Unable to perform revocation check of the server certificate

Question

Hi there,

One of my customers is receiving this error message from REBEX which is embedded in a DLL. Here is what we are trying to do:

FTP with Implicit SSL on port 990. FTP site is bairddocs.sharefileftp.com

No other customer has this problem. I am trying to figure out why this error has been thrown: Could it be the customer's firewall? Could it be an OS issue ( I am trying to figure out if they are on XP, Vista or Windows 7).

I am trying to work with the customer's Help Desk to make certain that their corporate firewall is not blocking requests or ports, etc. We have had this issue with some customers.

Answer 1

Hi,

although there are several possible reasons for this error, one notable occurance was on Windows XP and Windows Server 2003 systems with older version of Rebex components - we added a workaround for it in 2012 R2. Which version of Rebex FTP/SSL do you currently use?

Comments

The customer is using Windows 7 and we are using 2012 R3.

Answer 2

Lukas or others?

See my comment above........ The customer is using Windows 7 and we are using 2012 R3.

So, other thoughts? Could it be the firewall? The exception appears to be thrown on the connect.

Answer 3

Hello,

the "Unable to perform revocation check of the server certificate" error is thrown in case where it is not possible to check whether the certificate is revoked or not. Such a check includes connecting to the CRL server, downloading the revocation list and checking that certificate is not revoked.

Would it be possible to try running the following code from a simple console application to determine whether this is an issue in Rebex code or whether the same result can be reproduced using .NET objects only?

using System;
using Rebex.Net;
using Rebex.Security.Certificates
using System.Security.Cryptography.X509Certificates;

// 1. Use Rebex FTP to download the server certificate chain into a series of files
var client = new Ftp();
client.Settings.SslAcceptAllCertificates = true;
client.Connect("test.rebex.net", SslMode.Implicit);
for (int n = 0; n < client.TlsSocket.ServerCertificate.Count; n++)
{
    client.TlsSocket.ServerCertificate[n].Save("cert" + n + ".der", CertificateFormat.Base64Der);
}


// 2. Validate the certificate chain (from the saved files) without using any Rebex code

X509Certificate2 cert = new X509Certificate2("cert0.der");

X509ChainPolicy policy = new X509ChainPolicy();
policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
policy.RevocationMode = X509RevocationMode.Online;
for (int n = 0; File.Exists("cert" + n + ".der"); n++)
{
    X509Certificate2 cert2 = new X509Certificate2("cert" + n + ".der");
    policy.ExtraStore.Add(cert2);
}
Console.WriteLine("Loaded chain with {0} certificates.", policy.ExtraStore.Count + 1);

X509Chain chain = new X509Chain(false);
try
{
    chain.ChainPolicy = policy;

    bool valid = chain.Build(cert);
    Console.WriteLine("Is valid: {0}", valid);
    foreach (X509ChainStatus s in chain.ChainStatus)
    {
        X509ChainStatusFlags flags = s.Status;

        Console.WriteLine("Status: {0}", flags);
    }
}
finally
{
    chain.Reset();
}

What results does it show?