Hello, I am using the Security component and when I validate a certificate I want to skip the CRL/OCSP check

0 votes
asked Oct 10 by michalis.viglakis (180 points)

More specifically, calling
certificate.Validate(ValidationOptions.SkipRevocationCheck)
or certificate.Validate(ValidationOptions.UseCacheOnly)
or certificate.Validate(ValidationOptions.None),
I see in Fiddler a request to the CRL URL.

The validation result is valid in all cases (that's irrelevant).

To my understanding, I expect not to hit the URLs for revocation checks when using the options UseCacheOnly or SkipRevocationCheck.

Any ideas please?
Thanks, Michalis

1 Answer

0 votes
answered Oct 10 by Lukas Pokorny (94,670 points)

I would also expect those URLs not to be hit with those options. However, on most platforms, Certificate's Validate method uses .NET's System.Security.Cryptography.X509Certificates.X509Chain class internally now, so it would be useful to check whether that actually behaves the same.

Do you see a request to the CRL URL with this code?

using System.Security.Cryptography.X509Certificates;

X509ChainPolicy policy = new X509ChainPolicy();
policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
policy.RevocationMode = X509RevocationMode.NoCheck; // no CRL/OCSP lookups
X509Chain chain = new X509Chain(false);
chain.ChainPolicy = policy; // the policy must be attached, otherwise the chain keeps its default (Online) revocation mode
bool valid = chain.Build(certificate);
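As an added example (not part of the answer above or of the Rebex or .NET code), the same X509Chain check as a complete program that attaches the policy to the chain, disables CRL/OCSP lookups, sets the UrlRetrievalTimeout mentioned later in this thread, and prints the chain status so an unexpected revocation lookup shows up as a status entry rather than being silently absorbed. The certificate file path "leaf.cer" is a hypothetical placeholder.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainCheck
{
    // Builds the chain with revocation checking switched off and reports
    // every status flag .NET attached to the result.
    public static bool ValidateWithoutRevocation(X509Certificate2 certificate)
    {
        var policy = new X509ChainPolicy
        {
            RevocationMode = X509RevocationMode.NoCheck,      // no CRL/OCSP network requests
            RevocationFlag = X509RevocationFlag.ExcludeRoot,  // ignored while NoCheck is set
            UrlRetrievalTimeout = TimeSpan.FromSeconds(5)     // only matters if a fetch does happen
        };

        using (var chain = new X509Chain(false)) // false = current-user store context
        {
            // A policy object that is never assigned leaves the chain on its
            // default policy, whose RevocationMode is Online.
            chain.ChainPolicy = policy;

            bool valid = chain.Build(certificate);

            // With NoCheck, RevocationStatusUnknown/OfflineRevocation should not
            // appear; if they do, the policy was not the one actually used.
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.WriteLine($"{status.Status}: {status.StatusInformation}");
            }
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.WriteLine($"  {element.Certificate.Subject}");
            }
            return valid;
        }
    }

    static void Main()
    {
        // "leaf.cer" is a hypothetical path to the certificate under test.
        using (var certificate = new X509Certificate2("leaf.cer"))
        {
            Console.WriteLine(ValidateWithoutRevocation(certificate) ? "valid" : "invalid");
        }
    }
}
```

Run it with Fiddler (or any proxy) attached: with the policy attached as shown, no request to the CRL distribution point should be observed.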
commented Oct 11 by michalis.viglakis (180 points)
edited Oct 11 by michalis.viglakis
Thanks for the answer, I also see the request using the above code.
So, now my question is, since .NET does not take into account its own flags, is there any variable on my machine that forces .NET classes to discard the chain flags?
Unless this functionality does not work anywhere.

And another question, can I set in Rebex API the chain.ChainPolicy.UrlRetrievalTimeout?
commented Oct 11 by Lukas Pokorny (94,670 points)
We are actually unable to reproduce this issue ourselves - if you know a reliable (or at least semi-reliable) way to trigger it (such as using a specific certificate or CRL expiration time), please let us know. We would like to look into this as well.
What do you mean by "discarding the chain flags"?

It's not currently possible to set ChainPolicy.UrlRetrievalTimeout, although we do plan some enhancements in this area.
commented Oct 11 by michalis.viglakis (180 points)
I suppose there is an issue with my proxy.
Thanks for the help