Recovering from SSL/TLS failure during GPO update

Cube00 (thread starter):
My desktop application is failing to negotiate TLS during the window when root certificates are updated by group policy.

The error is the one in the article: "A certificate chain was processed, but terminated in a root certificate which was not trusted by the trust provider"

I thought I could get around this by catching the exception and trying again, however what I've noticed is it seems once the application fails to get this certificate that state is remembered for the life of the application.

As an example, if I close and reopen the application repeatedly during the group policy update, I can usually get back in within about 40 seconds. However, if I keep trying within the code, I still can't get in after 10 minutes.

I'm trying to get a security token using WSHttpBinding > WSTrustChannelFactory > WSTrustChannel in .NET. I've tried closing the channel and also recreating the entire object chain down to the binding, so I suspect the caching is somewhere in System.Net, which is used according to the trace logs.

Any ideas on how I can force a re-lookup of the SSL/TLS root certificates would be appreciated because I'd rather not need to present users with a "Please close the application and try again in a few minutes" type message.
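A diagnostic that separates the two possible places the stale state could live, added here by the editor and not code from the original post. It hooks the process-wide System.Net validation callback so every handshake logs the chain status the trust provider saw, then rebuilds the chain with a fresh X509Chain against the current machine store: if the fresh build trusts the root while the handshake still reports UntrustedRoot, the stale state is in the connection layer rather than in the certificate store. The retry wrapper rebuilds the factory and channel from scratch on each attempt so no WCF object survives a failure. Assumptions: .NET Framework 4.5 or later, where WCF HTTPS transport goes through System.Net and therefore honours ServicePointManager's callback; the STS address is hypothetical and the RequestSecurityToken is supplied by the caller. The callback never returns true for a failed validation; it only adds visibility.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Threading;

// Editor-added diagnostic; not part of the original post.
static class TlsTrustDiagnostics
{
    public static void Install()
    {
        // Process-wide hook: every System.Net TLS handshake passes through here.
        ServicePointManager.ServerCertificateValidationCallback += LogAndDecide;
    }

    // Logs what the trust provider decided and what a fresh chain build says now.
    // Returns the original verdict; it must never be used to suppress an error.
    static bool LogAndDecide(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.WriteLine("TLS validation failed: " + errors + " for " + (cert == null ? "<no cert>" : cert.Subject));
        if (chain != null)
            foreach (var s in chain.ChainStatus)
                Console.WriteLine("  chain as seen by System.Net: " + s.Status + " (" + s.StatusInformation.Trim() + ")");

        // Fresh build against the current root store, independent of any
        // connection-level state. Assumption: the store has finished updating.
        Console.WriteLine("  fresh X509Chain.Build trusts root: " + FreshChainTrustsRoot(cert));
        return false;
    }

    public static bool FreshChainTrustsRoot(X509Certificate cert)
    {
        if (cert == null) return false;
        var fresh = new X509Chain();
        try
        {
            // Revocation is a separate failure mode; isolate root trust here.
            fresh.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool built = fresh.Build(new X509Certificate2(cert));
            foreach (var s in fresh.ChainStatus)
                if ((s.Status & X509ChainStatusFlags.UntrustedRoot) != 0)
                    return false;
            return built;
        }
        finally
        {
            fresh.Reset(); // release native chain handles on every .NET Framework version
        }
    }
}

static class FreshChannelRetry
{
    // issueToken is invoked anew on each attempt, so the factory, channel and
    // binding are all rebuilt; only the retry state itself persists.
    public static T Run<T>(Func<T> issueToken, int maxAttempts, TimeSpan delay)
    {
        for (int attempt = 1; ; attempt++)
        {
            try { return issueToken(); }
            catch (SecurityNegotiationException ex) when (attempt < maxAttempts)
            {
                var cause = ex.InnerException == null ? ex.Message : ex.InnerException.Message;
                Console.WriteLine("attempt " + attempt + " failed: " + cause);
                Thread.Sleep(delay);
            }
        }
    }

    // One complete issue call: hypothetical STS address, caller-supplied RST.
    public static SecurityToken IssueOnce(Uri stsAddress, RequestSecurityToken rst)
    {
        var factory = new WSTrustChannelFactory(new WSHttpBinding(SecurityMode.Transport),
                                                new EndpointAddress(stsAddress));
        factory.TrustVersion = TrustVersion.WSTrust13;
        try
        {
            return factory.CreateChannel().Issue(rst);
        }
        finally
        {
            factory.Abort(); // discard, never reuse, the factory after each attempt
        }
    }
}

// Usage (hypothetical endpoint):
//   TlsTrustDiagnostics.Install();
//   var sts = new Uri("https://sts.example.invalid/trust/13");
//   var token = FreshChannelRetry.Run(() => FreshChannelRetry.IssueOnce(sts, rst),
//                                     maxAttempts: 10, delay: TimeSpan.FromSeconds(5));
```

Read the two log lines together: "UntrustedRoot" from the handshake next to "fresh X509Chain.Build trusts root: True" points at cached connection state in the process; both reporting untrusted means the store itself has not finished updating and waiting is the only correct response. Leave the callback's return value alone in production; returning true on RemoteCertificateChainErrors would turn a transient outage into a permanent trust bypass.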
