[rabbitmq-discuss] Request Handshake Timeout Increase
Matthias Radestock
matthias at rabbitmq.com
Tue May 8 19:07:59 BST 2012
James,
On 08/05/12 15:42, james.poole at rsa.com wrote:
> It turns out that Microsoft has a default policy that tries to connect
> to Windows Update on the internet to validate Certificate Authorities.
> If the client machine is not connected to the internet (our likely
> customer deployment scenario and our development environment), then this
> can cause a 15-second delay when validating certificates. Since the
> RabbitMQ handshake timeout is 10 seconds, this fails and closes the
> connection. This was only seen from the .NET client, and not the Java
> client.
>
> I verified that disabling the local machine policy (directions here
> http://technet.microsoft.com/en-us/library/cc749331%28v=ws.10%29.aspx)
> allowed the SSL connection to immediately succeed.
From the description of that policy it sounds like disabling would
cause connections to fail:

<quote>
If the user is presented with a certificate issued by a root
certification authority that is not directly trusted, and the Update
Root Certificates feature is turned off through Group Policy, the user
can be prevented from completing the action that required authentication.
</quote>

Though this may depend on the policy settings of the app. Have you
looked at http://www.rabbitmq.com/ssl.html#trust-dotNET?

Also, the policy appears to only come into play when hitherto unknown
root certificates are encountered. So it should be possible to avoid
that situation by getting a server certificate with a root CA that
Windows trusts by default.

Matthias.