Slow response times due to SSL Cert Revocation check

I recently ran into an issue where connections to a test website were taking an incredibly long time to connect, but would eventually display the page. It was odd that it would wait close to 3 minutes, but not time out.

After looking through all of the systems within our realm for a smoking gun, we had to draw up some diagrams of what happens to the request from the point it leaves the user’s browser until the response is returned.

The request goes from browser… F5… Firewall… wait, what? Firewall?!? Oh Eff! We don’t have a firewall for this exercise! At this point it became obvious that it had to do with something between the SSL Certs and the Firewall.

We got one of the Windows server guys on the horn, and he was able to pretty quickly narrow it down to being an SSL check of the Revocation Tables (RT) that is performed via the Firewall in order to see if an SSL Cert has been revoked. The oddest part about this was that since the Firewall was not found, the default behavior was to let the request through. I’m not on the SSL up-and-up, so maybe there is a good reason for this logic, but on the surface, it seems very suspect.

[Screenshot: 2014-04-15_SSL_Cert_revocation]

Our Windows guy was able to provide us with an IE browser setting that prevented the Revocation Table check from occurring, and once set, everyone had good response times from the site.

The way to disable RT checks in IE: Tools > Internet Options > Advanced > Security section > uncheck “Check for Publisher’s cert revocation” & “Check for server cert revocation”
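Before flipping that checkbox, it is worth proving the diagnosis. The "Revocation Table" check the post describes is the browser fetching the certificate's CRL (Certificate Revocation List) or asking its OCSP responder, and the 3‑minute stall is the client waiting on a fetch that nothing answers. The script below is an added example, not code from the original post: it pulls the server certificate off a TLS handshake, lists the CRL/OCSP URLs embedded in it, times each one with a short timeout, then times a full Windows chain build with revocation checking on versus off, and finally reads the per-user registry value that this author believes backs the "Check for server certificate revocation" box in IE. The host name, port and registry path are assumptions for illustration; substitute the slow test site.

```powershell
# Added diagnostic example (not from the original post). Run on the client that sees the slow page load.
param(
    [string]$HostName = 'test.example.internal',   # placeholder: the slow test site
    [int]$Port = 443
)

# 1. Pull the server certificate straight off a TLS handshake. The callback accepts any
#    certificate because we only want to read it, not trust it.
$accept = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($HostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
"Server cert: $($cert.Subject)  (expires $($cert.NotAfter))"

# 2. List where a client must go to check revocation: CRL Distribution Points (OID 2.5.29.31)
#    and OCSP responders in Authority Information Access (OID 1.3.6.1.5.5.7.1.1).
$revocationUrls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) { [regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object { $_.Value } }
}
"Revocation URLs in the leaf cert:"
$revocationUrls | ForEach-Object { "  $_" }

# 3. Time each URL with a 5 s timeout. A slow FAIL here (not a fast HTTP error, which an OCSP
#    responder may return to a plain GET) is the silently dropped traffic the post describes.
foreach ($url in $revocationUrls) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5
        "  OK   {0,6} ms  {1}  ({2} bytes)" -f $sw.ElapsedMilliseconds, $url, $r.RawContentLength
    } catch {
        "  FAIL {0,6} ms  {1}  {2}" -f $sw.ElapsedMilliseconds, $url, $_.Exception.Message
    }
}

# 4. Build the chain the way Windows (and therefore IE) does, with revocation off and on,
#    and compare wall-clock time and chain status.
function Measure-ChainBuild {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Mode)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode            # NoCheck | Online | Offline
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $valid = $chain.Build($Cert)
    $sw.Stop()
    [pscustomobject]@{
        Mode   = $Mode
        Valid  = $valid
        Millis = $sw.ElapsedMilliseconds
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
Measure-ChainBuild -Cert $cert -Mode 'NoCheck'
Measure-ChainBuild -Cert $cert -Mode 'Online'

# 5. Per-user IE setting. To this author's knowledge the "Check for server certificate revocation"
#    box maps to this DWORD: 1 = checked (default), 0 = unchecked. Read it; do not change it blindly.
$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $regPath -Name CertificateRevocation -ErrorAction SilentlyContinue
"IE server-cert revocation check: " + $(if ($ie.CertificateRevocation -eq 0) { 'disabled' } else { 'enabled' })
# The post's workaround, as a one-liner (trade-off: a revoked cert will then be accepted):
# Set-ItemProperty -Path $regPath -Name CertificateRevocation -Value 0
```

If the `Online` build takes many seconds longer than `NoCheck` and its status reads `RevocationStatusUnknown,OfflineRevocation`, the revocation endpoints are unreachable from that client and you have the same symptom as the post. Unchecking the IE boxes makes the pages fast because the fetch is skipped entirely; the cost is that a certificate the CA has actually revoked will be accepted. The fix that keeps the check is to let the client reach the CRL/OCSP URLs listed in step 2 (or, on an isolated test network, to issue the test certificates from an internal CA whose CRL the clients can fetch), and to restore the checkbox afterwards.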