SSL connection issues when using client certificate authentication

Posted on Friday, April 4, 2014 by Nicki de Wet

The SSL subsystem in Windows has a limitation as to the maximum size of the Trusted Issuers list the server sends to the client during the client certificate authentication process. This causes the list to be truncated, and if the issuer of your client certificate is not listed, causes the authentication to fail with the following response:

HTTP/1.1 403 Forbidden
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 04 Apr 2014 10:00:13 GMT

This will be accompanied by an entry with Event ID 36885 in the Windows System Eventlog:

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

There are two approaches to fix this:

  • remove certificates from the list of Trusted Issuers (not always easy or safe, you might delete certificates required by the operating system or other installed software), or
  • create a registry setting that will cause the SSL subsystem to no longer send the list of Trusted Issuers to the client.

I personally prefer the 2nd option, as there is less chance of disaster IMHO.
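As an added example (not code from the post), the two halves of the diagnosis and the fix in C#: measuring how much issuer-name data the LocalMachine Root store contributes to the list, and writing the Schannel SendTrustedIssuerList value the second option refers to. The value name is the documented Windows setting; the post itself does not name it, and the exact size cap is not given on the page.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Win32;

// Added example, not from the post. SendTrustedIssuerList (DWORD, 0 = do not
// send the list) is the documented Schannel value; the post does not name it.
// Run elevated for the registry write; the measurement needs no privileges.
static class TrustedIssuerList
{
    const string SchannelKey = @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL";

    // (certificate count, total bytes of DER subject names) for the
    // LocalMachine Root store. The byte total is what the CertificateRequest
    // message carries, so this is the number to watch; the post gives no
    // exact cap, so compare it against the limit documented for your version.
    public static Tuple<int, int> MeasureRootStore()
    {
        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        int count = 0, bytes = 0;
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                count++;
                bytes += cert.SubjectName.RawData.Length;
            }
        }
        finally { store.Close(); }
        return Tuple.Create(count, bytes);
    }

    // Writes SendTrustedIssuerList=0 and returns the value read back. The
    // service (or machine) has to be restarted before Schannel picks it up.
    public static int DisableSendTrustedIssuerList()
    {
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(SchannelKey))
        {
            key.SetValue("SendTrustedIssuerList", 0, RegistryValueKind.DWord);
            return (int)key.GetValue("SendTrustedIssuerList");
        }
    }

    static void Main(string[] args)
    {
        var m = MeasureRootStore();
        Console.WriteLine("Root store: {0} certificates, {1} bytes of issuer names", m.Item1, m.Item2);
        if (args.Length > 0 && args[0] == "--apply")   // only change the registry when asked
            Console.WriteLine("SendTrustedIssuerList = {0}", DisableSendTrustedIssuerList());
    }
}
```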

HTTP client, SSL and CRL check

Posted on Tuesday, November 26, 2013 by Nicki de Wet

We recently experienced a severe spike in latency in one of our applications that uses HttpWebRequest to connect to a remote service over SSL under high load. After looking at it from a lot of angles, the thought of the certificate verification being blocked seemed like a possible cause, especially since the application is hosted in a locked-down DMZ and only the necessary minimum access was granted to access the service URL. Once we granted access to be able to perform the OCSP and/or CRL checks, transactions started flowing immediately. I found this article at the time explaining the whole process. I also think a contributing factor was that only two active HTTP requests are allowed to a destination at once by default according to RFC 2616; my guess is that the CryptoAPI would adhere to this same limit, so all OCSP/CRL requests queued until the active ones timed out.
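An added diagnostic (example code, not from the post) for the situation described above: it pulls the CRL and OCSP URLs out of a server certificate, which is the allow-list a locked-down DMZ host needs, and times chain building with and without online revocation so a blocked revocation check shows up as the gap between the two numbers. The service URL is a placeholder to be passed on the command line.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

// Added example, not from the post: lists the CRL/OCSP URLs a locked-down host
// must reach, and times chain building with and without online revocation.
static class RevocationCheck
{
    static readonly Regex UrlRx = new Regex(@"https?://[^\s,]+", RegexOptions.IgnoreCase);

    // URLs from CRL Distribution Points (2.5.29.31) and Authority Information
    // Access (1.3.6.1.5.5.7.1.1); Format() is CryptoAPI's text rendering, so
    // a regex over it is the simplest way to pull the addresses out.
    public static List<string> RevocationUrls(X509Certificate2 cert)
    {
        var urls = new List<string>();
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid.Value != "2.5.29.31" && ext.Oid.Value != "1.3.6.1.5.5.7.1.1") continue;
            foreach (Match m in UrlRx.Matches(ext.Format(true)))
                if (!urls.Contains(m.Value)) urls.Add(m.Value);
        }
        return urls;
    }

    // Milliseconds spent in chain.Build() under the given revocation mode.
    public static long ChainBuildMs(X509Certificate2 cert, X509RevocationMode mode)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(20); // bound each CRL/OCSP fetch
        var sw = Stopwatch.StartNew();
        chain.Build(cert);
        return sw.ElapsedMilliseconds;
    }

    static void Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "https://service.example/"; // placeholder host
        var req = (HttpWebRequest)WebRequest.Create(url);
        req.GetResponse().Close();                                  // TLS handshake happens here
        var cert = new X509Certificate2(req.ServicePoint.Certificate);
        foreach (string u in RevocationUrls(cert)) Console.WriteLine("allow outbound: " + u);
        Console.WriteLine("chain build: online {0} ms, no revocation check {1} ms",
            ChainBuildMs(cert, X509RevocationMode.Online), ChainBuildMs(cert, X509RevocationMode.NoCheck));
    }
}
```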

HTTP concurrent connections

Posted on by Nicki de Wet

Our application exposes a webservice interface to clients, and connects to other providers for performing transactions. Whilst doing load testing, I noticed that the client connecting to an upstream provider using HttpWebRequest was not opening more than 2 concurrent connections at any time, causing latency to go through the roof and tps not scaling once the number of simultaneous requests to the webservices went over 5. Googling a bit yielded this link: http://social.msdn.microsoft.com/Forums/en-US/1f863f20-09f9-49a5-8eee-17a89b591007/asynchronous-httpwebrequest-maximum-connections-best-approach-threads-or-delegates?forum=netfxnetcom.

Googling a little bit more I found details about the connectionManagement config section. After adding a section to the application's config file it now scales as expected, with more simultaneous connections increasing the tps as expected.
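The post does not reproduce the config section it added; the fragment below and its code equivalent are an added example, not the author's configuration. The upstream host name is hypothetical.

```csharp
using System;
using System.Net;

// Added example, not from the post. The equivalent <system.net> fragment for
// app.config / web.config is:
//
//   <system.net>
//     <connectionManagement>
//       <add address="https://upstream.example" maxconnection="20" />  <!-- hypothetical host -->
//       <add address="*" maxconnection="10" />
//     </connectionManagement>
//   </system.net>
//
// The same limits can be set from code, which is convenient in a load test
// harness. Outside ASP.NET the default is 2 connections per host; under
// ASP.NET, processModel autoConfig raises it to 12 per CPU core.
static class ConnectionLimits
{
    // Sets the process-wide default and a per-host override, and returns the
    // limit the ServicePoint for that host will actually enforce.
    public static int Apply(Uri upstream, int perHost, int everywhereElse)
    {
        ServicePointManager.DefaultConnectionLimit = everywhereElse;
        ServicePoint sp = ServicePointManager.FindServicePoint(upstream);
        sp.ConnectionLimit = perHost;          // overrides the default for this host only
        return sp.ConnectionLimit;
    }

    static void Main()
    {
        var upstream = new Uri("https://upstream.example/");   // hypothetical provider
        Console.WriteLine("limit for {0}: {1}", upstream.Host, Apply(upstream, 20, 10));
    }
}
```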

Creating an eventlog source from the command line

Posted on Wednesday, October 30, 2013 by Nicki de Wet

We've all at some stage had to create an eventlog source for an ASP.Net application, as by default it does not have the privileges to create it on the fly. I found this nifty PowerShell command that does this without having to write a console app.

New-EventLog -LogName Application -Source MyApp

Source: http://stackoverflow.com/questions/446691/how-to-create-windows-eventlog-source-from-command-line

Find out which services are hosted by a running instance of svchost.exe

Posted on Wednesday, October 9, 2013 by Nicki de Wet

For some reason a svchost.exe process on one of our servers started using 23% of CPU. The process name just said svchost.exe, so what exactly was it hosting?

I found this neat command to give you the info:

tasklist /svc /fi "imagename eq svchost.exe"

Source: http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchostexe-process/

TargetProcess exceptions in System Log because of MSMQ errors

Posted on Friday, August 16, 2013 by Nicki de Wet

I recently started seeing some errors in the TargetProcess System log. Below is one example.

at Tp.Web.Global.ConfigureBusAndStructureMap() in c:\.jenkins\workspace\BuildPackage\Code\Main\Tp.App_Code\Global.asax.cs:line 209
at NServiceBus.Unicast.UnicastBus.NServiceBus.IStartableBus.Start() in c:\Projects\TargetProcess\trunk\Code\Libs\NServiceBus\src\src\unicast\NServiceBus.Unicast\UnicastBus.cs:line 738
at NServiceBus.Unicast.UnicastBus.NServiceBus.IStartableBus.Start(Action startupAction) in c:\Projects\TargetProcess\trunk\Code\Libs\NServiceBus\src\src\unicast\NServiceBus.Unicast\UnicastBus.cs:line 791
at NServiceBus.Unicast.UnicastBus.InitializeSelf() in c:\Projects\TargetProcess\trunk\Code\Libs\NServiceBus\src\src\unicast\NServiceBus.Unicast\UnicastBus.cs:line 810
at Tp.Integration.Messages.ServiceBus.Transport.UiPriority.MsmqUiPriorityTransport.ReceiveMessageLater(TransportMessage m) in c:\.jenkins\workspace\BuildPackage\Code\Main\Tp.Integration.Messages\ServiceBus\Transport\UiPriority\MsmqUiPriorityTransport.cs:line 310
at Tp.Integration.Messages.ServiceBus.Transport.UiPriority.MsmqUiPriorityTransport.Send(TransportMessage m, String destination) in c:\.jenkins\workspace\BuildPackage\Code\Main\Tp.Integration.Messages\ServiceBus\Transport\UiPriority\MsmqUiPriorityTransport.cs:line 384
at System.Messaging.MessageQueue.Send(Object obj, MessageQueueTransactionType transactionType)
at System.Messaging.MessageQueue.SendInternal(Object obj, MessageQueueTransaction internalTransaction, MessageQueueTransactionType transactionType)
System.Messaging.MessageQueueException (0x80004005): Insufficient resources to perform operation.
GET http://localhost/targetprocess2/
2013-08-14 11:14:48,103 [3] ERROR Tp.Web.Global - Failed to configure TP to work with MSMQ because of the reason.

After investigating the cause I found that there were a lot of messages in some TargetProcess queues. To see the queues open Computer Management, expand Services and Applications, expand Message Queuing and click on Private Queues. You'll see a lot of queue names starting with "tp.". In my case queues for bugzilla integration and subversion integration had lots of messages in them and they reached their quota. To purge the queue(s), expand Private Queues, expand the queue you want to purge, right-click on Queue Messages, hover over All Tasks and click Purge. Click Yes if you want to purge the queues.

After purging all the queues with lots of messages I had to recycle the worker process that hosts Target Process, and the error was not logged in the System Log anymore.
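The Computer Management steps above, as an added C# example (not code from the post or from TargetProcess): it lists the private "tp." queues whose backlog is growing, together with their quota, so the condition is caught before MSMQ starts answering "Insufficient resources", and purges a queue only when explicitly asked. The prefix and threshold are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Messaging;

// Added example, not from the post. Reports private "tp." queues that are
// piling up and, only with --purge, does what the post's Computer Management
// steps do. Prefix and threshold are assumptions; adjust for your install.
static class TpQueueBacklog
{
    // (queue path, message count, quota in KB) for every private queue whose
    // name starts with prefix and holds at least minMessages messages.
    public static List<Tuple<string, int, long>> Find(string prefix, int minMessages)
    {
        var result = new List<Tuple<string, int, long>>();
        foreach (MessageQueue q in MessageQueue.GetPrivateQueuesByMachine("."))
        {
            if (!q.QueueName.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) continue;
            int count = CountMessages(q);
            if (count >= minMessages)
                result.Add(Tuple.Create(q.Path, count, q.MaximumQueueSize));
        }
        return result;
    }

    // Peeks through the queue with a cursor instead of GetAllMessages(),
    // which would load every message body into memory.
    static int CountMessages(MessageQueue q)
    {
        int n = 0;
        using (MessageEnumerator e = q.GetMessageEnumerator2())
            while (e.MoveNext()) n++;
        return n;
    }

    public static void Purge(string path, bool apply)
    {
        if (!apply) { Console.WriteLine("would purge " + path); return; }
        using (var q = new MessageQueue(path)) q.Purge();
    }

    static void Main(string[] args)
    {
        bool apply = args.Length > 0 && args[0] == "--purge";
        foreach (var t in Find("private$\\tp.", 1000))   // QueueName carries the private$\ prefix
        {
            Console.WriteLine("{0}: {1} messages, quota {2} KB", t.Item1, t.Item2, t.Item3);
            Purge(t.Item1, apply);
        }
    }
}
```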

C# - How to access a generic typed property

Posted on Thursday, August 15, 2013 by Nicki de Wet

My challenge for today was to get the value of generic typed properties from a generic type. Here is the code that worked.

pendingRequest is a generic-typed instance of RequestResponseAsyncResult where the Request and Response properties are generic.

First we have to get the generic type definition:

Type requestType = pendingRequest.GetType().GetGenericTypeDefinition();

Next we get the generic type arguments:

Type[] typeArgs = requestType.GetGenericArguments();

Then we create a generic base type from our generic type:

Type genericType = typeof(RequestResponseAsyncResult<,>);

The next step is to create a generic type according to the type arguments:

Type constructed = genericType.MakeGenericType(typeArgs);
// constructed is not used below: pendingRequest.GetType() is already the closed type

Now we are able to get the property information:

PropertyInfo pireq = pendingRequest.GetType().GetProperty("Request");
PropertyInfo piresp = pendingRequest.GetType().GetProperty("Response");

Finally we can get our properties using reflection:

object request = pireq.GetValue(pendingRequest, null);
object response = piresp.GetValue(pendingRequest, null);
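The same steps as a complete, runnable program (an added example, not the post's code). RequestResponseAsyncResult<,> is a stand-in definition, since the post only names the type. It goes one step beyond the post: the reader checks that an arbitrary object really is an instance of the expected generic definition before touching Request and Response, and it takes the type arguments from the runtime type, where they are the concrete types, rather than from the generic definition, where GetGenericArguments() yields only the placeholders TRequest and TResponse.

```csharp
using System;
using System.Reflection;

// Stand-in for the type the post names; its real definition is not on the page.
class RequestResponseAsyncResult<TRequest, TResponse>
{
    public TRequest Request { get; set; }
    public TResponse Response { get; set; }
}

// Added example, not from the post.
static class GenericPropertyReader
{
    // Returns (request, response, closed type), or throws if obj is not an
    // instance of RequestResponseAsyncResult<,> with any type arguments.
    public static Tuple<object, object, Type> ReadRequestResponse(object obj)
    {
        Type t = obj.GetType();
        if (!t.IsGenericType || t.GetGenericTypeDefinition() != typeof(RequestResponseAsyncResult<,>))
            throw new ArgumentException("not a RequestResponseAsyncResult<,>: " + t);

        // On the runtime type these are the concrete arguments, e.g. [String, Int32];
        // on the generic definition they would be the placeholders TRequest, TResponse.
        Type[] typeArgs = t.GetGenericArguments();
        Type closed = typeof(RequestResponseAsyncResult<,>).MakeGenericType(typeArgs);
        // closed == t here; building it is how you reach the type when you only
        // hold the definition and the arguments, not an instance.
        PropertyInfo pireq = closed.GetProperty("Request");
        PropertyInfo piresp = closed.GetProperty("Response");
        return Tuple.Create(pireq.GetValue(obj, null), piresp.GetValue(obj, null), closed);
    }

    static void Main()
    {
        // Constructed sample instance, held as object as the post's pendingRequest is.
        object pendingRequest = new RequestResponseAsyncResult<string, int> { Request = "ping", Response = 42 };
        var r = ReadRequestResponse(pendingRequest);
        Console.WriteLine("{0}: Request={1}, Response={2}", r.Item3.Name, r.Item1, r.Item2);
    }
}
```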