1

When I try to do any TortoiseSVN command, even show log etc., it takes a very LONG time for the pop-up to accept the SSL certificate to show up. I can make it work quite nicely/fast if I simply go into Internet Explorer connect options and enable the PROXY settings there. But I don't want to. I want to let only TortoiseSVN use the proxy, not all Windows apps. TortoiseSVN is already configured in Settings/Network for the correct proxy etc. and I even clicked the edit button and edited the Subversion text files as well.

Any idea why TortoiseSVN is so slow unless I also add the proxy settings into Internet Explorer (even though TortoiseSVN has them) and how to fix that?

htfree
  • Show the URL you are trying to access and test this with svn.exe command-line client. – bahrep Jul 20 '16 at 22:37
  • using svn.exe from commandline has the same exact problem. It is very SLOW if I do not include proxy inside Internet Explorer settings, even though it is in the appdata subversion file, can't post URL to server – htfree Jul 20 '16 at 23:26
  • Is it HTTPS or plain HTTP? What exactly do you mean by "slow"? Is there a delay or slow data transfer? Are you on a disconnected network? Do you have access to http://ctldl.windowsupdate.com/? – bahrep Jul 21 '16 at 08:59
  • https and it is slow giving the popup if to accept certificate or not. But it gets to that point FAST if I put proxy settings inside Internet Explorer options. So seems that svn/tortoisesvn doesn't switch to using "proxy" right away unless proxy is set inside internet explorer, otherwise I think it "tries" first without proxy until gives up and then tries proxy? (and ctldl.windowsupdate.com is not allowed through the proxy, it's blocked) – htfree Jul 21 '16 at 10:18

1 Answer

3

Such a problem should indicate that you are on a disconnected network or don't have access to the Windows Update site (http://ctldl.windowsupdate.com/). Windows tries to update its Certificate Trust List (CTL) from the Windows Update site and fails. That's why there is a delay and it seems that configuring system-wide proxy allows Windows to reach the Windows Update site.

Contact your admin and read https://blogs.technet.microsoft.com/configurationmgr/2015/05/19/support-tip-why-cant-i-deploy-this-digital-certificate-security-advisory-with-wsus-or-configuration-manager/

Check this page to learn how to disable CTL's network retrieval:

If you cannot avoid installing this update on disconnected systems, you can disable the network retrieval of the trusted and untrusted CTLs. To do this, you disable automatic root updates by using Group Policy settings. To disable automatic root updates by using policy settings, follow these steps:

  1. Create a Group Policy or change an existing Group Policy in the Local Group Policy Editor.
  2. In the Local Group Policy Editor, double-click Policies under the Computer Configuration node.
  3. Double-click Windows Settings, double-click Security Settings, and then double-click Public Key Policies.
  4. In the details pane, double-click Certificate Path Validation Settings.
  5. Click the Network Retrieval tab, select Define these policy settings, and then clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
  6. Click OK, and then close the Local Group Policy Editor.

After you make this change, automatic root updates are disabled on those systems to which the policy is applied. We recommend that the policy be applied only to those systems that do not have Internet access or that are prevented from accessing Windows Update because of firewall rules.

bahrep
  • Well not sure this explains it because I can repeat this with the same exact https url a million times in a row, I'll do "fast" normal working svn operations while having proxy set in "internet explorer" connection options and then after that when I disable it from there and leave it ONLY inside tortoiseSVN network proxy options and subversion file it is then very SLOW. I don't want my PC to try to talk to some Microsoft webserver every time I try to connect to an https url. So how do I solve this "without" allowing access to ctldl.windowsupdate.com if somehow that is indeed the problem? – htfree Jul 21 '16 at 10:23
  • Oh and I just checked and confirmed, the proxy does not let ctldl.windowsupdate.com through so why if that was the problem shouldn't it be "Slow" with both methods? since regardless if I set the proxy inside "Internet Explorer" or not, the Microsoft site is still blocked. I use the same exact proxy and settings in tortoisesvn network config and subversion file as I do when I put the info inside Internet Explorer options – htfree Jul 21 '16 at 10:29
  • Thanks, I see your update, it's almost 4am so I'll have to look at it tomorrow – htfree Jul 21 '16 at 10:32
  • @htfree I don't know for sure. However, the proxy may be causing the CTL updater not to wait until the timeout by sending another HTTP response. – bahrep Jul 21 '16 at 10:32
  • Awesome, you nailed it! I did what you said and now it's working fine/fast both methods so I can remove proxy settings from internet explorer and let only tortoise/svn use it etc which is great, thanks! Glad I posted this on here and not on serverfault, that place is terrible. Thanks again! – htfree Jul 21 '16 at 19:39
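
A way to confirm the diagnosis in the answer above before and after changing the policy, as an added example that is not part of the original thread: it reports whether automatic root updates are disabled and how long a request to the CTL host takes to succeed or fail. The registry path and value name are the documented location behind the Group Policy setting and are not named on the page; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run in Windows PowerShell on the affected client.

# Registry value written by the "Automatically update certificates in the
# Microsoft Root Certificate Program" policy (not named on the page).
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$PolicyValue = 'DisableRootAutoUpdate'
$CtlUrl      = 'http://ctldl.windowsupdate.com/'   # host named in the answer

function Get-RootAutoUpdateState {
    # 'Disabled' when the policy value is 1; 'Enabled' when it is 0 or absent.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$PolicyValue -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Measure-CtlReachability {
    param([string]$Url = $CtlUrl, [int]$TimeoutSec = 30)
    # Invoke-WebRequest follows the system proxy settings, not Subversion's,
    # so it fails or succeeds the same way the CTL retrieval would.
    $watch  = [System.Diagnostics.Stopwatch]::StartNew()
    $result = 'NoResponse'
    try {
        Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec $TimeoutSec | Out-Null
        $result = 'Reachable'
    } catch {
        # An HTTP error status (for example a proxy block page) is still a fast answer.
        if ($null -ne $_.Exception.Response) { $result = 'HttpError' }
    }
    $watch.Stop()
    [pscustomobject]@{
        Url     = $Url
        Result  = $result
        Seconds = [math]::Round($watch.Elapsed.TotalSeconds, 1)
    }
}

$state = Get-RootAutoUpdateState
$probe = Measure-CtlReachability
"Automatic root updates: $state"
"CTL host probe: $($probe.Result) after $($probe.Seconds) s"

if ($state -eq 'Enabled' -and $probe.Result -eq 'NoResponse') {
    # Matches the symptom in the question: TLS validation waits for this timeout.
    'Root update is enabled but the CTL host does not answer; expect a delay on HTTPS connections.'
}
```

A `NoResponse` result with a long elapsed time while the state is `Enabled` corresponds to the slow case in the question; an `HttpError` that returns quickly corresponds to the proxy answering in place of the blocked site.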