Disabling certificate revocation checking for an application on Windows

c# nhibernate certificate code-access-security certificate-revocation
Colm Clarke picture Colm Clarke · Nov 4, 2013 · Viewed 17.1k times · Source

I have a .NET 3.5 desktop application that had been showing periodic slow downs in functionality whenever the test machine it was on was out of the office.
I managed to replicate the error on a machine in the office without an internet connection, but it was only when i used ANTS performance profiler that i got a clearer picture of what was going on.

In ANTS I saw a "Waiting for synchronization" taking up to 16 seconds that corresponded to the delay I could see in the application when NHibernate tried to load the System.Data.SqlServerCE.dll assembly.
If I tried the action again immediately it would work with no delay but if I left it for 5 minutes then it would be slow to load again the next time I tried it.

From my research so far it appears to be because the SqlServerCE dll is signed and so the system is trying to connect to get the certificate revocation lists and timing out.
Disabling the "Automatically detect settings" setting in the Internet Options LAN settings makes the problem go away, as does disabling the "Check for publishers certificate revocation".
But the admins where this application will be deployed are not going to be happy with the idea of disabling certificate checking on a per machine or per user basis so I really need to get the application level disabling of the CRL check working.

There is the well documented bug in .net 2.0 which describes this behaviour, and offers a possible fix with a config file element.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <runtime>
        <generatePublisherEvidence enabled="false"/>
    </runtime>
</configuration>

This is NOT working for me however even though I am using .net 3.5.
The SQLServerCE dll is being loaded dynamically by NHibernate and I wonder if the fact that it's dynamic could somehow be why the setting isn't working, but I don't know how I could check that.

Can anyone offer suggestions as to why the config setting might not work?
Or is there another way I could disable the check at the application level, perhaps a CAS policy setting that I can use to set an exception for the application when it's installed?
Or is there something I can change in the application to up the trust level or something like that?

Answer

AnotherDeveloper picture AnotherDeveloper · Nov 12, 2013

You can specify in code if you want to check the revocation list per application:

ServicePointManager.CheckCertificateRevocationList = false;

Related questions

NHibernate.MappingException: No persister for: XYZ

Now, before you say it: I did Google and my hbm.xml file is an Embedded Resource. Here is the code I am calling: ISession session = GetCurrentSession(); var returnObject = session.Get<T>(Id); Here is my mapping file …

Read More
Best way to convert IList or IEnumerable to Array

I have a HQL query that can generate either an IList of results, or an IEnumerable of results. However, I want it to return an array of the Entity that I'm selecting, what would be the best way of accomplishing …

Read More
How does TransactionScope roll back transactions?

I'm writing an integration test where I will be inserting a number of objects into a database and then checking to make sure whether my method retrieves those objects. My connection to the database is through NHibernate...and my usual …

Read More