officecfg/registry/schema/org/openoffice/Office/Security.xcs | 11 +++++ xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx | 20 +++++++++- 2 files changed, 30 insertions(+), 1 deletion(-)
New commits: commit daac52cc3aef6af335c3ca23ae438a0d6ee02c63 Author: Tibor Nagy <[email protected]> AuthorDate: Sun Jan 18 00:01:56 2026 +0100 Commit: Nagy Tibor <[email protected]> CommitDate: Tue Jan 20 13:59:47 2026 +0100 xmlsecurity: avoid long blocking delays caused by CRL timeouts Windows performs certificate revocation checks (CRL) during signature verification. When the revocation endpoints listed in a certificate are unreachable or respond slowly, the revocation checking logic issues blocking network requests and waits for connection timeouts, which can introduce multi‑second delays for each certificate in the chain. Add a configuration option to disable CRL checking. The signature is still validated against the certificate itself, preserving security while improving performance in restricted environments. Change-Id: I83e76556b8bd37d6b0b2fda4bb676ebd10580b38 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/197516 Reviewed-by: Nagy Tibor <[email protected]> Tested-by: Jenkins (cherry picked from commit 514299d0ef6d9a34a4379d5182ef90d57d8cc770) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/197654 Tested-by: allotropia jenkins <[email protected]>
diff --git a/officecfg/registry/schema/org/openoffice/Office/Security.xcs b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
index 50134e8f33b3..cab184c03689 100644
--- a/officecfg/registry/schema/org/openoffice/Office/Security.xcs
+++ b/officecfg/registry/schema/org/openoffice/Office/Security.xcs
@@ -49,6 +49,17 @@
 </info>
 </prop>
 </group>
+ <group oor:name="Certificate">
+ <info>
+ <desc>Specifies security settings related to certificates.</desc>
+ </info>
+ <prop oor:name="DisableCertificateRevocationCheck" oor:type="xs:boolean" oor:nillable="false">
+ <info>
+ <desc>Disable certificate revocation checks.</desc>
+ </info>
+ <value>false</value>
+ </prop>
+ </group>
 <group oor:name="HiddenContent">
 <info>
 <desc>Specifies whether to remove the hidden content when sending the document attached to an email</desc>
diff --git a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
index 554802cdcf08..a8db6abe1aaa 100644
--- a/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
+++ b/xmlsecurity/source/xmlsec/mscrypt/securityenvironment_mscryptimpl.cxx
@@ -47,6 +47,7 @@
 #include <osl/process.h>
 #include <o3tl/char16_t2wchar_t.hxx>
 #include <svl/cryptosign.hxx>
+#include <officecfg/Office/Security.hxx>
 using namespace ::com::sun::star;
 using namespace ::com::sun::star::lang ;
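Review bot: The `<desc>` of DisableCertificateRevocationCheck says what the switch does but not what it costs: when it is set, a signing certificate that has since been revoked is still accepted as valid, so this is a security trade-off, not a pure performance knob, and the schema description is where an administrator deploying it will read about that. Per the diffstat only the mscrypt backend is changed by this commit, so the description should also say which backend honours the setting rather than implying it is global. Suggest: `<desc>Disable certificate revocation (CRL) checks during signature verification. Revoked signing certificates are then no longer detected; enable only in offline or restricted environments where revocation endpoints are unreachable. Currently honoured by the Windows CryptoAPI backend only.</desc>`.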
@@ -876,6 +877,23 @@ sal_Int32 SecurityEnvironment_MSCryptImpl::verifyCertificate(
 }
+ // Optionally disable certificate revocation checking.
+ // Revocation checking (CRL) can cause significant delays during signature verification.
+ // They typically occur when the revocation endpoints listed in the certificate are
+ // unreachable, misconfigured, or slow to respond.
+ // In such cases, blocking network calls wait for TCP connection attempts to time out,
+ // which may take several seconds per certificate in the chain.
+ // Disabling revocation checking avoids these network timeouts and allows verification
+ // to complete without waiting for external revocation services.
+ DWORD revocationFlag = 0;
+ bool bDisableCRLCheck = officecfg::Office::Security::Certificate::DisableCertificateRevocationCheck::get();
+ if (!bDisableCRLCheck)
+ {
+ revocationFlag =
+ CERT_CHAIN_REVOCATION_CHECK_CHAIN |
+ CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
+ }
+
 //CertGetCertificateChain searches by default in MY, CA, ROOT and TRUST
 //We do not check revocation of the root. In most cases there are none.
 //Then we would get CERT_TRUST_REVOCATION_STATUS_UNKNOWN
@@ -886,7 +904,7 @@ sal_Int32 SecurityEnvironment_MSCryptImpl::verifyCertificate(
 nullptr , //use current system time
 hCollectionStore,
 &chainPara ,
- CERT_CHAIN_REVOCATION_CHECK_CHAIN | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
+ revocationFlag,
 nullptr ,
 &pChainContext);
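Review bot: Passing revocationFlag == 0 to CertGetCertificateChain removes revocation checking entirely, so a revoked signing certificate still builds a trusted chain and, as far as this hunk shows, nothing records that revocation was skipped; the commit message's claim that this "preserves security" does not hold, and the added comment block should say so instead of describing only the timeouts it avoids, e.g. `// NOTE: with the option set, revoked signing certificates are NOT detected; this trades security for responsiveness.`. If the aim is only to avoid blocking network calls, a narrower form keeps the existing flags and adds the offline mode: `revocationFlag = CERT_CHAIN_REVOCATION_CHECK_CHAIN | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;` followed by `if (bDisableCRLCheck) revocationFlag |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;`, which still evaluates already-cached CRLs without contacting any endpoint, provided the status handling after the call tolerates CERT_TRUST_REVOCATION_STATUS_UNKNOWN / CERT_TRUST_IS_OFFLINE_REVOCATION (not visible here); bounding the delay with CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT and the dwUrlRetrievalTimeout field of CERT_CHAIN_PARA is the other documented alternative and worth checking against the SDK. The existing "We do not check revocation of the root" comment below is now misleading when the option is on, since the whole chain is then unchecked. The enclosing verifyCertificate starts and ends outside this hunk.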
