There is a learning curve to using the openssl tools, although it's worthwhile if you wrestle with SSL often. s_client does attempt to validate certs unless told not to. To wire up validation you'll need to save the other certs in the chain as per here <http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/> and <http://monkey.org/openbsd/archive/tech/0308/msg00125.html>.
I'll try to do some checking to see if the Windows CAPI can be told to generate a non-overwhelming amount of cert validation info. In perspective, Michael Smith's suggestion to start with Fiddler / Netmon / Wireshark is probably a more sensible place to begin if PKCS, PEM and DER are unfamiliar acronyms. --Steve On Mon, Oct 31, 2011 at 12:42 PM, Mayo, Bill <[email protected]> wrote: > Thanks for the response. I was not familiar with OpenSSL, but I have gotten > that installed and am trying to do as you suggest. I was able to connect to > the server using "openssl s_client -connect server.name:443" and see that it > connected very quickly. Beyond that, I am having trouble figuring out the > proper command(s) to do the validation on/off as you said. I see a "verify" > option, but that looks like something that has to be run against an exported > certificate, correct? > > Bill > > -----Original Message----- > From: Steve Kradel [mailto:[email protected]] > Sent: Monday, October 31, 2011 11:42 AM > To: NT System Admin Issues > Subject: Re: Speed up internal SSL? > > Five seconds is far too long for a (correctly configured) SSL negotiation and > you are probably on-track to suspect slow processing of the CRL or OCSP bits > of the certificate. > > I'd suggest testing it out with "openssl s_client", with certificate > validation on and off. Also it would be helpful if you posted the > X.509 cert details. > > --Steve > > On Mon, Oct 31, 2011 at 11:25 AM, Mayo, Bill <[email protected]> wrote: >> I am not much of an IIS guy (know enough to get by), and I have a >> request from one of our developers to investigate why SSL is slow. >> What I can confirm is that the initial connection to SSL takes several >> seconds (5 or more), but after that it is fine. My research on the >> topic suggests that it is normal for the initial connection to be >> relatively slow, but it seems like it shouldn't take as long as it >> does. The one thing I ran across that I am not clear whether may be >> at issue is the certificate revocation checks. The connections in >> question are certificates that are for internal web access and are >> signed by our internal certification authority (domain controller). >> Is there something I can do in regards to certificate revocation checks to >> speed the process up? Any other suggestions? >> >> >> >> ~~~~~~~~~~ >> >> Bill Mayo ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
