Ssl – How to Disable CRL Checks For A Windows 2008 App Using WinHTTP

crlnetworkingsslwindows-server-2008

I've got a Windows 2008 server with an app that uses WinHTTP for SSL sessions. The server is isolated from the internet but still tries to connect to CRL distribution points, which leads to some timeouts.

Since the server has no access to the internet whatsoever, I'd like to disable CRL checks.

I had a similar issue on a Windows 2003 server and resolved it by adjusting the following registry keys:

HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Http/Parameters/SslBindiongInfo/0.0.0.0:443/DefaultSslCertCheckMode (DWORD=1)

HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Rasman/PPP/EAP/13/NoRevocationCheck (DWORD = 1)

HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Rasman/PPP/EAP/13/NoRootRevocationCheck (DWORD = 1)

That doesn't seem to be working in 2008. I've also tried disabling the CRL check from IE under Tools >> Internet Options >> Advanced.

Is there anything else I can try here?

Best Answer

I don't, but would it work to blackhole the crl server(s)? You can add 127.0.0.1 crl.host.domainnaame to the hosts file.

An example of this for another application is here:

Exchange Server 2007 managed code services do not start after you install an update rollup for Exchange Server 2007
http://support.microsoft.com/kb/944752

Best Answer

Related Solutions

How to increase maximum connection backlog limit in windows 2008 server

Are there certain specific host file entries that Windows 2008 will ignore for security purposes

Related Topic