[rabbitmq-discuss] Request Handshake Timeout Increase

Matthias Radestock matthias at rabbitmq.com
Tue May 8 19:07:59 BST 2012


James,

On 08/05/12 15:42, james.poole at rsa.com wrote:
> It turns out that Microsoft has a default policy that tries to connect
> to Windows Update on the internet to validate Certificate Authorities.
> If the client machine is not connected to the internet (our likely
> customer deployment scenario and our development environment), then this
> can cause a 15 second delay when validating certificates. Since the
> RabbitMQ handshake timeout is 10 seconds, then this fails and closes the
> connection. This was only seen from the .NET client, and not the Java
> client.
>
> I verified that disabling the local machine policy (directions here
> http://technet.microsoft.com/en-us/library/cc749331%28v=ws.10%29.aspx)
> allowed the SSL connection to immediately succeed.

From the description of that policy it sounds like disabling would 
cause connections to fail:
<quote>
If the user is presented with a certificate issued by a root 
certification authority that is not directly trusted, and the Update 
Root Certificates feature is turned off through Group Policy, the user 
can be prevented from completing the action that required authentication.
</quote>

Though this may depend on the policy settings of the app. Have you 
looked at http://www.rabbitmq.com/ssl.html#trust-dotNET?

Also, the policy appears to only come into play when hitherto unknown 
root certificates are encountered. So it should be possible to avoid 
that situation by getting a server certificate with a root CA that 
Windows trusts by default.


Matthias.
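
A diagnostic for the situation discussed in this thread, added here as an example and not part of the original message or of the RabbitMQ project: it times Windows certificate chain building for the broker's server certificate on the client machine, compares that against the 10 second handshake timeout quoted above, and reports whether the certificate at the top of the chain is already in the local root stores. The script parameters and the certificate path are assumptions; export the broker's server certificate to a file first.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical path to the
# broker's server certificate exported to a file (.cer or .pem).
param(
    [Parameter(Mandatory = $true)][string]$CertPath,
    [int]$HandshakeTimeoutSeconds = 10   # handshake timeout quoted in the thread
)

$x509  = 'System.Security.Cryptography.X509Certificates'
$cert  = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath
$chain = New-Object "$x509.X509Chain"

# Leave revocation fetching out so that only chain building is timed.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$timer = [System.Diagnostics.Stopwatch]::StartNew()
$valid = $chain.Build($cert)
$timer.Stop()

# The last chain element is the highest certificate Windows could reach.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Look for that certificate in the machine and user root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'
$foundIn = @($stores | Where-Object { Test-Path -Path (Join-Path $_ $top.Thumbprint) })

$seconds = $timer.Elapsed.TotalSeconds
[pscustomobject]@{
    ChainValid              = $valid
    BuildSeconds            = [math]::Round($seconds, 2)
    ExceedsHandshakeTimeout = ($seconds -ge $HandshakeTimeoutSeconds)
    TopOfChainSubject       = $top.Subject
    TopIsSelfSigned         = ($top.Subject -eq $top.Issuer)
    TopFoundInStores        = ($foundIn -join ', ')
    ChainStatus             = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}
```

Run it on a client machine without internet access: a build time at or above the handshake timeout together with an empty TopFoundInStores matches the delay described in the thread, while a root already present in the local stores should build without that wait.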

