EldoS | Feel safer!


How can I troubleshoot error vrCRLNotVerified = 128

Posted: 09/04/2014 09:26:35
by Thanh Khong (Basic support level)
Joined: 09/04/2014
Posts: 3


I am trying to connect to an external FTPS site but am having trouble connecting because I am receiving a "vrCRLNotVerified = 128 - Certificate Revocation List for this certificate could not be retrieved and/or validated." error. Here is the code block that is throwing the error.

Private Sub client_OnCertificateValidate(Sender As Object, Certificate As SBX509.TElX509Certificate, ByRef Validate As Boolean) Handles client.OnCertificateValidate
    Dim Validity As SBX509.TSBCertificateValidity
    Dim Reason As Integer
    Dim CertificateValidator = New SBCertValidator.TElX509CertificateValidator

    ' Validate only the end-entity certificate: Chain is Nothing when a lone certificate
    ' was received, and Certificates(0) is the end-entity certificate when a chain exists.
    ' OrElse short-circuits, so Certificate.Chain.Certificates is not dereferenced when Chain is Nothing.
    If (Certificate.Chain Is Nothing OrElse Certificate.Chain.Certificates(0) Is Certificate) Then
        CertificateValidator.ValidateForSSL(Certificate, client.RemoteHost, client.RemoteIP, TSBHostRole.hrServer, Nothing, False, False, DateTime.Now, Validity, Reason)
        ' Validity reports the overall verdict; Reason carries the failure flags (here 128 = vrCRLNotVerified).
        Validate = (Validity = SBX509.TSBCertificateValidity.cvOk) Or (Validity = SBX509.TSBCertificateValidity.cvSelfSigned)
    End If

End Sub

So Validity is coming back as 2 (certificate is invalid), and the Reason code is 128.

So I read this article https://www.eldos.com/security/articles/7639.php and it recommends tuning the check for CRL/OCSP. The only changes I can make to get the validation to work are setting MandatoryCRLCheck and MandatoryOCSPCheck to false.

    CertificateValidator.MandatoryCRLCheck = False
    CertificateValidator.MandatoryOCSPCheck = False

With that the Reason value I get is

Provided certificate doesn't include the specified name and / or IP address. Either the remote side in TLS or sender in S/MIME is misconfigured, or the certificate is misused by the remote side or sender, or authenticity of the remote side or sender is forged.

I'm not getting much help from the provider I'm trying to connect to. What can I do to help them figure out the problem?
Posted: 09/04/2014 09:29:33
by Eugene Mayevski (Team)

The server seems to be using an invalid certificate, i.e. a certificate that was not issued for the given server. You have two options, really: either ignore the error (and your security will be void) or cancel the connection.

Please note that we don't provide support for issues related to validation of particular certificates and certificate chains.

Sincerely yours
Eugene Mayevski
Posted: 09/10/2014 16:47:18
by Thanh Khong (Basic support level)
Joined: 09/04/2014
Posts: 3

Hi Eugene,

Thank you for the quick reply. I know you don't provide support for validation of particular certs but I wanted to bring something to your attention. I was able to get in contact with the FTPS provider and they pointed me to https://www.digicert.com/help/ to validate the SSL as a third party. Putting in their URL returns a valid certificate. In fact it states that the "SSL Certificate has not been revoked" which is what we thought was the case in my original post.

My issue is digicert is validating the certificate but SecureBlackBox isn't. Is there something I'm doing wrong in my code?
Posted: 09/11/2014 02:09:38
by Vsevolod Ievgiienko (Team)

Your code is correct. As Eugene wrote above, vrIdentityMismatch is returned when the validated certificate is not issued for the server being connected to. It's possible that Digicert doesn't check this case and checks the certificate only for revocation.
Posted: 09/16/2014 11:39:34
by Thanh Khong (Basic support level)
Joined: 09/04/2014
Posts: 3


Thank you for your reply. Another question I have. Does Secureblackbox care about wildcard certificates? I'll explain.

The site I am connecting to is site.ftpsite.com (generic name). But the certificate refers to *.ftpsite.com like below

Common Name = *.ftpsite.com
Subject Alternative Names = *.ftpsite.com, ftpsite.com

Should this certificate still validate?
Posted: 09/16/2014 11:44:38
by Eugene Mayevski (Team)

Wildcard certificates are handled according to the corresponding RFCs, so they should not make a problem during validation.

Sincerely yours
Eugene Mayevski
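The identity check behind vrIdentityMismatch (the reply of 09/04 and 09/11) and the wildcard handling Eugene refers to (the reply of 09/16) are both the hostname-matching rules of RFC 6125 section 6.4.3. The following Python is an added illustration, not SecureBlackbox code and not from this thread: it applies those rules to the names shown in the thread (CN *.ftpsite.com, SANs *.ftpsite.com and ftpsite.com) and to a constructed mismatching host. The "at least two labels after the wildcard" rule is a simplification standing in for a public-suffix check; the function names are mine.

```python
"""RFC 6125-style server identity check, written as an added example.

Rules implemented (RFC 6125 s6.4.3 / s6.4.4, strict interpretation):
  * dNSName SANs are authoritative; the subject CN is consulted only when
    there are no dNSName SANs at all.
  * comparison is case-insensitive and ignores a trailing dot.
  * a wildcard must be the entire leftmost label ("*.ftpsite.com"), it
    matches exactly one label (never zero, never several, never a dot),
    and it must leave at least two literal labels to its right (a simple
    stand-in for "do not accept *.com" in place of a public-suffix list).
  * an IP-literal host is matched only against iPAddress SANs, never
    against dNSName entries or wildcards.
"""
import ipaddress


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def match_dns_pattern(pattern: str, hostname: str) -> bool:
    """True if one dNSName/CN pattern covers hostname under the rules above."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname            # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and the only wildcard.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse over-broad patterns such as "*.com".
    if len(p_labels) < 3:
        return False
    # "*" stands for exactly one non-empty label, so label counts must agree.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_matches_host(subject_cn, san_dns_names, san_ip_addresses, hostname):
    """Return (matched, names_checked) for a certificate's identities vs. hostname."""
    if is_ip_literal(hostname):
        target = ipaddress.ip_address(hostname)
        checked = list(san_ip_addresses)
        return any(ipaddress.ip_address(ip) == target for ip in checked), checked
    # SANs take precedence; CN is a fallback only when no dNSName SAN exists.
    names = list(san_dns_names) if san_dns_names else ([subject_cn] if subject_cn else [])
    return any(match_dns_pattern(n, hostname) for n in names), names


# Names from the thread (CN and SANs as posted); hosts below are constructed.
THREAD_CN = "*.ftpsite.com"
THREAD_SANS = ["*.ftpsite.com", "ftpsite.com"]


def check_thread_host(hostname: str) -> bool:
    matched, _ = certificate_matches_host(THREAD_CN, THREAD_SANS, [], hostname)
    return matched


if __name__ == "__main__":
    for host in ["site.ftpsite.com", "ftpsite.com", "a.b.ftpsite.com",
                 "site.ftpsite.com.example.test", "otherhost.example.test"]:
        verdict = "ok" if check_thread_host(host) else "identity mismatch"
        print(f"{host:32s} -> {verdict}")
```

site.ftpsite.com and the bare ftpsite.com are both covered (the first by the wildcard, the second only because of the explicit SAN); a.b.ftpsite.com is not, because a wildcard never spans two labels. A host that matches none of the names is exactly the condition the validator reports as vrIdentityMismatch, so the first thing to compare when that flag appears is the value passed as the host name (client.RemoteHost in the posted code) against the certificate's SAN list.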
