EldoS | Feel safer!


Silverlight CRL retrieval

Posted: 10/28/2014 15:51:02
by Matthew Memmesheimer (Basic support level)
Joined: 10/28/2014
Posts: 4

I am having trouble with certificate validation in Silverlight. I am using build 12.0.262 of SecureBlackbox .NET edition.

When I try to validate my certificate, it fails with a reason of 128, which indicates CRL validation failure. The OnCRLError event is triggered twice, once with error code 1003 and once with 1004. CRL error code 1003 indicates that there was an error while retrieving the CRL.

I have ensured that I include the following lines

The certificate of my server is valid when connecting in all major browsers. I am running a TCP policy server as well for the client access policy needed by Silverlight. I can find the CRL distribution point URL in the certificate and manually download the CRL in a web browser over HTTP without issue.

Also, the certificate validates just fine with the .NET sample applications, including when I have "strict certificate validation" enabled. Is there something about Silverlight that prevents the CRL from being retrieved?

Do I have to manually retrieve the CRL and provide it to the Secure Blackbox library? If so, how do I do this?
Posted: 10/29/2014 00:53:54
by Eugene Mayevski (Team)

To narrow down the problem please try to use TElHTTPSClient in your Silverlight application to download the CRL. If this works, we can look deeper at the validator, and if this doesn't work, then you have a connectivity problem (maybe due to network restrictions of Silverlight) to solve.

You can feed the validator with known CRLs using the validator's AddKnownCRLs() method.

Sincerely yours
Eugene Mayevski
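Eugene's suggestion, written out as an added C# sketch (this is not code from the thread or from EldoS): fetch the CRL over plain HTTP with TElHTTPSClient, load it into a TElMemoryCRLStorage, and hand that storage to the validator with AddKnownCRLs(). If the download step fails inside Silverlight, the fault is connectivity (the cross-domain policy), not the validator. Everything beyond the identifiers quoted in the thread is an assumption about the SecureBlackbox .NET API and should be checked against the reference for build 12.0.262: the namespaces, the OnData event signature, Get() returning the HTTP status, TElCertificateRevocationList.LoadFromBuffer(), TElMemoryCRLStorage.Add(), TElX509CertificateValidator and its Validate() signature. The CRL URL is the one Matthew quoted.

```csharp
using System;
using System.IO;
using SBHTTPSClient;   // assumed namespace for TElHTTPSClient
using SBCRL;           // assumed namespace for TElCertificateRevocationList
using SBCRLStorage;    // assumed namespace for TElMemoryCRLStorage
using SBX509;          // assumed namespace for TElX509Certificate
using SBCertValidator; // assumed namespace for TElX509CertificateValidator

// Added example, not EldoS code. Member names marked "assumed" are not on the page.
static class CrlDownloadCheck
{
    // CRL distribution point quoted in the thread.
    const string CrlUrl = "http://crl3.digicert.com/ssca-sha2-g2.crl";

    // Step 1: download the CRL with TElHTTPSClient. A thrown exception or a
    // non-200 status here means the Silverlight sandbox is blocking the request.
    static byte[] DownloadCrl(string url)
    {
        var body = new MemoryStream();
        var client = new TElHTTPSClient();
        // assumed event shape: (object sender, byte[] buffer)
        client.OnData += (sender, buffer) => body.Write(buffer, 0, buffer.Length);
        int status = client.Get(url); // assumed: returns the HTTP status code
        if (status != 200)
            throw new IOException("CRL download failed, HTTP status " + status);
        return body.ToArray();
    }

    // Step 2: parse the DER CRL and wrap it in a storage the validator accepts.
    static TElMemoryCRLStorage BuildKnownCrls(byte[] derCrl)
    {
        var crl = new TElCertificateRevocationList();
        crl.LoadFromBuffer(derCrl);            // assumed overload taking byte[]
        var storage = new TElMemoryCRLStorage();
        storage.Add(crl);                       // assumed
        return storage;
    }

    // Step 3: feed the storage to the validator (AddKnownCRLs is quoted in the
    // thread) and log every CRL error so codes such as 1003/1004 are visible.
    static void ValidateWithKnownCrl(TElX509Certificate cert)
    {
        var known = BuildKnownCrls(DownloadCrl(CrlUrl));

        // Matthew's manual check from the thread: is the certificate listed?
        Console.WriteLine("Listed in CRL: " + known.IsPresent(cert));

        var validator = new TElX509CertificateValidator();
        validator.AddKnownCRLs(known);
        validator.OnCRLError += (sender, errorCode) =>         // assumed shape
            Console.WriteLine("CRL error " + errorCode);

        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid; // assumed enum
        int reason = 0;
        validator.Validate(cert, ref validity, ref reason);    // assumed signature
        Console.WriteLine("Validity: " + validity + ", reason: " + reason);
    }
}
```

The point of separating DownloadCrl() from the rest is the diagnosis Eugene asks for: run step 1 on its own first. If it succeeds and the validator still reports reason 128, the CRL itself (or how it is matched to the certificate's issuer) is the thing to look at; if it fails, no change to the validator will help until the client-access policy lets the Silverlight runtime reach the CRL host.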
Posted: 10/29/2014 09:20:31
by Matthew Memmesheimer (Basic support level)
Joined: 10/28/2014
Posts: 4

Are you saying to download http://crl3.digicert.com/ssca-sha2-g2.crl directly with the TElHTTPSClient? And then attempt to connect to my server and provide the previously downloaded CRL to the validator?

Or to just attempt to connect to my server using TElHTTPSClient?

One thing that might be worth mentioning: I downloaded the CRL from the URL above using a web browser. I then imported the CRL into my Silverlight application as a resource. When I load the contents of the CRL into a TElMemoryCRLStorage object and then add this object to the validator using the AddKnownCRLs() method, the validation still fails. However, if I check for the presence of the certificate in the CRL manually using the IsPresent() method of the TElMemoryCRLStorage object, I find that the certificate is indeed unrevoked (i.e. not present in the CRL).
Posted: 10/29/2014 09:39:52
by Vsevolod Ievgiienko (Team)

Are you saying to download http://crl3.digicert.com/ssca-sha2-g2.crl directly with the TElHTTPSClient?

Yes. This is needed to check if a connection can be established.
