Microsoft KB Archive/295070

= SSL (https) connection slow with one certificate but faster with others =

Article ID: 295070

Article Last Modified on 4/23/2007

-

APPLIES TO


 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q295070



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
You may notice significant response differences when you browse to a Secure Sockets Layer (SSL) site and use different client or server certificates.



CAUSE
IIS is attempting to contact and download various certificate extensions as part of the SSL negotiation process. This usually involves Certificate Revocation List (CRL) checking, which is disabled by default in IIS 4.0 but enabled by default in IIS 5.0. For information on how to change the default values for CRL checking, search the IIS online product documentation (located at http:///iishelp) for the &quot;CertCheckMode&quot; keyword.



RESOLUTION
First, make sure that the issuing Certificate Authority (CA) root certificate is installed on the client. For more information on how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

297681 Error message: This security certificate was issued by a company that you have not chosen to trust

Next, contact the CA that is responsible for issuing the certificate and have the CA change the certificate extensions to reflect a faster protocol or download location. For a Microsoft Certificate Authority that is running on Microsoft Windows 2000, this is done through a policy module.

To change the default policy module, follow these steps:
 * 1) Open the Microsoft Management Console (MMC). To do this, click Programs on the Start menu, click Administrative Tools, and then click Certificate Authority.
 * 2) Right-click the Certificate Authority (CA) MMC snap-in and click Properties.
 * 3) On the Policy Module tab, click Configure and click the X 509 Extensions tab. The changes above will be reflected in all subsequently issued certificates.

NOTE: Existing certificates cannot be changed!

NOTE: You may also have to perform the previous steps on intermediate CAs.



WORKAROUND
If the CA that issued your certificate cannot change the certificate extensions to reflect a faster protocol or download location (because the certificate was issued by a third party such as Verisign), fix any network or name resolution problems that may be preventing IIS from downloading files (usually .crl or .crt files) from the servers that are listed in the certificate's extensions.

To troubleshoot this, copy the URLs from the certificate's extensions and paste them into the browser on the IIS server, then use the Microsoft Network Monitor or the Wfetch.exe utility to identify any name resolution or network latency issues as the browser attempts to contact and download the extension files.

For more information about the Wfetch.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:

284285 How to use Wfetch.exe to troubleshoot HTTP connections



STATUS
This behavior is by design.



MORE INFORMATION
View the certificate's certification path and note the extension details for each certificate in the path. The differences in response time are related to these extensions.

For example, view the CRL Distribution Point (CDP) extension details. If IIS is using client certificates, it attempts to locate and download a CRL from each certificate in the path, starting with the first CDP in the list and moving downward.

For example, a CDP that is using an LDAP protocol and pulling the CRL from a LDAP folder may take longer than a CDP that is using an HTTP protocol and pulling the CRL from the local IIS server by using an HTTP GET command.

The following is a sample CDP extension:

NOTE: IIS starts from the first CDP and works downward. [1]CRL Distribution Point Distribution Point Name: Full Name:

URL=http://Caserver.domain.com/CertEnroll/CArootCertifiateName.crl

[2]CRL Distribution Point Distribution Point Name: Full Name:

URL=ldap:///CN=LDAPCAserver.domain.com,CN=CDP,CN=Configuration, DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

[3]CRL Distribution Point Distribution Point Name: Full Name:

URL=file://\\Caserver.domain.com\CertEnroll\CArootCertifiateName.crl The Authority Information Access (AIA) extension also starts from the first URL and works downward.

The following is a sample AIA extension: [1]Authority Info Access Access Method=Certification Authority Issuer(1.3.6.1.5.5.7.48.2) Alternative Name:

URL=http://CAserverName.domain.com/CertEnroll/CAserverName_CArootCertifiateName.crt

[2]Authority Info Access Access Method=Certification Authority Issuer(1.3.6.1.5.5.7.48.2) Alternative Name:

URL=file://\\CAserverName.domain.com\CertEnroll\CAserverName_CArootCertifiateName.crt

