OwinHttpRequestContext.ClientCertificate stuck for long time

Apr 22, 2015 at 5:56 AM
Edited Apr 22, 2015 at 5:58 AM
We're building an https service and we're using client certificates to authenticate clients. Usually the service call completes within 1-2 seconds, but we notice that sometimes the call may take up to 45+ seconds to complete. By logging, we can see that the execution of the method "OwinHttpRequestContext.ClientCertificate" was causing the issue; it takes around 45 seconds to complete. This doesn't happen for every call, but if it happens, it's always around 45 seconds.

I feel like there is some concurrency issue with this method, as the environment Dictionary object in the OwinContext may be shared by multiple threads. But I don't know how. Anyone seeing a similar issue?
Coordinator
Apr 22, 2015 at 1:19 PM
Firstly, none of the request data-structures are designed to be accessed concurrently from multiple threads. If you're doing that you need to supply your own locking. However, that's probably unrelated to your issue.

You're using this with HttpListener, correct? The client certificate is not available by default on the initial request; accessing the ClientCertificate property causes the SSL connection to be dynamically re-negotiated to request a cert from the client. On slow connections this may take some time. If your site always requires a client certificate, you can reconfigure HttpListener to pre-negotiate the cert. You do this with netsh.exe, under http, add sslcert, clientcertnegotiation=enabled.
Apr 22, 2015 at 10:26 PM
Thanks very much for the information.

Is there a way to configure the clientcertnegotiation programmatically? Using netsh.exe sounds like a host-level change.

By the way, where does the "re-negotiation" happen? Is it inside Owin or in the TCP protocol?
Coordinator
Apr 22, 2015 at 10:31 PM
How did you enable SSL in the first place? You had to register an IP and port with a server cert. clientcertnegotiation is just an option on that configuration. There's no other way to enable it.

The re-negotiation takes place at the SSL protocol layer (TCP \ SSL \ HTTP \ OWIN).
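The two Coordinator replies above describe the fix (re-registering the HTTP.sys SSL binding with client-certificate negotiation switched on) but do not show the commands. The script below is an added example, not code from the thread or from the Katana project; it re-registers a binding the way netsh.exe does it and verifies the result. It assumes an elevated PowerShell session and uses placeholders for the IP:port, server certificate thumbprint and application id; in netsh's own syntax the option takes the values `enable` or `disable`. Because HTTP.sys has no "update" verb for sslcert, the existing binding is deleted and added again with the extra option. Running this from a deployment or installer step is the usual way to make the host-level change repeatable.

```powershell
# Added example (not from the thread): re-register an HTTP.sys SSL binding with
# client-certificate negotiation turned on, so the TLS handshake asks for the
# client cert when the connection is set up instead of renegotiating at the
# moment the application reads ClientCertificate. Run elevated.
# The binding, thumbprint and application id below are placeholders.

$ipport   = '0.0.0.0:443'                                    # placeholder: your listener binding
$certhash = '0000000000000000000000000000000000000000'        # placeholder: server cert thumbprint (40 hex chars, no spaces)
$appid    = '{00000000-0000-0000-0000-000000000000}'          # placeholder: GUID identifying the owning application

# 1. Inspect the current binding; record its certhash/appid if you did not keep them.
netsh http show sslcert ipport=$ipport

# 2. Remove the old binding and add it back with clientcertnegotiation=enable.
#    netsh accepts enable|disable for this option.
netsh http delete sslcert ipport=$ipport
netsh http add sslcert ipport=$ipport certhash=$certhash appid=$appid clientcertnegotiation=enable

# 3. Verify: 'netsh http show sslcert' lists a "Negotiate Client Certificate" line,
#    which should now read "Enabled".
$binding = netsh http show sslcert ipport=$ipport
if ($binding -match 'Negotiate Client Certificate\s*:\s*Enabled') {
    Write-Host "Client certificate is negotiated during the TLS handshake for $ipport"
} else {
    Write-Warning "Binding for $ipport still has client certificate negotiation disabled"
}
```

With the option enabled, the certificate request moves into the initial TLS handshake, so the delay the original poster measured inside `OwinHttpRequestContext.ClientCertificate` no longer sits in the request path; clients that cannot present a certificate should be tested against the new binding before the change is rolled out, since they are now challenged at connection time rather than when the application asks.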