Troubleshooting delays when accessing VisualSVN Server over HTTPS

Applies to: Subversion 1.12 and older client versions

Symptoms

When trying to connect to VisualSVN Server over HTTPS using the Subversion client, a user may notice an initial response delay that could look like a slow performance issue. The delay is usually about 10 to 30 seconds, but in some cases, it may exceed 30 seconds.

Note
The problem described in this article only relates to Subversion 1.12 and older clients. The problem does not affect up-to-date Subversion clients.

Cause

When Subversion clients try to access the repository over HTTPS, Windows tries to update the Certificate Trust List (CTL) from the Windows Update site (http://ctldl.windowsupdate.com/).

If the client computer is not connected to the Internet or if a firewall blocks the Windows Update site, the operation silently fails with a timeout. This timeout is the delay that the user sees on the client computer when attempting to access VisualSVN Server repositories.

To confirm that the CTL update is the cause, check the CAPI2 Log on the client computer. Follow these steps to view the log:

  1. Open the Event Viewer.
  2. In the console tree, click Applications and Services Logs, then click Microsoft.
  3. Right-click the repository and click Properties.
  4. Click Windows.
  5. Click CAPI2.

Note
By default, the CAPI2 log is disabled in Event Viewer. You should enable it manually. See the instruction on how to enable CAPI2 event logging in Event Viewer.

In the CAPI2 Log you can see an error message that contains the following fields:

Field           Value
Log Name        Microsoft-Windows-CAPI2/Operational
Source          CAPI2
Event ID        20
Level           Error
Task Category   Retrieve Third-Party Root Certificate from Network
Keywords        Automatic Root Update, Retrieval, Path Discovery
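
The same check can be scripted. The following PowerShell is an added example, not part of the original article: it enables the CAPI2 log if needed, tests whether the CTL host is reachable, and lists recent Event ID 20 errors. The 24-hour lookback window and the use of TCP port 80 as the reachability test are assumptions; run it from an elevated session on the affected client.

```powershell
# Added example: confirm the CTL-retrieval cause described in this article.
$logName       = 'Microsoft-Windows-CAPI2/Operational'  # log name from the table above
$ctlHost       = 'ctldl.windowsupdate.com'              # host named in the Cause section
$lookbackHours = 24                                     # assumption: adjust to your case

# 1. The CAPI2 log is disabled by default; enable it if necessary.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    wevtutil.exe sl $logName /e:true
    Write-Host "Enabled $logName. Reproduce the slow svn operation, then rerun this script."
}

# 2. Can this computer open a TCP connection to the CTL host on port 80?
#    (A direct TCP test only; it does not exercise any configured HTTP proxy.)
$reachable = Test-NetConnection -ComputerName $ctlHost -Port 80 `
                 -InformationLevel Quiet -WarningAction SilentlyContinue

# 3. Collect Event ID 20 entries at level Error (2) within the lookback window.
#    Get-WinEvent raises an error when nothing matches, so suppress it and
#    wrap the result in @() to always get an array.
$filter = @{
    LogName   = $logName
    Id        = 20
    Level     = 2
    StartTime = (Get-Date).AddHours(-$lookbackHours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 4. Summarize: an unreachable host plus Event ID 20 errors matches this article.
[pscustomobject]@{
    CtlHostReachable = $reachable
    Event20Errors    = $events.Count
    MostRecentError  = ($events | Select-Object -First 1).TimeCreated
    MatchesArticle   = (-not $reachable) -and ($events.Count -gt 0)
} | Format-List

# 5. Show the newest entries so the Task Category can be compared with the table.
$events | Select-Object -First 5 TimeCreated, Id, LevelDisplayName, TaskDisplayName |
    Format-Table -AutoSize
```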

In general, the problem is not limited to VisualSVN Server and Subversion clients; it affects a wide range of software and system services. This article covers the particular issue that may occur when the client computer is operating in a network without access to the Certificate Trust List (CTL) from the Windows Update site (http://ctldl.windowsupdate.com/). Make sure to read the TechNet blog post that covers the topic in more detail: "Support Tip: Why can’t I deploy this Digital Certificate Security Advisory with WSUS or Configuration Manager?"

Resolution

Administrators can resolve the lack of access to http://ctldl.windowsupdate.com/ in two ways. Choose the method that best suits your environment.

  • Method #1:

    Enable computers to use the CTL update feature without accessing the Windows Update site. Instructions are provided in the Microsoft Support article "An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows".

  • Method #2:

    Disable network retrieval of the certificate updates on the client computer by modifying Group Policy in the Local Group Policy Editor. To do this, follow these steps:

    1. Start the Local Group Policy Editor by entering gpedit at the command prompt.
    2. Double-click Windows Settings under the Computer Configuration node.
    3. Double-click Security Settings, and then double-click Public Key Policies.
    4. In the details pane, double-click Certificate Path Validation Settings.
    5. Click the Network Retrieval tab, select Define these policy settings, and then clear the Automatically update certificates in the Microsoft Root Certificate Program (recommended) check box.
    6. Click OK.
    Note
    You should be an Administrator on your computer to edit local group policies.

See also

KB134: Configuring SSL Certificates for VisualSVN Server
KB195: Understanding TLS/SSL compatibility levels in VisualSVN Server