Find out what certificate revocation server an application is contacting

certificatecrltcpwcf

I'm trying to install an application on a machine running Windows XP Pro.

There are two different servers being contacted, both using the same wildcard certificate (GoDaddy). One via https, one via net.tcp with ssl. Both are WCF services.

The first (via https) worked fine from the beginning.
The TCP connection, however, fails with the error message "The revocation function was unable to check revocation because the revocation server was offline"

We got the IT guy to temporarily disable the proxy, and the TCP connection was successful, but he can't leave it off forever and we need to figure out what revocation server is being used.

According to this article on GoDaddy's support site (http://support.godaddy.com/help/article/6723/verifying-a-certificates-validity-on-your-computer), you need to have one of these open for the revocation check to succeed:

crl.godaddy.com
certificates.godaddy.com
crl.starfieldtech.com
certificates.starfieldtech.com

We can ping them all just fine with the proxy running, but the TCP connection doesn't work.

How do I troubleshoot this? Is there a good way to figure out what CRL the app is attempting to contact?

Best Answer

Open the site in your browser, open the View Certificate (usually clicking the Lock icon or similar, varies by browser). Details tab, CRL Distribution Points should be in the list with the URL(s).

Related Solutions

Linux – Why would a server not send a SYN/ACK packet in response to a SYN packet

We had this exact same problem. Just disabling TCP timestamps solved the problem.

sysctl -w net.ipv4.tcp_timestamps=0

To make this change permanent, make an entry in /etc/sysctl.conf.

Be very careful about disabling the TCP Window Scale option. This option is important for providing maximum performance over the internet. Someone with a 10 megabit/sec connection will have a suboptimal transfer if the round trip time (basically same as ping) is more than 55 ms.

We really noticed this problem when there were multiple devices behind the same NAT. I suspect that the server might have been confused seeing timestamps from Android devices and OSX machines at the same time since they put completely different values in the timestamp fields.

Iis – Hosting a WCF Service on IIS in a LAN without internet connection

So it seems that your hosts query some other names than you think, and wait for DNS servers to respond.

The proper solution would be to determine what queries are sent (sniff udp/53 or tcp/53 outgoing communication via Sysinternals network monitor or via tcpdump or via wireshark). Then insert exactly these names in "hosts" files. The confusion may be that a host tries to query "hostA.subdomainB." or "hostA.subdomainB.domainC." or it performs reverse resolution with "1.2.3.4.in-addr.arpa" for its own IP. Also it might be that your "hosts" file is not parsed correctly for whatever reason.

A second solution is to have (1) an internal DNS server, serving (2) a local DNS domain (e.g. .local). Refer to a similar question and answer https://superuser.com/questions/368861/can-i-use-dir-655-for-internal-dns. The router is not the best place to run an internal DNS server, because there is a deal of difficulty with installing it and with maintaining it, even on more advanced firmware (like DD-WRT or similar custom firmware). The D-Link routers do not support DNS server I know of in their default firmware; they have DNS forwarder (aka DNS relay) or DynamicDNS client, but it's not what you need. So it could be on another box (Linux with bind?).

Related Topic