Discuss this help topic in SecureBlackbox Forum

Ignore CRL and OCSP retrieval errors during certificate validation

Sometimes certificate validation fails because it is impossible to obtain a particular CRL or OCSP response from a remote source (due to a misconfigured network, periodic system maintenance, or a badly organised PKI infrastructure). In some cases it might be reasonable to temporarily tolerate this kind of failure and proceed with the validation anyway.

There are two ways to keep revocation checks from failing validation in TElX509CertificateValidator.

The first method is configuration. You can switch off CRL and/or OCSP validation entirely by setting CheckOCSP and/or CheckCRL to false. Alternatively, leave the above properties set to true, but set MandatoryCRLCheck, MandatoryOCSPCheck and/or MandatoryRevocationCheck to false. The latter configuration is the more secure and flexible choice, because revocation details are checked wherever possible, but the validator is tolerant of check failures.

The second method is to modify a failed validation result when the failure is caused solely by the inability to retrieve the revocation element. This is done inside the OnAfterCertificateValidation event handler. First, check the Validity and Reason parameters. If Validity is set to cvInvalid and Reason consists of one or both of the vrCRLNotVerified and vrOCSPNotVerified flags (and no other flags are present!), change their values to cvValid and 0, respectively. This makes the validator continue with the validation. If any other flag is present (for example, a revoked or expired certificate), leave the result untouched, since the failure is then a genuine validation problem and not a retrieval error.
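The decision rule above is easy to get wrong: a handler that only tests whether vrCRLNotVerified or vrOCSPNotVerified is *present* would also wave through a certificate that is revoked and whose CRL also failed to download. The following is an added example, not SecureBlackbox code and not the real OnAfterCertificateValidation signature: it models the Validity and Reason parameters with constructed Python enums (the flag names mirror the help text, the numeric values are arbitrary) and implements the "only those flags" check, recording every tolerated failure so that it can be audited later.

```python
from enum import Enum, Flag, auto


class Validity(Enum):
    """Constructed stand-in for the validator's Validity parameter."""
    VALID = "cvValid"
    INVALID = "cvInvalid"


class Reason(Flag):
    """Constructed stand-in for the Reason flags.

    Names mirror the help text; the numeric values are arbitrary and
    are NOT the values used by SecureBlackbox.
    """
    NONE = 0
    CRL_NOT_VERIFIED = auto()    # vrCRLNotVerified
    OCSP_NOT_VERIFIED = auto()   # vrOCSPNotVerified
    REVOKED = auto()             # vrRevoked
    EXPIRED = auto()             # vrExpired
    UNKNOWN_CA = auto()          # vrUnknownCA


# The only two reasons that are allowed to be tolerated: both mean
# "could not retrieve/verify revocation data", not "certificate is bad".
RETRIEVAL_ONLY = Reason.CRL_NOT_VERIFIED | Reason.OCSP_NOT_VERIFIED


def tolerate_revocation_retrieval_failure(validity, reason, audit_log):
    """Model of the OnAfterCertificateValidation handler described above.

    Returns the (possibly adjusted) (validity, reason) pair.  The result is
    changed to (VALID, NONE) only when the certificate was rejected and the
    rejection reasons consist exclusively of CRL/OCSP retrieval failures.
    Every adjustment is appended to audit_log so that the tolerance is
    visible to whoever reviews the deployment later.
    """
    if validity is not Validity.INVALID:
        # Nothing to fix; the validator already accepted the certificate.
        return validity, reason

    if reason == Reason.NONE:
        # Invalid with no stated reason: do not guess, leave it rejected.
        return validity, reason

    other_flags = reason & ~RETRIEVAL_ONLY
    if other_flags != Reason.NONE:
        # A real problem (revoked, expired, unknown CA, ...) is present,
        # possibly alongside a retrieval failure.  Keep the rejection.
        return validity, reason

    audit_log.append(
        f"tolerated revocation retrieval failure: {reason} -> {Validity.VALID.value}"
    )
    return Validity.VALID, Reason.NONE


def demo():
    """Run the handler over constructed validation outcomes."""
    log = []
    cases = {
        "crl only": (Validity.INVALID, Reason.CRL_NOT_VERIFIED),
        "crl and ocsp": (Validity.INVALID, RETRIEVAL_ONLY),
        "revoked plus crl": (Validity.INVALID,
                             Reason.REVOKED | Reason.CRL_NOT_VERIFIED),
        "already valid": (Validity.VALID, Reason.NONE),
    }
    results = {name: tolerate_revocation_retrieval_failure(v, r, log)
               for name, (v, r) in cases.items()}
    return results, log


if __name__ == "__main__":
    outcomes, audit = demo()
    for name, (validity, reason) in outcomes.items():
        print(f"{name:18} -> {validity.value}, {reason}")
    print("\n".join(audit))
```

The `other_flags != Reason.NONE` test is the whole point: it rejects the result as soon as any flag outside the two retrieval flags is set, which is what the "any other flags are absent!" condition in the text requires. In a production handler the audit line should go to the application's normal log so that an environment in which revocation data is permanently unreachable does not stay silently tolerated.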
