Jump to content

SSL filtering - cert checking order


Recommended Posts


We have a test local CA used for internal resouces (both in local network and datacenter network (real IPs) connected to our local network via VPN). Been testing several websites (both in LAN and in datacenter) with the certificate from local CA while it's added to Trusted Root CAs on local machine:

1) Windows client with latest EES installed and SSL filtering enabled in automatic mode - takes really long time to open the webpage first time. Then it works just fine for some time (like couple of hours),  after that - it's slow like hell again and goes to new cycle.

2) Windows client without EES installed - everything works just fine, no slow downs.

This type of behaviour looks like EES tries to verify the certificate via CAs in outside world and only after all attempts fail it looks in local machine Trusted Root CAs. And it "forgets" all that in couple of hours...

What's the order for checking Trusted Roots in SSL filtering functionality? What can be done to get rid of those delays?

Thanks in advance!


Link to comment
Share on other sites

  • ESET Staff

We are already investigating an issue with the same symptoms, so it might be the same issue in fact.

Does the certificate used on the server have CRL Distribution Point X509 extension?
If so, is the URL in there accessible on the affected local machine?

The certificate is verified using the functionality OS provides. As a part of that process, the URL mentioned above is accessed.

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...