officecfg/registry/schema/org/openoffice/Office/Security.xcs | 11 +++++ xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx | 20 +++++++++- 2 files changed, 30 insertions(+), 1 deletion(-)
New commits: commit 514299d0ef6d9a34a4379d5182ef90d57d8cc770 Author: Tibor Nagy <[email protected]> AuthorDate: Sun Jan 18 00:01:56 2026 +0100 Commit: Nagy Tibor <[email protected]> CommitDate: Tue Jan 20 11:44:13 2026 +0100 xmlsecurity: avoid long blocking delays caused by CRL timeouts Windows performs certificate revocation checks (CRL) during signature verification. When the revocation endpoints listed in a certificate are unreachable or respond slowly, the revocation checking logic issues blocking network requests and waits for connection timeouts, which can introduce multi‑second delays for each certificate in the chain. Add a configuration option to disable CRL checking. The signature is still validated against the certificate itself, preserving security while improving performance in restricted environments. Change-Id: I83e76556b8bd37d6b0b2fda4bb676ebd10580b38 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/197516 Reviewed-by: Nagy Tibor <[email protected]> Tested-by: Jenkins
diff --git a/officecfg/registry/schema/org/openoffice/Office/Security.xcs b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
index de72566c0dfa..434e080a9072 100644
--- a/officecfg/registry/schema/org/openoffice/Office/Security.xcs
+++ b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
@@ -32,6 +32,17 @@
 </info>
 </prop>
 </group>
+ <group oor:name="Certificate">
+ <info>
+ <desc>Specifies security settings related to certificates.</desc>
+ </info>
+ <prop oor:name="DisableCertificateRevocationCheck" oor:type="xs:boolean" oor:nillable="false">
+ <info>
+ <desc>Disable certificate revocation checks.</desc>
+ </info>
+ <value>false</value>
+ </prop>
+ </group>
 <group oor:name="HiddenContent">
 <info>
 <desc>Specifies whether to remove the hidden content when sending the document attached to an email</desc>
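Review bot: The `<desc>` of DisableCertificateRevocationCheck says what the option does but not what it costs: once it is set, a certificate that its issuer has revoked still verifies as valid, which is the one fact an administrator needs before enabling it. I would expand it to `<desc>Disables certificate revocation checking during signature verification. A certificate revoked by its issuer is then still reported as valid; enable only where the revocation endpoints listed in certificates are unreachable.</desc>`. As far as this commit shows, only the mscrypt (Windows) backend reads the value, so the description should also say that the setting currently has no effect on other platforms.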
diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
index 8f5b46ad09ce..e8c3c8cac57f 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
@@ -51,6 +51,7 @@
 #include <osl/process.h>
 #include <o3tl/char16_t2wchar_t.hxx>
 #include <svl/cryptosign.hxx>
+#include <officecfg/Office/Security.hxx>
 
 using namespace ::com::sun::star;
 using namespace ::com::sun::star::lang ;
@@ -862,6 +863,23 @@ sal_Int32 SecurityEnvironment_MSCryptImpl::verifyCertificate(
 }
 
 
+ // Optionally disable certificate revocation checking.
+ // Revocation checking (CRL) can cause significant delays during signature verification.
+ // They typically occur when the revocation endpoints listed in the certificate are
+ // unreachable, misconfigured, or slow to respond.
+ // In such cases, blocking network calls wait for TCP connection attempts to time out,
+ // which may take several seconds per certificate in the chain.
+ // Disabling revocation checking avoids these network timeouts and allows verification
+ // to complete without waiting for external revocation services.
+ DWORD revocationFlag = 0;
+ bool bDisableCRLCheck = officecfg::Office::Security::Certificate::DisableCertificateRevocationCheck::get();
+ if (!bDisableCRLCheck)
+ {
+ revocationFlag =
+ CERT_CHAIN_REVOCATION_CHECK_CHAIN |
+ CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
+ }
+
 //CertGetCertificateChain searches by default in MY, CA, ROOT and TRUST
 //We do not check revocation of the root. In most cases there are none.
 //Then we would get CERT_TRUST_REVOCATION_STATUS_UNKNOWN
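Review bot: When bDisableCRLCheck is true the chain is built with revocationFlag left at 0 and nothing in the hunk records that the revocation check was skipped, so a signature accepted under this setting is indistinguishable, in the log and in the validity value verifyCertificate returns, from one whose chain was fully checked; verifyCertificate starts before the hunk and the chain-status evaluation follows after it. I would at least emit a warning on the disabled path, `SAL_WARN("xmlsecurity.xmlsec", "Certificate revocation checking disabled by Office.Security.Certificate.DisableCertificateRevocationCheck");`, so an audit of a verified document can see the check was not performed. A less drastic option worth considering is CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, which still consults revocation data Windows has already cached without issuing network requests, or bounding the delay through chainPara's dwUrlRetrievalTimeout, rather than dropping the check entirely. The eight-line comment restates the commit message's motivation; it should instead state the trade-off in one or two lines, e.g. `// Revocation checks can block on unreachable CRL endpoints; when disabled via configuration, revoked certificates are no longer detected.`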
@@ -872,7 +890,7 @@ sal_Int32 SecurityEnvironment_MSCryptImpl::verifyCertificate(
 nullptr , //use current system time
 hCollectionStore,
 &chainPara ,
- CERT_CHAIN_REVOCATION_CHECK_CHAIN | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
+ revocationFlag,
 nullptr ,
 &pChainContext);
