Unable to perform revocation check of the server certificate

0 votes
asked Nov 1, 2013 by dennis (160 points)
edited Nov 5, 2013

Hi there,

One of my customers is receiving this error message from REBEX which is embedded in a DLL. Here is what we are trying to do:

FTP with Implicit SSL on port 990. FTP site is bairddocs.sharefileftp.com

No other customer has this problem. I am trying to figure out why this error has been thrown: Could it be the customer's firewall? Could it be an OS issue (I am trying to figure out if they are on XP, Vista or Windows 7).

I am trying to work with the customer's Help Desk to make certain that their corporate firewall is not blocking requests or ports, etc. We have had this issue with some customers.

Applies to: Rebex FTP/SSL

3 Answers

0 votes
answered Nov 1, 2013 by Lukas Pokorny (95,290 points)
edited Nov 1, 2013

Hi,

although there are several possible reasons for this error, one notable occurrence was on Windows XP and Windows Server 2003 systems with an older version of Rebex components - we added a workaround for it in 2012 R2. Which version of Rebex FTP/SSL do you currently use?

commented Nov 1, 2013 by dennis (160 points)
edited Nov 1, 2013

The customer is using Windows 7 and we are using 2012 R3.

0 votes
answered Nov 1, 2013 by dennis (160 points)
edited Nov 1, 2013

Lukas or others?

See my comment above........ The customer is using Windows 7 and we are using 2012 R3.

So, other thoughts? Could it be the firewall? The exception appears to be thrown on the connect.

0 votes
answered Nov 4, 2013 by Tomas Knopp (58,890 points)
edited Nov 4, 2013

Hello,

the error "Unable to perform revocation check of the server certificate." is thrown in cases where it is not possible to check whether the certificate is revoked or not. Such a check includes connecting to the CRL server, downloading the revocation list and checking that the certificate is not revoked.

Would it be possible to try running the following code from a simple console application to determine whether this is an issue in Rebex code or whether the same result can be reproduced using .NET objects only?

    using System;
    using System.Security.Cryptography.X509Certificates;
    using Rebex.Net;
    using Rebex.Security.Certificates;

    class Program
    {
        static void Main()
        {
            // 1. Use Rebex FTP to download the server certificate into a file.
            //    Certificate validation is switched off here only so that the
            //    certificate can be fetched and saved for the test in step 2.
            Ftp client = new Ftp();
            client.Settings.SslAcceptAllCertificates = true;
            client.Connect("server", SslMode.Implicit); // replace "server" with the FTP host name
            client.TlsSocket.ServerCertificate[0].Save("cert.der", CertificateFormat.Base64Der);
            client.Disconnect();

            // 2. Validate the certificate (from the file) without using any Rebex code
            X509Certificate2 cert = new X509Certificate2("cert.der");

            // Check revocation online for every certificate in the chain except the root
            X509ChainPolicy policy = new X509ChainPolicy();
            policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            policy.RevocationMode = X509RevocationMode.Online;

            X509Chain chain = new X509Chain(false);
            try
            {
                chain.ChainPolicy = policy;

                bool valid = chain.Build(cert);
                Console.WriteLine("Is valid: {0}", valid);

                // Print every problem Windows reported while building the chain
                foreach (X509ChainStatus s in chain.ChainStatus)
                {
                    X509ChainStatusFlags flags = s.Status;

                    Console.WriteLine("Status: {0}", flags);
                }
            }
            finally
            {
                chain.Reset();
            }
        }
    }

What results does it show?

...
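As an added example (not part of the original answers and not Rebex code), the program below extends the .NET-only test from the last answer: it reports the status of each chain element, separates "revocation data unreachable" from "actually revoked", and prints the CRL and OCSP locations so the help desk can check whether the firewall or proxy blocks them. The names `RevocationTriage` and `Classify` and the 15-second timeout are illustrative choices; it assumes `cert.der` was saved by step 1 above and that it runs on Windows, where `Format(true)` renders these extensions as readable text.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

class RevocationTriage
{
    // Flags meaning "revocation status could not be determined" (CRL/OCSP not reachable),
    // as opposed to Revoked, which means the issuer really revoked the certificate.
    const X509ChainStatusFlags Unreachable =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    static string Classify(X509ChainStatusFlags flags)
    {
        if ((flags & X509ChainStatusFlags.Revoked) != 0) return "REVOKED by issuer";
        if ((flags & Unreachable) != 0) return "revocation data unreachable (check proxy/firewall)";
        if (flags != X509ChainStatusFlags.NoError) return "other chain problem: " + flags;
        return "ok";
    }

    static void Main(string[] args)
    {
        // cert.der is the file saved by step 1 of the answer above (assumed to exist)
        X509Certificate2 cert = new X509Certificate2(args.Length > 0 ? args[0] : "cert.der");

        X509Chain chain = new X509Chain(false);
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15); // arbitrary example value
        try
        {
            Console.WriteLine("Chain valid: {0}", chain.Build(cert));
            foreach (X509ChainElement element in chain.ChainElements)
            {
                // Combine all status flags reported for this one certificate
                X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
                foreach (X509ChainStatus s in element.ChainElementStatus) flags |= s.Status;
                Console.WriteLine("{0}\n  -> {1}", element.Certificate.Subject, Classify(flags));

                // 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP)
                foreach (X509Extension ext in element.Certificate.Extensions)
                    if (ext.Oid.Value == "2.5.29.31" || ext.Oid.Value == "1.3.6.1.5.5.7.1.1")
                        Console.WriteLine("  {0}:\n{1}", ext.Oid.Value, ext.Format(true));
            }
        }
        finally
        {
            chain.Reset();
        }
    }
}
```

If an element is reported as unreachable, the URLs printed beneath it are the ones to test from the customer's machine, since CRL and OCSP lookups go out over HTTP separately from the FTP connection on port 990.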