How to speed up SSL handshake in isolated environments

Opening an HTTPS URL in the environment that is not connected to the internet may take time. Fortunately, there is a way to speed up this process on the client side. It appears that Windows tries to retrieve fresh CRL (certificate revocation list) from own and third party servers. Obviously, this attempt times out when the client is not connected to the internet. There is no way to disable CRL retrieval completely, but it is possible to reduce retrieval timeout to the minimum allowed. The system will still attempt to contact CRL servers, but it will take less time to go through the whole list of servers.

In addition to SSL handshake, the settings above will speed up any process that involves certificate validation – for example, validation of code signing certificates.

So:

  1. Open Local Group Policy Editor (for example, search for “Edit Group Policy” in the Start Menu)
  2. Go down the tree from “Computer Configuration” => “Windows Settings” => “Security Settings” => “Public Key Policies”
  3. On the right side, double-click on “Certificate Path Validation Settings”
  4. Go to “Network Retrieval” tab
  5. Select “Define these policy settings” checkbox
  6. Change both timeout values under “Default retrieval timeout settings” to 1 second
  7. Click “OK”

For detailed instructions for clients that are part of Active Directory Domain, visit this TechNet topic (although it speaks about increasing timeout and decreasing it).

Retrieval Timeout Settings

The instructions above apply to Windows clients, but the same technique may be applicable for the other operating systems.

One thought on “How to speed up SSL handshake in isolated environments

Leave a Reply