Measurement Studio for .NET Languages

(MS .NET, Csharp) adding component causes severe slowdown.

Hi sweeten,

I ran your example and find that I have a similar problem (it takes my machine 16 seconds before the form is loaded) due to the time the nationalinstruments.ui.windowsforms.dll is loading. I have added a similar message to the discussion forum about a graph control - see "Slow loading of nationalinstruments.ui.windowsforms (16 seconds) in C# .NET".

We have noticed that if we remove the network cable from our pc and start your application the form is loaded and displayed instantly. I was wondering if you will experience the same result?

This would imply that NI are doing something with the network when their library loads up? Any suggestions NI?

Please let me know if you have managed to fix this yet?

Zax.
0 Kudos
Message 11 of 31
(5,434 Views)
I did some network sniffing after reading Zax's message. There is a bunch of DNS traffic trying to locate
crl.thawte.com, which finally fails because we are on an isolated network. What is going on NI?

Jim
0 Kudos
Message 12 of 31
(5,425 Views)
Hello

Thawte is a digital signature provider that is used by all of our components. We use a certificate from Thawte to codesign our assemblies, allowing you to deploy applications via the web safely with our assemblies.

Codesigning ensures that users know where the code came from (if you deploy a Measurement Studio Application via the web, you will get a dialog saying "Do you trust National Instruments" vs. "Do you trust unknown to be installed and run on your machine"). And it ensures that code has not been tampered with since publication.

crl stands for Certificate Revocation List and basically, the .NET runtime is doing a certificate lookup every time the assembly is loaded.

I saw the network traffic that you mention, but didn't get the 16 second delay that you described. I might have faster timeouts on my machine somehow.

Are you running these applications from a shared network location? Do you have admin privileges on your system? Or do you have some custom security policies applied to your system?

Let me know how your system is set up so I can reproduce what you are seeing.

Thanks for the tip on the network traffic everyone.
Bilal Durrani
NI
0 Kudos
Message 13 of 31
(5,035 Views)
Hi Bilal,

We connect to the internet via a SOCKS proxy and a firewall. I don't have a lot in the way of custom security settings on my personal PC, apart from bypassing the proxy for local connections.

The behaviour you describe is not remotely useful to us, as we are not planning to distribute via the web. Is there any way of disabling it? At the moment I'm quite concerned. Even if we were to get the components to work properly on our local network, how could we possibly be confident as to whether or not the problem would resurface at a customer's site?

Chris
0 Kudos
Message 14 of 31
(5,020 Views)
One way to disable this is to disable CRL checking. Try the following and see if this speeds things up for you.

Go to the Control Panel, select Internet Options, click the Advanced tab, and, in the Security section, uncheck the "Check for publisher's certificate revocation" option. This option is enabled by default.

Let me know what you find.
Bilal Durrani
NI
0 Kudos
Message 15 of 31
(5,003 Views)
And also let me know which version of Measurement Studio you are using, which OS and service pack. I've been using XP, SP1 with Mstudio 7.1 for my tests here.

Thanks
Bilal Durrani
NI
0 Kudos
Message 16 of 31
(4,999 Views)
If we turn off "check for publisher's certificate revocation" then the graph loads almost instantly. However, asking customers of our application to weaken the security for all applications running on their PC isn't a good solution, and it is unlikely to create confidence amongst our more technically aware clients.

You claim that the .NET runtime performs the certificate checking. Is this checking performed automatically by the runtime for any component containing a certificate, or is it explicitly invoked from your component?

I am using Windows 2000 SP4, 2.4GHz pentium, 1GB RAM, 739MB free hard drive space.

Chris

P.S. For anyone else reading this thread, more info on certificates can be found at:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certificates_and...
0 Kudos
Message 17 of 31
(4,990 Views)
Our network guy has just confirmed that the reply from Thawte is being blocked by our firewall. That explains why the certificate request is timing out.

As far as I can tell that leaves us with three choices:

1) Tell all our customers to compromise the security of their pcs by disabling checking of certificate revocation
2) Tell all our customers to compromise the security of their network by opening up an additional port (our network people are refusing to do this - apparently this port has been used by viruses in the past)
3) Work with you to find a better solution.

I prefer option 3!

I find it a little odd that whereas the .NET runtime will quite happily load up a component without any certificate attached from the local hard drive (as well as native code and other such security nasties), if a certificate is present then it must be checked before the code can be trusted. Is this standard .NET behaviour?

Chris
0 Kudos
Message 18 of 31
(4,990 Views)
I agree with you on option 3. I don't think it is reasonable for users to expose a security hole on their intranets just because of a single component. As far as I can tell, this does seem to be default component behavior for the .NET framework. Disabling CRL checking from IE was a way to test whether this was the problem on your end.

The reason why I was not seeing the delay was that I was totally disconnected from the network, so I was never connecting to Thawte in the first place, hence the faster timeouts. In your case, you do send packets to Thawte, so the framework waits longer to receive a reply. But it never does. So I was finally able to reproduce the problem you were seeing by using a software firewall.

According to what I saw, the problem comes down to making sure you have 2 certificates from Thawte showing up under the "trusted root certificate authority" tab in the certificate manager. Usually these get downloaded for you automatically, but if you have certain ports blocked, those certificates are never added.

So it seems that the following is happening:

1. The .NET app is launched and the framework checks the digital signature and sees that it's signed by Thawte.
2. It needs to verify that the signature provider is valid and checks to see whether Thawte is one of the trusted root certificate authorities (CAs).
3. If the certificate is not on the system, then it tries to check the CA online.
4. If it can't connect, it launches the app anyway, only after a very very long (non-configurable?) delay.

I'm still not sure why exactly the framework is trying to verify the component's signature at runtime, even though it's on a local machine with full permissions. It's something we're investigating.

Here are the certificates that I traced it down to. You can see if you already have these on your system. The file format is PKCS #7. These are titled "Thawte Premium Server CA" and "Thawte Timestamping CA". You can see the certificates you have on your system by going to IE >> Tools >> Internet Options >> Content and clicking on the Certificates button. Go to the "Trusted Root Certificate Authority" tab and see if you have any certificates by that name. Otherwise you can import these certificates by importing the attached file. You can remove the .txt extension at the end of the attachment. I can't seem to post files with a .p7b extension.

Is it ok if I contact you directly? It might help speed up the investigation process. Then I could post the investigation results on the forum for everyone to view.

Try importing these certificates (if you don't already have them) and let me know what you find. And I guess you should re-enable the option to check CRLs in IE.

Let me know what you find.
Hope this helps. Thanks for helping us investigate this.
Bilal Durrani
NI
0 Kudos
Message 19 of 31
(4,958 Views)
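A diagnostic for the load delay discussed in the messages above, added here as an example; it is not part of any post and not NI code. It reads the Authenticode signer certificate from a signed assembly (for instance nationalinstruments.ui.windowsforms.dll) and times certificate chain building with revocation checking off and then online, printing the chain status flags. It assumes this chain build approximates the check the runtime performs at load; the class name and the 5-second timeout are illustrative, and it validates the certificate chain only, not the file's signature hash.

```csharp
// Added diagnostic example. Usage: CrlTiming.exe <path-to-signed-assembly>
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CrlTiming
{
    // Build the signer's chain under one revocation mode; report the time
    // taken and every status flag the chain engine returned.
    static void TimeChainBuild(X509Certificate2 signer, X509RevocationMode mode)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // Bound revocation retrieval so a firewalled CRL host cannot stall us.
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(5);

        Stopwatch sw = Stopwatch.StartNew();
        bool valid = chain.Build(signer);
        sw.Stop();

        Console.WriteLine("{0,-8} valid={1,-5} elapsed={2} ms",
                          mode, valid, sw.ElapsedMilliseconds);
        // RevocationStatusUnknown / OfflineRevocation here mean the CRL
        // could not be fetched, which is the situation behind the delay.
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("    {0}: {1}", s.Status, s.StatusInformation.Trim());
        chain.Reset();
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: CrlTiming <signed .dll or .exe>");
            return 2;
        }
        X509Certificate2 signer;
        try
        {   // Throws if the file carries no embedded Authenticode signature.
            signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(args[0]));
        }
        catch (CryptographicException e)
        {
            Console.Error.WriteLine("no embedded signature: " + e.Message);
            return 1;
        }
        Console.WriteLine("Signer: {0}\nIssuer: {1}", signer.Subject, signer.Issuer);
        TimeChainBuild(signer, X509RevocationMode.NoCheck);
        TimeChainBuild(signer, X509RevocationMode.Online); // may hit a cached CRL
        return 0;
    }
}
```

A large gap between the two timings, together with a revocation-unknown or offline flag on the Online run, points at an unreachable CRL distribution point rather than at the component itself.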
Hi Bilal,

Thanks for your help with this.

I've just checked my internet settings and both of the certificates that you mentioned are already installed on my pc. Zax has tried re-importing them, but it didn't help.

You are welcome to contact me directly about this issue.

regards,

Chris Williamson
0 Kudos
Message 20 of 31
(4,941 Views)