CertificateException : Server certificate was rejected by the verifier because of other problem.

0 votes
asked May 23 by dsouzac (290 points)

We are using IMAP as an inbound protocol for outlook.office365.com on port 993.

We are facing an issue in ValidateCertificate():

public virtual void ValidateCertificate(object sender, SslCertificateValidationEventArgs e)
{
    ValidationResult result;

    if (IgnoreCRLCheck)
        result = e.Certificate.Validate(e.ServerName, ValidationOptions.SkipRevocationCheck, CertificateChainEngine.LocalMachine);
    else
        result = e.Certificate.Validate(e.ServerName, ValidationOptions.None, CertificateChainEngine.LocalMachine);

    LogMessage.LogInfoProgress("ValidatingCertificate()", "result.Valid:" + result.Valid.ToString() + " Status:" + result.Status.ToString(), EmailQueue);

    if (result.Valid)
    {
        CertificateStatus = true;
        e.Accept();
    }
    else
    {
        CertificateError = result.Status.ToString();
        CertificateStatus = false;
        e.Reject();
    }
}

CertificateException : Server certificate was rejected by the verifier because of other problem.

Any pointers on this?

Imap Rebex version: 2.0.6026.0

Applies to: Rebex Secure Mail

1 Answer

0 votes
answered May 23 by Lukas Pokorny (82,430 points)
selected Jun 8 by dsouzac
 
Best answer

This exception only indicates that your custom certificate validator called e.Reject(). To be able to tell more, we would need to see result.Status. Please note that calling e.Reject(result.Status) instead of just e.Reject() would produce a more meaningful exception message.

commented May 24 by dsouzac (290 points)
We have logged the value of result.Status, and it is "IncompleteChain". The exception message is:

"CertificateException : Server certificate was rejected by the verifier because of other problem."

We are wondering what could cause this.

The same build with the same configuration is working in another lab environment.
commented May 24 by Lukas Pokorny (82,430 points)
Incomplete chain error indicates that the certificate engine was unable to construct the whole chain of certificates from the supplied certificate. A certificate chain includes the server certificate, any intermediate CA certificates and the root CA certificates. Calling "e.CertificateChain.Validate(...)" instead of "e.Certificate.Validate(...)" should solve the issue.

The original variant would still work if the intermediate CA certificates were available in the local machine's intermediate CA store. This is probably the case in the other lab environment. However, their presence is not guaranteed. Calling CertificateChain.Validate(...) ensures that intermediate CA certificates provided by the server are taken into account as well.
commented May 24 by dsouzac (290 points)
Thanks for your quick reply.

We are not calling "e.CertificateChain.Validate(...)"; instead we are calling "e.Certificate.Validate(...)", which you are suggesting. You can verify this in the source shared in the first question.

As the last parameter of "e.Certificate.Validate(...)" we have provided
CertificateChainEngine.LocalMachine

There we have only two options, LocalMachine and CurrentUser. I don't believe that will matter. What is your view?
commented May 24 by Lukas Pokorny (82,430 points)
I was suggesting you call "e.CertificateChain.Validate(...)". Calling "e.Certificate.Validate(...)" is incorrect in most scenarios and it's causing the exception. Sorry for the confusion. CertificateChainEngine does not matter in this case.
commented May 24 by dsouzac (290 points)
Oh sorry, I misunderstood it.

"CertificateChainEngine does not matter in this case."
So do you have any pointer or solution for this case?
commented May 24 by Lukas Pokorny (82,430 points)
Well, what happens if you use "e.CertificateChain.Validate(...)"? Is there still an exception? If there is, what's the value of result.Status?
commented May 29 by dsouzac (290 points)
Well, CertificateChain.Validate() solved this exception. Thank you, Lukas.
...
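
The fix this thread arrives at, written out as an added example (not code from the original posts or from Rebex): the handler validates the chain the server presented and passes the status to Reject. The class name ImapCertificateValidator and the Trace logging are stand-ins for the asker's own class and LogMessage helper, and the argument list of CertificateChain.Validate is assumed to mirror the call in the question.

```csharp
using System.Diagnostics;
using Rebex.Net;                    // SslCertificateValidationEventArgs
using Rebex.Security.Certificates;  // ValidationResult, ValidationOptions, CertificateChainEngine

// Hypothetical holder class; only the members the handler needs are shown.
public class ImapCertificateValidator
{
    public bool IgnoreCRLCheck { get; set; }
    public bool CertificateStatus { get; private set; }
    public string CertificateError { get; private set; }

    public virtual void ValidateCertificate(object sender, SslCertificateValidationEventArgs e)
    {
        ValidationOptions options = IgnoreCRLCheck
            ? ValidationOptions.SkipRevocationCheck
            : ValidationOptions.None;

        // Validate the chain the server sent (leaf plus intermediates), not the
        // leaf alone, so the outcome does not depend on which intermediate CA
        // certificates happen to be in the local machine's store.
        // Assumption: same arguments as e.Certificate.Validate in the question.
        ValidationResult result = e.CertificateChain.Validate(
            e.ServerName, options, CertificateChainEngine.LocalMachine);

        // Stand-in for the asker's LogMessage.LogInfoProgress call.
        Trace.WriteLine("ValidateCertificate(): Valid=" + result.Valid +
                        " Status=" + result.Status);

        if (result.Valid)
        {
            CertificateStatus = true;
            CertificateError = null;
            e.Accept();
        }
        else
        {
            CertificateStatus = false;
            CertificateError = result.Status.ToString();
            // Passing the status makes the CertificateException name the real
            // cause instead of "rejected ... because of other problem".
            e.Reject(result.Status);
        }
    }
}
```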