Improving application Start up time: GeneratePublisherEvidence setting in Machine.config

Background : When assemblies are authenticode signed, the signed assemblies need to be verified by the certificate authority. When CA certificate is not present on the same machine the assemblies require network or internet access. If the signed assemblies are installed on machine where CA certificate is not on the same machine and does not have network/internet access the .NET thread might timeout waiting to connect. Below is one case study I have presented. There are other ways to avoid this performance issue including performing strong name signing of assemblies, placing the CA certificate on the same machine

 

How to : Use the following setting in the Machine.config in the runtime tag

 <configuration>
<runtime>
<generatePublisherEvidence enabled="false" />
</runtime>
</configuration>

 

Case study : In a recent engagement, the site home page took ~54 seconds to load on IIS reset. As usual, looking into the resource usage pattern(CPU,IO and memory) we didn’t find anything alarming. The best solution was to get a memory dump of the worker process(w3wp.exe) during this time and analyse to see what was going on. Looking at the memory dump and analysing each thread, one thread seemed worth looking into. Looking into the thread stack given below we observed that .NET assembly’s security was being checked and call was being made to verify the certificate revocation list.

00000000`03a0b550 000007fe`faf12e58 cryptnet!CryptRetrieveObjectByUrlWithTimeout+0x263

00000000`03a0b850 000007fe`faf145fa cryptnet!CryptRetrieveObjectByUrlW+0x20c

00000000`03a0ba40 000007fe`faf1b826 cryptnet!RetrieveObjectByUrlValidForSubject+0x14a

00000000`03a0bb70 000007fe`faf141cb cryptnet!RetrieveTimeValidObjectByUrl+0x2de

00000000`03a0bc60 000007fe`faf128b0 cryptnet!CTVOAgent::GetTimeValidObjectByUrl+0x2e3

00000000`03a0bdc0 000007fe`faf124dd cryptnet!CTVOAgent::GetTimeValidObject+0x7cc

00000000`03a0bf90 000007fe`faf115a4 cryptnet!FreshestCrlFromCertGetTimeValidObject+0x61

00000000`03a0c000 000007fe`faf1b6e3 cryptnet!CryptGetTimeValidObject+0xb0

00000000`03a0c080 000007fe`faf1233d cryptnet!GetTimeValidCrl+0x4bb

00000000`03a0c1c0 000007fe`faf1201e cryptnet!GetBaseCrl+0x7d

00000000`03a0c250 000007fe`faf11e24 cryptnet!MicrosoftCertDllVerifyRevocation+0x238

00000000`03a0c3a0 000007fe`fcc06143 cryptnet!CertDllVerifyRevocation+0x28

00000000`03a0c3f0 000007fe`fcc0629c crypt32!VerifyDefaultRevocation+0x398

00000000`03a0c4e0 000007fe`fcc066bd crypt32!CertVerifyRevocation+0x144

00000000`03a0c5e0 000007fe`fcc063fa crypt32!CChainPathObject::CalculateRevocationStatus+0x48d

00000000`03a0c710 000007fe`fcbeccc8 crypt32!CChainPathObject::CalculateAdditionalStatus+0x2e2

00000000`03a0c7a0 000007fe`fcbec86b crypt32!CCertChainEngine::CreateChainContextFromPathGraph+0x443

00000000`03a0c920 000007fe`fcbebf32 crypt32!CCertChainEngine::GetChainContext+0x8b

00000000`03a0c9e0 000007fe`fb9246b8 crypt32!CertGetCertificateChain+0x100

00000000`03a0ca80 000007fe`fb92445a wintrust!_WalkChain+0x2b4

00000000`03a0cb50 000007fe`fb921e47 wintrust!WintrustCertificateTrust+0xea

00000000`03a0cbc0 000007fe`fb921057 wintrust!_VerifyTrust+0x347

00000000`03a0cde0 00000642`ffaf8031 wintrust!WinVerifyTrust+0x70

00000000`03a0ce20 00000642`7f862c5f mscorsec!GetPublisher+0x139

00000000`03a0cf40 00000642`7f57710b mscorwks!PEFile::CheckSecurity+0x40df57

 

On checking with the developer again we found that the server did not have access to the internet and the assemblies were authenticode signed. Since there was no internet access .NET thread would wait to connect and ultimately timeout without doing the security check. We enabled the setting as shown above. Boom!!!! The problem was fixed and the overall home page load time on iisreset came down from ~54 seconds to ~10 seconds.

Comments