldn't happen for a root cert, though, which makes me wonder about the certs being used.

    Michael Taylor http://www.michaeltaylorp3.net

    Saturday, July 11, 2020 1:34 PM
    Moderator
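
As an added example (not code from either poster, and not Microsoft's), here is the shape of the recovery the reply points at: keep certificate checking switched on, hook ServicePointManager.ServerCertificateValidationCallback so that each handshake rebuilds the server's chain against the root store as it is right now, and retry the WS-Trust request with a bounded backoff only when the failure was a trust failure. The STS address, AppliesTo URI, credentials and attempt count are placeholders. Whether rebuilding the chain inside the callback actually clears the per-process state the original poster observed is an assumption that has to be tested in the GPO-update window; the thread does not establish where that state lives.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;

// Added example, not code from the thread. Retries a WS-Trust Issue across a
// transient root-trust failure while keeping certificate checking switched on.
static class StsClient
{
    // Process-wide hook used by System.Net (and therefore by WCF's HTTP
    // transport) for every TLS server certificate in this process.
    static bool ValidateServerCertificate(object sender, X509Certificate cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;

        // Rebuild the chain rather than reusing the one System.Net passed in.
        // X509Chain.Build consults the root stores as they are now, so a root
        // that GPO has just (re)installed is seen on this attempt. Assumption:
        // this is the state the original poster saw being remembered.
        using (var fresh = new X509Chain())
        {
            bool trusted = fresh.Build(new X509Certificate2(cert));
            // Never return true on failure: that is the "disable cert checking"
            // the reply warns against.
            return trusted;
        }
    }

    // A rejected server certificate typically surfaces from WCF as a
    // SecurityNegotiationException wrapping a WebException wrapping an
    // AuthenticationException; only that failure mode is worth retrying.
    static bool IsTrustFailure(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
            if (e is AuthenticationException) return true;
        return false;
    }

    // stsAddress, appliesTo and the credentials are placeholders.
    public static SecurityToken RequestToken(Uri stsAddress, string appliesTo,
                                             string user, string password,
                                             int maxAttempts)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        RemoteCertificateValidationCallback previous =
            ServicePointManager.ServerCertificateValidationCallback;
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
        try
        {
            for (int attempt = 1; ; attempt++)
            {
                // Recreate the whole factory/channel chain per attempt, as the
                // original poster already did, so nothing WCF-side is reused.
                var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsAddress))
                {
                    TrustVersion = TrustVersion.WSTrust13
                };
                factory.Credentials.UserName.UserName = user;
                factory.Credentials.UserName.Password = password;

                var channel = (WSTrustChannel)factory.CreateChannel();
                try
                {
                    var rst = new RequestSecurityToken
                    {
                        RequestType = RequestTypes.Issue,
                        AppliesTo = new EndpointReference(appliesTo),
                        KeyType = KeyTypes.Bearer
                    };
                    SecurityToken token = channel.Issue(rst);
                    channel.Close();
                    factory.Close();
                    return token;
                }
                catch (SecurityNegotiationException ex)
                    when (IsTrustFailure(ex) && attempt < maxAttempts)
                {
                    // Abort rather than Close: the channel is already faulted.
                    channel.Abort();
                    factory.Abort();
                    // Bounded backoff; the poster saw recovery in roughly 40 s
                    // when the process was restarted, so wait in that range.
                    Thread.Sleep(TimeSpan.FromSeconds(Math.Min(30, 5 * attempt)));
                }
            }
        }
        finally
        {
            ServicePointManager.ServerCertificateValidationCallback = previous;
        }
    }
}
```

The callback is global to the process, so every HTTPS connection the application makes goes through it while it is installed; the finally block restores whatever was there before. Any SecurityNegotiationException that is not a trust failure, and the last trust failure once maxAttempts is reached, propagates to the caller so the error is never silently swallowed.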