
Question: difference between X509RevocationMode.Offline and X509RevocationMode.Online #64689

Closed
heng-liu opened this issue Feb 2, 2022 · 5 comments
Labels
area-System.Security question Answer questions and provide assistance, not an issue with source code or documentation.
Milestone

Comments

@heng-liu

heng-liu commented Feb 2, 2022

Issue NuGet/Home#11548 says setting NUGET_CERT_REVOCATION_MODE to offline makes the restore much faster on Windows (from 5m 39s to 1m 22s).
The only difference from NuGet side is the value of X509RevocationMode(online to offline), which is set before chain building.
From the doc, we can see the difference between offline and online is:
Offline: A revocation check is made using a cached certificate revocation list (CRL).
Online: A revocation check is made using an online certificate revocation list (CRL).

May I know if there is any other difference (e.g. OCSP) between the two modes? Just wondering why there is a big difference in restore time.

From the doc, there is a note
Specifying an online check can result in a long delay while the certificate authority is contacted.
May I know if you've done any test comparing the two modes? Thanks!

@dotnet-issue-labeler dotnet-issue-labeler bot added area-System.Security untriaged New issue has not been triaged by the area owner labels Feb 2, 2022
@ghost

ghost commented Feb 2, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

@heng-liu
Author

heng-liu commented Feb 2, 2022

@bartonjs bartonjs added question Answer questions and provide assistance, not an issue with source code or documentation. and removed untriaged New issue has not been triaged by the area owner labels Feb 2, 2022
@bartonjs bartonjs added this to the Future milestone Feb 2, 2022
@bartonjs
Member

bartonjs commented Feb 2, 2022

The behavioral differences come from the Windows OS, they're a black box to .NET. When the mode is Offline we set the CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY flag when calling CertGetCertificateChain.

In Online mode the OS might prefer to check live OCSP over using a longer-lived cached CRL, but that's speculation.

@heng-liu
Author

heng-liu commented Feb 2, 2022

Thanks @bartonjs !
We're considering checking the time spent on chain building, and seeing if the most time-consuming chain buildings have some certificate in common, so that we could locate the problematic certificate if there is any.
But my concern is, if the problem is caused by anything else (not certificate related), e.g. the first call failed if PKI isn't set up correctly, or CRL caching is slow, we will not be able to know any of this, as we only have the time spent on the whole chain building, and there is no more granular data for us to investigate.
So I'm wondering if you have any suggestions, or any referral of experts might know how to investigate this. Thanks!
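The following is an added example, not code from this issue, from NuGet, or from dotnet/runtime. It does two things the thread discusses: it builds a chain for one certificate under each X509RevocationMode and times the call (on Windows, Offline corresponds to the CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY flag passed to CertGetCertificateChain, as stated above; everything else the OS does is opaque to this code), and it tallies which chain certificates recur across slow builds, which is the "certificate in common" investigation heng-liu proposes. The file path `leaf.cer`, the 2-second slowness threshold, and the 15-second URL retrieval timeout are assumptions chosen for illustration; the only revocation-related status flags inspected are RevocationStatusUnknown, OfflineRevocation and Revoked.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

// Added example (not from this issue or from dotnet/runtime).
public static class RevocationTiming
{
    public sealed record ChainResult(
        X509RevocationMode Mode,
        bool Built,
        TimeSpan Elapsed,
        List<string> Thumbprints,   // every certificate the OS placed in the chain
        List<string> Notes);        // revocation-related status per element

    // Build one chain under the given mode and measure how long X509Chain.Build
    // (CertGetCertificateChain on Windows) takes. Offline => cache-only revocation data.
    public static ChainResult BuildAndTime(X509Certificate2 leaf, X509RevocationMode mode)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        // Assumed bound on each network fetch so an Online build cannot hang indefinitely.
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);

        var sw = Stopwatch.StartNew();
        bool built = chain.Build(leaf);
        sw.Stop();

        var thumbprints = new List<string>();
        var notes = new List<string>();
        const X509ChainStatusFlags revocationFlags =
            X509ChainStatusFlags.RevocationStatusUnknown
            | X509ChainStatusFlags.OfflineRevocation
            | X509ChainStatusFlags.Revoked;

        foreach (X509ChainElement element in chain.ChainElements)
        {
            thumbprints.Add(element.Certificate.Thumbprint);
            foreach (X509ChainStatus status in element.ChainElementStatus)
            {
                // Only flags that concern revocation data, not signature/validity of the cert itself.
                if ((status.Status & revocationFlags) != 0)
                {
                    notes.Add($"{element.Certificate.Thumbprint}: {status.Status} ({status.StatusInformation.Trim()})");
                }
            }
        }
        return new ChainResult(mode, built, sw.Elapsed, thumbprints, notes);
    }

    // Over many leaf certificates, count which chain certificates appear in builds
    // slower than 'threshold'. A certificate with a high count is a candidate for
    // having slow or unreachable CRL/OCSP endpoints.
    public static Dictionary<string, int> CertsInSlowChains(
        IEnumerable<X509Certificate2> leaves, X509RevocationMode mode, TimeSpan threshold)
    {
        var counts = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
        foreach (X509Certificate2 leaf in leaves)
        {
            ChainResult r = BuildAndTime(leaf, mode);
            if (r.Elapsed < threshold) continue;
            foreach (string tp in r.Thumbprints)
                counts[tp] = counts.GetValueOrDefault(tp) + 1;
        }
        return counts;
    }

    public static void Main(string[] args)
    {
        // Placeholder: pass one or more certificate files (DER or PEM) on the command line.
        string[] paths = args.Length > 0 ? args : new[] { "leaf.cer" };
        var leaves = new List<X509Certificate2>();
        foreach (string p in paths) leaves.Add(new X509Certificate2(p));

        // 1) Per-mode timing for the first certificate.
        foreach (var mode in new[] { X509RevocationMode.NoCheck, X509RevocationMode.Offline, X509RevocationMode.Online })
        {
            ChainResult r = BuildAndTime(leaves[0], mode);
            Console.WriteLine($"{r.Mode,-8} built={r.Built} elapsed={r.Elapsed.TotalMilliseconds:F0} ms");
            foreach (string n in r.Notes) Console.WriteLine("  " + n);
        }

        // 2) Which certificates keep showing up in slow Online builds (assumed 2 s threshold).
        var slow = CertsInSlowChains(leaves, X509RevocationMode.Online, TimeSpan.FromSeconds(2));
        foreach (var kv in slow) Console.WriteLine($"slow-chain member {kv.Key}: {kv.Value} occurrence(s)");

        foreach (var c in leaves) c.Dispose();
    }
}
```

Run the NoCheck mode first as a baseline: the gap between NoCheck and Offline is the cost of consulting cached revocation data, and the gap between Offline and Online is the cost of the network fetches the OS decided to make. OfflineRevocation or RevocationStatusUnknown on an element in Offline mode means the cache had nothing for that certificate, which is the case where the Online build is expected to go to the network.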

@bartonjs
Member

bartonjs commented Mar 5, 2022

Windows has telemetry for chain building, which is opt-in. The instructions for turning it on are at https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296(v=ws.10)?redirectedfrom=MSDN
