@mkfmnn: Thanks for sharing your solution.
- martin
Post a reply
Before posting, please read how to report bug or request support effectively.
Bug reports without an attached log file are usually useless.
Topic review
- Guest
Idk, I find AI is wrong to the point I only use it to know what it's not. It's good you were able to get one thing solved from that but, at the same time, those hangs should ultimately be from something else as it shouldn't be happening – it's not worthwhile to have something that often hangs. To me, the AI is incorrect, but certainly is a way.
Should really be something else going on imo. Ideally, WinSCP or Windows cert store would find a way to avoid the slowdowns. It could be a bug in something. Hard to say. :)
Should really be something else going on imo. Ideally, WinSCP or Windows cert store would find a way to avoid the slowdowns. It could be a bug in something. Hard to say. :)
- mkfmnn
@Guest: After troubleshooting for a while with LLM assistance here's what I've figured out so far.
During the hangs, the instance is trying to connect to:
Setting these registry keys has eliminated the hangs for me:
I am now getting a certificate warning for
During the hangs, the instance is trying to connect to:
ctldl.windowsupdate.com, to refresh root certificates and/or check certificate transparency logs?crt.r2m04.amazontrust.comto download the intermediate certificate
Setting these registry keys has eliminated the hangs for me:
:: Stop ctldl.windowsupdate.com (Automatic Root Update + disallowed CTL)
reg add "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" /v DisableRootAutoUpdate /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot" /v EnableDisallowedCertAutoUpdate /t REG_DWORD /d 0 /f
:: Fail any remaining AIA/CRL/OCSP fetch fast instead of hanging (defaults are 15s / 20s)
reg add "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config" /v ChainUrlRetrievalTimeoutMilliseconds /t REG_DWORD /d 500 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config" /v ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds /t REG_DWORD /d 1000 /f
I am now getting a certificate warning for
s3.amazonaws.com on a fresh instance which I had forgotten about when starting this thread, which I'm trying to troubleshoot now. The EC2 instance does have the Amazon Root certificates in its store by default, but not the intermediate. Claude thinks: "Your AIA call to crt.r2m04.amazontrust.com means WinSCP's Windows-store verification path isn't using the handshake-supplied intermediate — it's handing CryptoAPI only the leaf, so CryptoAPI goes looking for the issuer." I might be able to preload the intermediate CAs onto the instance as a workaround.
- Guest
I will state first, see if Martin comes up with anything.
I could be a bit off, as using GitHub IDE is not the greatest, but it looks like WinSCP is using Windows Certificate Store for the validation during S3. I don't see how its a revocation list problem as the successful connection's start "Verifying certificate" > end "Certificate for matches" statements are immediate as they should be. Something with the store verification of the certs seems to be going weird and slowing down but then immediate at other times.
I could be a bit off, as using GitHub IDE is not the greatest, but it looks like WinSCP is using Windows Certificate Store for the validation during S3. I don't see how its a revocation list problem as the successful connection's start "Verifying certificate" > end "Certificate for matches" statements are immediate as they should be. Something with the store verification of the certs seems to be going weird and slowing down but then immediate at other times.
- mkfmnn
Very slow certificate verification on network-isolated EC2 instance – certificate revocation check?
I am setting up an environment where users use Windows EC2 instances that are configured without open-ended internet access, as described here:
https://repost.aws/knowledge-center/ec2-systems-manager-vpc-endpoints
I want to use WinSCP on those instances to enable users to easily transfer files to and from S3 (via VPC endpoint) through a graphical interface, using the instance profile temporary credentials; without internet access there's no AWS Console. I have not used WinSCP before.
When attempting to use WinSCP, connection and other operations can take a very long time, 30 seconds or more. I also frequently get this error dialog when attempting to connect:
Upon retry, it sometimes succeeds.
When I look at the debug log, I see the pause consistently happens during certificate validation, sometimes taking so long that the server closes the connection:
(See attachment for more, including an eventually successful connection)
I suspect that it has something to do with certificate revocation list checking attempting to happen and timing out, but don't know that for certain.
I have searched the internet and these forums for more information, including any instructions on how to disable those checks, fruitlessly. This thread is the closest but the
I have also tried disabling it at the Windows level, under Control Panel --> Internet Options --> Advanced, as described in this post.
Is there any way that I can avoid these delays?
Version: WinSCP-6.5.6
OS: Windows Server 2022
GUI: Explorer interface
https://repost.aws/knowledge-center/ec2-systems-manager-vpc-endpoints
I want to use WinSCP on those instances to enable users to easily transfer files to and from S3 (via VPC endpoint) through a graphical interface, using the instance profile temporary credentials; without internet access there's no AWS Console. I have not used WinSCP before.
When attempting to use WinSCP, connection and other operations can take a very long time, 30 seconds or more. I also frequently get this error dialog when attempting to connect:
Could not read status line: Connection was closed by server
Connection failed
Upon retry, it sometimes succeeds.
When I look at the debug log, I see the pause consistently happens during certificate validation, sometimes taking so long that the server closes the connection:
. 2026-05-29 03:16:16.780 Verifying certificate for "s3.amazonaws.com" with fingerprint 7e:bf:42:63:5d:c3:2b:cb:97:f6:0e:38:3e:e1:f8:63:39:aa:ce:a2:39:e1:56:b9:8d:74:1c:79:12:67:14:36 and 08 failures
. 2026-05-29 03:17:01.824 Certificate for "s3.amazonaws.com" matches cached fingerprint and failures
(See attachment for more, including an eventually successful connection)
I suspect that it has something to do with certificate revocation list checking attempting to happen and timing out, but don't know that for certain.
I have searched the internet and these forums for more information, including any instructions on how to disable those checks, fruitlessly. This thread is the closest but the
-certificate option is not applicable to S3.
I have also tried disabling it at the Windows level, under Control Panel --> Internet Options --> Advanced, as described in this post.
Is there any way that I can avoid these delays?
Version: WinSCP-6.5.6
OS: Windows Server 2022
GUI: Explorer interface