Applies to: Subversion 1.12 and older client versions
Symptoms
When connecting to VisualSVN Server over HTTPS with the Subversion client, a user may notice an initial response delay that can look like a performance problem. The delay is usually about 10 to 30 seconds, but in some cases it may exceed 30 seconds.
Cause
When Subversion clients try to access the repository over HTTPS, Windows tries to update the Certificate Trust List (CTL) from the Windows Update site (http://ctldl.windowsupdate.com/).
If the client computer is not connected to the Internet or if a firewall blocks the Windows Update site, the operation silently fails with a timeout. This timeout is the delay that occurs on the client computer when a user attempts to access VisualSVN Server repositories.
You can check the CAPI2 log on the client computer to see whether the CTL update is the cause. Follow these steps to view the log:
- Open the Event Viewer.
- In the console tree, click Applications and Services Logs, then click Microsoft.
- Right-click the repository and click Properties.
- Click Windows.
- Click CAPI2.
In the CAPI2 log you can see an error message that contains the following fields:

| Field | Value |
| --- | --- |
| Log Name | Microsoft-Windows-CAPI2/Operational |
| Source | CAPI2 |
| Event ID | 20 |
| Level | Error |
| Task Category | Retrieve Third-Party Root Certificate from Network |
| Keywords | Automatic Root Update, Retrieval, Path Discovery |
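
The same check can be scripted. The following PowerShell is an added example, not part of the original article; it assumes an elevated session on the affected client, and the function name Test-CtlRetrieval, the 24-hour window and the port 80 probe are choices made for this example.

```powershell
# Added example, not from the original article. Run elevated on the affected client.
function Test-CtlRetrieval {
    param(
        [int]$Hours = 24,                               # look-back window (assumption)
        [string]$CtlHost = 'ctldl.windowsupdate.com'    # host named in the article
    )
    $logName = 'Microsoft-Windows-CAPI2/Operational'

    # The CAPI2 operational log is disabled by default, so an empty result
    # only means something if logging was on while the delay was reproduced.
    $log = Get-WinEvent -ListLog $logName

    # Event ID 20 at Error level (Level = 2), as in the table above.
    $filter = @{
        LogName   = $logName
        Id        = 20
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Heuristic: count the events whose XML mentions the CTL download host.
    $ctlEvents = @($events | Where-Object { $_.ToXml() -like "*$CtlHost*" })

    # Plain TCP check on port 80; a proxy in the path can still block the download.
    $reachable = Test-NetConnection -ComputerName $CtlHost -Port 80 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # Get-WinEvent returns newest events first, so the first one is the latest.
    [pscustomobject]@{
        LogEnabled        = $log.IsEnabled
        Event20Errors     = $events.Count
        MentioningCtlHost = $ctlEvents.Count
        LastEvent20       = ($events | Select-Object -First 1).TimeCreated
        CtlHostReachable  = $reachable
    }
}

Test-CtlRetrieval | Format-List
```

If LogEnabled is False, enable the log with wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true, reproduce the delay with the Subversion client, and run the function again.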
In general, the problem is not limited to VisualSVN Server and Subversion clients. It affects a wide range of software and system services. This article covers the particular issue that may occur when the client computer is operating in a network without access to the Certificate Trust List (CTL) from the Windows Update site (http://ctldl.windowsupdate.com/). Make sure to read the TechNet blog post that covers the topic in more detail: Support Tip: Why can’t I deploy this Digital Certificate Security Advisory with WSUS or Configuration Manager?
Resolution
To solve the issue with the lack of access to http://ctldl.windowsupdate.com/, administrators may use two different methods. Choose the method that is most suitable for your environment.
- Method #1:
  Enable computers to use the CTL update feature without accessing the Windows Update site. The instructions are provided in the Microsoft Support article An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows.
- Method #2:
  Disable network retrieval of the certificate updates on the client computer by modifying Group Policy in the Local Group Policy Editor. To do this, follow these steps:
  - Start the Local Group Policy Editor by entering gpedit at the command prompt.
  - Double-click Windows Settings under the Computer Configuration node.
  - Double-click Security Settings, and then double-click Public Key Policies.
  - In the details pane, double-click Certificate Path Validation Settings.
  - Click the Network Retrieval tab, select Define these policy settings, and then clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
  - Click OK.

Note: You should be an Administrator on your computer to edit local group policies.
See also
- KB134: Configuring SSL Certificates for VisualSVN Server
- KB195: Understanding TLS/SSL compatibility levels in VisualSVN Server