EldoS | Feel safer!
How can I troubleshoot error vrCRLNotVerified = 128

#30599
Posted: 09/04/2014 09:26:35
by Thanh Khong (Basic support level)
Joined: 09/04/2014
Posts: 3

Hello,

I am trying to connect to an external FTPS site but am having trouble connecting because I am receiving a "vrCRLNotVerified = 128 - Certificate Revocation List for this certificate could not be retrieved and/or validated." error. Here is the code block that is throwing the error.

Code
Private Sub client_OnCertificateValidate(Sender As Object, Certificate As SBX509.TElX509Certificate, ByRef Validate As Boolean) Handles client.OnCertificateValidate
    Dim Validity As SBX509.TSBCertificateValidity
    Dim Reason As Integer
    Dim CertificateValidator = New SBCertValidator.TElX509CertificateValidator

    ' Run the full validation once, for the end-entity (leaf) certificate only.
    ' OrElse short-circuits, so Certificate.Chain is not dereferenced when it is Nothing.
    If (Certificate.Chain Is Nothing OrElse Certificate.Chain.Certificates(0) Is Certificate) Then
        ' Validates the chain for the connected host/IP (including CRL/OCSP checks);
        ' the verdict comes back in Validity, the reason flags (e.g. vrCRLNotVerified = 128) in Reason.
        CertificateValidator.ValidateForSSL(Certificate, client.RemoteHost, client.RemoteIP, TSBHostRole.hrServer, Nothing, False, False, DateTime.Now, Validity, Reason)
        ' Note: accepting cvSelfSigned means any self-signed server certificate is trusted.
        Validate = (Validity = SBX509.TSBCertificateValidity.cvOk) Or (Validity = SBX509.TSBCertificateValidity.cvSelfSigned)
    Else
        ' Intermediate certificates are covered by the chain validation above.
        Validate = True
    End If
End Sub


So Validity is coming back as 2 (Certificate is invalid), and the Reason code is 128.

So I read this article https://www.eldos.com/security/articles/7639.php and it recommends tuning the check for CRL/OCSP. The only changes I can make to get the validation to work are setting MandatoryCRLCheck and MandatoryOCSPCheck to false.

Code
' Do not treat a CRL/OCSP response that cannot be retrieved as a validation failure.
CertificateValidator.MandatoryCRLCheck = False
CertificateValidator.MandatoryOCSPCheck = False


With that the Reason value I get is

Provided certificate doesn't include the specified name and / or IP address. Either the remote side in TLS or sender in S/MIME is misconfigured, or the certificate is misused by the remote side or sender, or authenticity of the remote side or sender is forged.

I'm not getting much help from the provider I'm trying to connect to. What can I do to help them figure out the problem?
#30600
Posted: 09/04/2014 09:29:33
by Eugene Mayevski (EldoS Corp.)

The server seems to be using an invalid certificate, i.e. a certificate that was not issued for the given server. You have two options, really: either ignore the error (and your security will be void) or cancel the connection.

Please note that we don't provide support for issues related to validation of particular certificates and certificate chains.


Sincerely yours
Eugene Mayevski
#30672
Posted: 09/10/2014 16:47:18
by Thanh Khong (Basic support level)
Joined: 09/04/2014
Posts: 3

Hi Eugene,

Thank you for the quick reply. I know you don't provide support for validation of particular certs but I wanted to bring something to your attention. I was able to get in contact with the FTPS provider and they pointed me to https://www.digicert.com/help/ to validate the SSL as a third party. Putting in their URL returns a valid certificate. In fact it states that the "SSL Certificate has not been revoked" which is what we thought was the case in my original post.

My issue is digicert is validating the certificate but SecureBlackBox isn't. Is there something I'm doing wrong in my code?
#30678
Posted: 09/11/2014 02:09:38
by Vsevolod Ievgiienko (EldoS Corp.)

Your code is correct. As Eugene wrote above, vrIdentityMismatch is returned when the validated certificate is not issued for the server being connected to. It's possible that Digicert doesn't check this case and checks the certificate only for revocation.
#30742
Posted: 09/16/2014 11:39:34
by Thanh Khong (Basic support level)
Joined: 09/04/2014
Posts: 3

Vsevolod,

Thank you for your reply. Another question I have: does SecureBlackbox care about wildcard certificates? I'll explain.

The site I am connecting to is site.ftpsite.com (generic name). But the certificate refers to *.ftpsite.com, like below:

Common Name = *.ftpsite.com
Subject Alternative Names = *.ftpsite.com, ftpsite.com

Should this certificate still validate?
#30743
Posted: 09/16/2014 11:44:38
by Eugene Mayevski (EldoS Corp.)

Wildcard certificates are handled according to the corresponding RFCs, so they should not make a problem during validation.


Sincerely yours
Eugene Mayevski
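As an added example (not SecureBlackbox code and not part of the original thread), the following Python implements the RFC 6125 name-matching rules Eugene refers to and applies them to the certificate from the question (CN *.ftpsite.com, SANs *.ftpsite.com and ftpsite.com); the host names it is checked against and the IP address 203.0.113.5 are constructed.

```python
import ipaddress


def dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (possibly a wildcard) against a hostname, RFC 6125 6.4.3:
    the wildcard must be the whole left-most label, matches exactly one label,
    and may not be in the top- or second-level label ("*.com" is rejected)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # malformed or over-broad wildcard: refuse rather than guess
    # "*.ftpsite.com" matches "site.ftpsite.com" but not "a.b.ftpsite.com",
    # nor the bare "ftpsite.com" (which needs its own SAN entry, as it has here).
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_identifies_host(common_name, san_dns, san_ip, host) -> bool:
    """True if the certificate's identifiers cover `host` (a name or IP literal).
    An IP literal must appear verbatim as an iPAddress SAN. For a name, dNSName
    SANs are authoritative; the CN is a fallback only when no dNSName exists."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(ipaddress.ip_address(ip) == addr for ip in san_ip)
    candidates = san_dns if san_dns else ([common_name] if common_name else [])
    return any(dns_pattern_matches(p, host) for p in candidates)


# Certificate from the thread: CN=*.ftpsite.com, SANs *.ftpsite.com and ftpsite.com.
THREAD_CN = "*.ftpsite.com"
THREAD_SAN_DNS = ["*.ftpsite.com", "ftpsite.com"]


def check_thread_hosts() -> dict:
    """Evaluate constructed host names (and a constructed IP) against the certificate."""
    hosts = ["site.ftpsite.com", "ftpsite.com", "a.b.ftpsite.com",
             "ftp.other-provider.example", "203.0.113.5"]
    return {h: certificate_identifies_host(THREAD_CN, THREAD_SAN_DNS, [], h)
            for h in hosts}


if __name__ == "__main__":
    for host, ok in check_thread_hosts().items():
        print(f"{host:28s} {'match' if ok else 'identity mismatch (vrIdentityMismatch)'}")
```

The last two constructed hosts show the vrIdentityMismatch situation from the thread: a name the certificate does not cover, and a connection by IP literal when the certificate carries no iPAddress SAN.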