EldoS | Feel safer!

Software components for data protection, secure storage and transfer

OCSP failed for Thawte cert

Posted: 04/13/2011 08:49:55
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 174
I used SBB to write an SSL server. A client using OpenSSL works fine with this connection, and I also wrote a client using SBB which initially worked fine. That client is part of a larger project that isn't yet released to customers.

Today, I had a report of a problem with the server. The issue had nothing to do with SBB, but during the investigation I noticed that the custom client was failing to establish the connection.

I investigated and found that the problem occurred during the certificate validation phase. Specifically, the ValidateForSSL method of TElX509CertificateValidator was returning cvInvalid and the Reason set was (vrOCSPNotVerified).

I disabled CRL and OCSP checking and it then worked. I then re-enabled the checks and it worked again.

I've talked with the Thawte people and they insist there was no outage on their side. Since the issue doesn't happen any more, it's hard to diagnose the exact cause of the problem now.

However, I was a bit taken aback by the fact that I had no information about WHY the check failed. Did the connection to the server fail? Was the certificate actually reported as revoked? Was it part of the server answer that didn't pass muster?

I didn't have enough time to dig deeper into the issue before it went away, but I'd like to be prepared next time: is there some sample code that could show me how to get the exact reason why an OCSP check failed in a ValidateForSSL call?

Thank you,

Posted: 04/13/2011 09:23:10
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

The reason for the ValidateForSSL failure might be a temporary problem with the Internet connection on the client side.

You can handle the ElX509CertificateValidator.OnBeforeOCSPClientUse event, where you should assign a custom handler for the TElHTTPOCSPClient(OCSPClient).HTTPClient.OnError event. Then you can get more information about the reason for [vrOCSPNotVerified] in this handler.
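One way to wire up the two events named in the answer above, as an added example that is not part of this thread and not code from SecureBlackbox's own samples. It is written for the Delphi edition of SBB and assumes the unit names, the OnBeforeOCSPClientUse and HTTPClient.OnError signatures, the ValidateForSSL parameter list and the hrServer host-role value shown here; check each of them against the SBB version you link against. The point is to separate a transport failure (responder unreachable, HTTP-level error) from a response that arrived but was rejected, which is the distinction the original question asks for.

```delphi
{ Added diagnostic wrapper; not from the thread and not part of SecureBlackbox.
  Assumed (verify against your SBB units): unit names in the uses clause,
  the two event signatures, the ValidateForSSL parameter list and hrServer. }
unit OcspDiag;

interface

uses
  SysUtils, SBX509, SBCertValidator, SBOCSPClient, SBHTTPOCSPClient, SBHTTPSClient;

type
  TOcspDiag = class
  private
    FValidator: TElX509CertificateValidator;
    FOcspLocation: string;   { responder URL of the last OCSP request }
    FHttpErrorCode: Integer; { 0 = no transport error was reported }
    FHttpErrorFatal: Boolean;
    FHttpErrorRemote: Boolean;
    procedure BeforeOCSPClientUse(Sender: TObject;
      Certificate, CACertificate: TElX509Certificate;
      const OCSPLocation: string; OCSPClient: TElOCSPClient);
    procedure OcspHttpError(Sender: TObject; ErrorCode: Integer;
      Fatal, Remote: Boolean);
  public
    constructor Create;
    destructor Destroy; override;
    { True when the certificate validates; otherwise Explanation says why not. }
    function ValidateServerCert(Cert: TElX509Certificate;
      const DomainName: string; out Explanation: string): Boolean;
  end;

implementation

constructor TOcspDiag.Create;
begin
  inherited Create;
  FValidator := TElX509CertificateValidator.Create(nil);
  FValidator.CheckCRL := True;
  FValidator.CheckOCSP := True;
  FValidator.OnBeforeOCSPClientUse := BeforeOCSPClientUse;
end;

destructor TOcspDiag.Destroy;
begin
  FValidator.Free;
  inherited;
end;

procedure TOcspDiag.BeforeOCSPClientUse(Sender: TObject;
  Certificate, CACertificate: TElX509Certificate;
  const OCSPLocation: string; OCSPClient: TElOCSPClient);
begin
  { Fires once per OCSP request: remember the responder, clear the previous
    transport error and hook the HTTP client so failures are not silently lost. }
  FOcspLocation := OCSPLocation;
  FHttpErrorCode := 0;
  if OCSPClient is TElHTTPOCSPClient then
    TElHTTPOCSPClient(OCSPClient).HTTPClient.OnError := OcspHttpError;
end;

procedure TOcspDiag.OcspHttpError(Sender: TObject; ErrorCode: Integer;
  Fatal, Remote: Boolean);
begin
  { ErrorCode is SBB's own HTTP client error code; keep it for the report. }
  FHttpErrorCode := ErrorCode;
  FHttpErrorFatal := Fatal;
  FHttpErrorRemote := Remote;
end;

function TOcspDiag.ValidateServerCert(Cert: TElX509Certificate;
  const DomainName: string; out Explanation: string): Boolean;
var
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
begin
  FOcspLocation := '';
  FHttpErrorCode := 0;
  { Assumed parameter list; adjust to the ValidateForSSL overload you have. }
  FValidator.ValidateForSSL(Cert, DomainName, '', hrServer, nil, True,
    Validity, Reason);
  Result := Validity = cvOk;
  if Result then
  begin
    Explanation := 'certificate valid';
    Exit;
  end;
  if vrOCSPNotVerified in Reason then
  begin
    if FHttpErrorCode <> 0 then
      { No usable answer from the responder: connectivity or HTTP problem }
      Explanation := Format(
        'OCSP check failed: HTTP error %d (fatal=%s, remote=%s) talking to %s',
        [FHttpErrorCode, BoolToStr(FHttpErrorFatal, True),
         BoolToStr(FHttpErrorRemote, True), FOcspLocation])
    else
      { Responder answered, but the validator did not accept the response }
      Explanation := Format(
        'OCSP check failed: response from %s was received but not accepted',
        [FOcspLocation]);
  end
  else
    Explanation := 'certificate invalid for a reason other than OCSP';
end;

end.
```

Calling ValidateServerCert(ServerCert, 'example.com', Why) on a failing certificate leaves Why naming the responder URL and the transport error code when the OCSP client never got an answer; when no transport error was recorded, the failure lies in the response itself rather than in reaching the responder. Because OnBeforeOCSPClientUse fires once per responder during chain validation, a production version should log every location it sees instead of keeping only the last one.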

Posted: 04/13/2011 09:51:42
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 174

OK, thank you. I will implement that and see where this leads.

Oh, and I did verify that I had connectivity to http://ocsp.thawte.com/