Ask a Question

Verifying client certificate takes multiple seconds in specific server

0 votes
by (270 points)

Rebex takes around ~15 seconds to verify client certificate during handshake.
I was able to reproduce this only in 1/3 environments. In good functioning servers it's being done in milliseconds. This begs me to believe that it might be server hw/software/configuration issue. But I have no clue where to even begin.

Between logs "Verifying client certificate" and "Certificate verification result"
15 seconds have passed.

Trimmed down log, full one exceeds character limit:

2022-10-28 14:16:23.322 DEBUG TlsSocketEx(2)[55] TLS: HandshakeMessage:CertificateVerify was received.
2022-10-28 14:16:23.322 DEBUG TlsSocketEx(2)[55] TLS: Verifying client certificate ('CN=200357313011108512328466, OU=TestPOS, O=EPS LT UAB - i.k. 302413851, L=Savanoriu pr. 123A Vilnius 03150, S=Lithuania, C=LT').
2022-10-28 14:16:38.329 DEBUG TlsSocketEx(2)[55] TLS: Certificate verification result: Accept
2022-10-28 14:16:38.329 VERBOSE TlsSocketEx(2)[55] TLS: Received TLS packet:
0000 |14-03-03-00-01-01 | ......
2022-10-28 14:16:38.329 DEBUG TlsSocketEx(2)[55] TLS: CipherSpec:ChangeCipherSpec was received.
2022-10-28 14:16:38.329 VERBOSE TlsSocketEx(2)[55] TLS: Received TLS packet:
0000 |16-03-03-00-10-14-00-00 0C-BC-F8-CF-D1-5B-7E-A9| .............[~.
0010 |96-C2-D5-CF-7E | ....~
2022-10-28 14:16:38.329 DEBUG TlsSocketEx(2)[55] TLS: HandshakeMessage:Finished was received.

Applies to: Rebex TLS

1 Answer

+1 vote
by (147k points)

Rebex TLS does not validate certificates on its own, but uses the operating system for that purpose via .NET Framework API (unless running on .NET Compact Framework, where our libraries do validate certificates as well). This means that the slowdown most likely occurs outside Rebex libraries.

If the application is running on Windows, you can gain some insight into the validation process using the certutil tool. To run the tool, retrieve the server's certificate chain using the following code and save it to a file:

// connect to a server and negotiate a session without verifying the certificate
var client = new TlsClientSocket();
client.Connect(serverName, serverPort);
client.Parameters.CertificateVerifier = CertificateVerifier.AcceptAll;
client.Negotiate();

// save the certificate chain in a format compatible with Windows 'certutil' tool
var sb = new StringBuilder();
foreach (var cert in client.ServerCertificate)
{
    var buffer = new MemoryStream();
    cert.Save(buffer, CertificateFormat.Base64Der);
    sb.Append(Encoding.ASCII.GetString(buffer.ToArray()));
}
File.WriteAllText("chain.crt", sb.ToString());

Then, run the certutil tool on it in the same environment where the slowdown occurs:

certutil -verify -urlfetch chain.crt

Does the slowdown occur as well with certutil?

by (270 points)
edited by
Yes, slowdown occurs with certutil as well.
This pointed to the root cause https://sudonull.com/post/79422-An-unexpected-feature-of-certificate-verification-in-Windows
by (147k points)
Thanks for the update! We have not encountered that particular issue before, so thanks for the link as well!
...