EldoS | Feel safer!
OCSP failed for Thawte cert

#16206
Posted: 04/13/2011 08:49:55
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I used SBB to write an SSL server. A client using OpenSSL works fine with this connection and I also wrote a client using SBB which initially worked fine. That client is part of a larger project that isn't yet released to customers.

Today, I had a report of a problem with the server. The issue had nothing to do with SBB, but during the investigation I noticed that the custom client was failing to establish the connection.

I investigated and found that the problem occurred during the certificate validation phase. Specifically, the ValidateForSSL method of TElX509CertificateValidator was returning cvInvalid and the Reason set was (vrOCSPNotVerified).

I disabled CRL and OCSP checking and it then worked. I then re-enabled the checks and it worked again.

I've talked with the thawte people and they insist there was no outage on their side. Since the issue doesn't happen any more, it's hard to diagnose exactly the cause of the problem now.

However, I was a bit taken aback by the fact that I had no information about WHY the check failed. Did the connection to the server fail? Was the certificate actually reported as revoked? Was it part of the server answer that didn't pass muster?

I didn't have enough time to dig deeper into the issue before it went away but I'd like to be prepared next time: is there some sample code that could show me how to get the exact reason why an OCSP check failed in a ValidateForSSL call ?

Thank you,
Stephane
#16207
Posted: 04/13/2011 09:23:10
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

The reason for the ValidateForSSL failure might be a temporary problem with the Internet connection on the client side.

You can handle the ElX509CertificateValidator.OnBeforeOCSPClientUse event, where you should assign a custom handler for the TElHTTPOCSPClient(OCSPClient).HTTPClient.OnError event. Then you can get more information about the reason for [vrOCSPNotVerified] in this handler.
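The event wiring described above, as an added Delphi example that is not code from this thread or from EldoS: the SBB unit names and the two event signatures are assumptions about SecureBlackbox and should be checked against the declarations in the installed version. Read LastLocation and LastErrorCode right after ValidateForSSL returns cvInvalid with vrOCSPNotVerified.

```delphi
// Added example; SBB unit names and event signatures are ASSUMED, check them
// against the declarations in the installed SecureBlackbox version.
unit OCSPDiag;
interface
uses SysUtils, SBX509, SBCertValidator, SBOCSPClient, SBHTTPOCSPClient;
type
  // Hooks the validator so a vrOCSPNotVerified result can be traced to the
  // responder URL that was contacted and the HTTP-level error it produced.
  TOCSPDiag = class
  private
    FLastLocation: string;
    FLastErrorCode: Integer;
    procedure BeforeOCSPClientUse(Sender: TObject; Certificate,
      CACertificate: TElX509Certificate; const OCSPLocation: string;
      OCSPClient: TElOCSPClient);                  // assumed signature
    procedure HTTPError(Sender: TObject; ErrorCode: Integer;
      Fatal, Remote: Boolean);                     // assumed signature
  public
    constructor Create(Validator: TElX509CertificateValidator);
    property LastLocation: string read FLastLocation;
    property LastErrorCode: Integer read FLastErrorCode;
  end;

implementation

constructor TOCSPDiag.Create(Validator: TElX509CertificateValidator);
begin
  inherited Create;
  // OCSP checking must stay enabled on the validator or the event never fires.
  Validator.OnBeforeOCSPClientUse := BeforeOCSPClientUse;
end;

procedure TOCSPDiag.BeforeOCSPClientUse(Sender: TObject; Certificate,
  CACertificate: TElX509Certificate; const OCSPLocation: string;
  OCSPClient: TElOCSPClient);
begin
  FLastLocation := OCSPLocation;   // responder URL, e.g. http://ocsp.thawte.com/
  FLastErrorCode := 0;             // reset per request; 0 = no transport error seen
  if OCSPClient is TElHTTPOCSPClient then
    TElHTTPOCSPClient(OCSPClient).HTTPClient.OnError := HTTPError;
end;

procedure TOCSPDiag.HTTPError(Sender: TObject; ErrorCode: Integer;
  Fatal, Remote: Boolean);
begin
  // Nonzero: the request failed at HTTP/transport level before any OCSP status was seen.
  FLastErrorCode := ErrorCode;
end;

end.
```

A nonzero LastErrorCode points at connectivity to the responder rather than at the certificate's revocation status, which is exactly the distinction the original poster could not make.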
#16208
Posted: 04/13/2011 09:51:42
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Ok, thank you. I will implement that and see where this leads.

Oh, and I did verify that I had connectivity to http://ocsp.thawte.com/

Regards,
Stephane
