0 votes
by (220 points)

More specifically,
Calling certificate.Validate(ValidationOptions.SkipRevocationCheck)
or certificate.Validate(ValidationOptions.UseCacheOnly)
or certificate.Validate(ValidationOptions.None)
I see in Fiddler a request to the CRL URL.

The validation result is valid in all cases (that's irrelevant).

To my understanding, I would expect the revocation-check URLs not to be hit with the options UseCacheOnly or SkipRevocationCheck.

Any ideas please?
Thanks, Michalis

1 Answer

0 votes
by (148k points)

I would also expect those URLs not to be hit with those options. However, on most platforms, Certificate's Validate method now uses .NET's System.Security.Cryptography.X509Certificates.X509Chain class internally, so it would be useful to check whether that actually behaves the same.

Do you see a request to the CRL URL with this code?

using System.Security.Cryptography.X509Certificates;

X509ChainPolicy policy = new X509ChainPolicy();
policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
policy.RevocationMode = X509RevocationMode.NoCheck;
X509Chain chain = new X509Chain(false);
chain.ChainPolicy = policy; // the policy only takes effect once it is attached to the chain
bool valid = chain.Build(certificate);
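As an added diagnostic (not code from this answer or from Rebex), the following builds the chain with the policy actually attached and lists every status flag that comes back, so you can compare NoCheck against a forced Online lookup on the same machine and see whether X509Chain honours the policy there. The class name and the self-signed test certificate are constructed for the example; the test certificate carries no CRL distribution point, so the run needs no network.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of Rebex or .NET): build a chain under an explicit
// revocation policy and report which revocation-related status flags were produced.
static class ChainDiagnostics
{
    public static X509ChainStatusFlags BuildAndReport(
        X509Certificate2 cert, X509RevocationMode mode, X509RevocationFlag scope, TimeSpan urlTimeout)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.ChainPolicy.RevocationFlag = scope;
        chain.ChainPolicy.UrlRetrievalTimeout = urlTimeout;          // settable on the raw chain
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool built = chain.Build(cert);
        X509ChainStatusFlags combined = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            combined |= s.Status;
            Console.WriteLine($"  {s.Status}: {s.StatusInformation?.Trim()}");
        }

        // Any of these flags means the engine actually tried to evaluate revocation.
        const X509ChainStatusFlags revocationRelated =
            X509ChainStatusFlags.RevocationStatusUnknown |
            X509ChainStatusFlags.OfflineRevocation |
            X509ChainStatusFlags.Revoked;
        bool consulted = (combined & revocationRelated) != 0;
        Console.WriteLine($"  Build() returned {built}; revocation evaluated: {consulted}");
        return combined;
    }

    static void Main()
    {
        // Constructed self-signed certificate for the example; it is untrusted on purpose
        // (expect UntrustedRoot in both runs) and has no CDP, so Online mode cannot fetch a CRL.
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=chain-diag-test", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));

        Console.WriteLine("NoCheck / ExcludeRoot (what the snippet above intends):");
        BuildAndReport(cert, X509RevocationMode.NoCheck, X509RevocationFlag.ExcludeRoot, TimeSpan.FromSeconds(5));

        Console.WriteLine("Online / EntireChain (forces a revocation lookup, root included):");
        BuildAndReport(cert, X509RevocationMode.Online, X509RevocationFlag.EntireChain, TimeSpan.FromSeconds(5));
    }
}
```

If the first run prints any revocation-related flag, or Fiddler shows traffic during it, the policy is not being honoured on that machine; if only the second run does, X509Chain itself behaves as documented and the traffic seen earlier has another source.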
by (220 points)
Thanks for the answer. I also see the request using the above code.
So, now my question is, since .NET does not take into account its own flags, is there any variable on my machine that forces .NET classes to discard the chain flags?
Unless this functionality does not work anywhere.

And another question: can I set chain.ChainPolicy.UrlRetrievalTimeout in the Rebex API?
by (148k points)
We are actually unable to reproduce this issue ourselves - if you know a reliable (or at least semi-reliable) way to trigger it (such as using a specific certificate or CRL expiration time), please let us know. We would like to look into this as well.
What do you mean by "discarding the chain flags"?

It's not currently possible to set ChainPolicy.UrlRetrievalTimeout, although we do plan some enhancements in this area.
by (220 points)
I suppose there is an issue with my proxy.
Thanks for the help.