Consultor Eletrônico

Kbase P119917: .NET Open Client application connects to "crl.verisign.com"
Author   Progress Software Corporation - Progress
Access   Public
Published   2/6/2009
Status: Verified

SYMPTOM(s):

.NET Open Client application connects to "crl.verisign.com"

For 10.1A01 the CRL URL is http://CSC3-2004-crl.verisign.com/CSC3-2004.crl

For 10.0B03 it is http://crl.verisign.com/Class3CodeSigning2001.crl

FACT(s) (Environment):

If Internet Explorer is configured not to update expired certificates, the VeriSign server is not contacted.
Performance problems occur if the machine does not have Internet access.
OpenEdge 10.x
Windows

CAUSE:

This is expected behavior.

Each time one of the DLLs ("progress.o4glrt.dll", "progress.messages.dll" or "progress.ssl.dll") is loaded, the CRL URL is accessed to check whether the code-signing certificate has been revoked.

FIX:

There are two ways to work around this behavior:

1. Use the signcode utility from Microsoft together with your own CA root certificate (with a CRL distribution point URL pointing to your intranet site, or with no CRL URL at all) and re-sign the three DLLs ("progress.o4glrt.dll", "progress.messages.dll" and "progress.ssl.dll").

These DLLs would then carry your digital signature, and no outbound connection would be attempted to check the CRL URL.

OR

2. Modify the .NET application's .config file (e.g. MyApplication.exe.config) and turn off the default .NET runtime behavior of validating the digital signatures of signed DLLs.
If the .NET application does not yet use a .config file, create one by adding a new "Application Configuration File" to the .NET project. When the .NET solution is built, the "MyApplication.exe.config" file is automatically created next to the generated executable (in the Debug or Release folder, depending on which configuration is built).

A sample .NET configuration file which does this is shown below:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <runtime>
    <!-- Stops the CLR from generating Publisher evidence (Authenticode signature verification,
         including the CRL lookup) when signed assemblies are loaded -->
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>
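The following PowerShell script is an added example, not part of the Progress KB article: it shows which CRL URL each Open Client DLL's signing certificate points to (so you can confirm whether workaround 1 applied, i.e. the signer is now your own CA with an intranet or absent CRL URL) and whether the application's .config already carries the workaround 2 setting. The DLL paths and the .exe.config path are placeholders for your own installation.

```powershell
# Added example (not from the Progress KB article). Assumed placeholder paths; adjust to your install.
$dlls = @('C:\Progress\OpenEdge\dotnet\progress.o4glrt.dll',
          'C:\Progress\OpenEdge\dotnet\progress.messages.dll',
          'C:\Progress\OpenEdge\dotnet\progress.ssl.dll')
$appConfig = 'C:\MyApp\bin\Release\MyApplication.exe.config'

function Get-SignerCrlUrls {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $Path; Status = $sig.Status; Signer = '(unsigned)'; CrlUrls = @() }
    }
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as text
    # containing lines such as "URL=http://crl.verisign.com/...", which we extract with a regex.
    $ext  = $sig.SignerCertificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($ext) {
        $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status            # Valid / NotSigned / UnknownError etc.
        Signer  = $sig.SignerCertificate.Subject
        CrlUrls = $urls                  # hosts the CLR may contact when the DLL is loaded
    }
}

$dlls | Where-Object { Test-Path $_ } | ForEach-Object { Get-SignerCrlUrls $_ } | Format-List

# Workaround 2 check: is <generatePublisherEvidence enabled="false"/> present in the app config?
if (Test-Path $appConfig) {
    [xml]$cfg = Get-Content -Path $appConfig
    $node = $cfg.configuration.runtime.generatePublisherEvidence
    if ($node -and $node.enabled -eq 'false') {
        Write-Output "Publisher evidence generation is disabled in $appConfig"
    } else {
        Write-Output "Publisher evidence generation is still enabled; the CRL check runs at DLL load"
    }
} else {
    Write-Output "No application config found at $appConfig"
}
```

Run it from the folder where the Open Client DLLs are deployed with the application; an empty CrlUrls list for a DLL re-signed with your own CA means no CRL lookup will be attempted for it.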