mkfmnn

Very slow certificate verification on network-isolated EC2 instance - certificate revocation check?

I am setting up an environment where users use Windows EC2 instances that are configured without open-ended internet access, as described here: https://repost.aws/knowledge-center/ec2-systems-manager-vpc-endpoints

I want to use WinSCP on those instances to enable users to easily transfer files to and from S3 (via VPC endpoint) through a graphical interface, using the instance profile temporary credentials; without internet access there's no AWS Console. I have not used WinSCP before.

When attempting to use WinSCP, connection and other operations can take a very long time, 30 seconds or more. I also frequently get this error dialog when attempting to connect:

Could not read status line: Connection was closed by server

Connection failed


Upon retry, it sometimes succeeds.

When I look at the debug log, I see the pause consistently happens during certificate validation, sometimes taking so long that the server closes the connection:

. 2026-05-29 03:16:16.780 Verifying certificate for "s3.amazonaws.com" with fingerprint 7e:bf:42:63:5d:c3:2b:cb:97:f6:0e:38:3e:e1:f8:63:39:aa:ce:a2:39:e1:56:b9:8d:74:1c:79:12:67:14:36 and 08 failures

. 2026-05-29 03:17:01.824 Certificate for "s3.amazonaws.com" matches cached fingerprint and failures

(See attachment for more, including an eventually successful connection)

I suspect that it has something to do with certificate revocation list checking attempting to happen and timing out, but don't know that for certain.

I have searched the internet and these forums for more information, including any instructions on how to disable those checks, fruitlessly. This thread is the closest but the -certificate option is not applicable to S3.

I have also tried disabling it at the Windows level, under Control Panel --> Internet Options --> Advanced, as described in this post.

Is there any way that I can avoid these delays?

Version: WinSCP-6.5.6
OS: Windows Server 2022
GUI: Explorer interface
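
Added example, not part of the original post and not WinSCP code: a small script that scans a WinSCP debug log for the pattern described above and reports every certificate verification that is followed by a long pause. The line layout is assumed from the two log lines quoted in the post; `find_cert_stalls`, the 5-second threshold and the sample lines (with a placeholder fingerprint) are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed layout: one marker character, a space, a millisecond timestamp, the message.
LINE_RE = re.compile(r'^(.) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$')
VERIFY_RE = re.compile(r'^Verifying certificate for "([^"]+)"')

def find_cert_stalls(lines, threshold=5.0):
    """Return (host, start, seconds) for each certificate verification whose
    next timestamped log line arrives more than `threshold` seconds later."""
    stalls = []
    pending = None  # (host, start) of a verification still waiting for its next line
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # blank or continuation lines carry no timestamp
        ts = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S.%f")
        if pending is not None:
            host, start = pending
            gap = (ts - start).total_seconds()
            if gap > threshold:
                stalls.append((host, start, gap))
            pending = None
        v = VERIFY_RE.match(m.group(3))
        if v:
            pending = (v.group(1), ts)
    return stalls

# Constructed sample: the first pair uses the timestamps quoted in the post,
# the second pair is a made-up fast verification for contrast.
SAMPLE_LOG = """\
. 2026-05-29 03:16:16.780 Verifying certificate for "s3.amazonaws.com" with fingerprint 00:11:22 and 08 failures
. 2026-05-29 03:17:01.824 Certificate for "s3.amazonaws.com" matches cached fingerprint and failures
. 2026-05-29 03:17:40.100 Verifying certificate for "s3.amazonaws.com" with fingerprint 00:11:22 and 08 failures
. 2026-05-29 03:17:40.350 Certificate for "s3.amazonaws.com" matches cached fingerprint and failures
""".splitlines()

if __name__ == "__main__":
    for host, start, gap in find_cert_stalls(SAMPLE_LOG):
        print(f"{start} {host}: {gap:.3f}s stalled in certificate verification")
```

Running it over a full session log shows whether the delay occurs on every verification or only on some, which is useful evidence to attach alongside the log.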