EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Possible to ignore the Hostname In ValidateForSSL?

#35268
Posted: 12/21/2015 19:22:36
by Ken Ivanov (EldoS Corp.)

Hi Jesse,

Switching CheckCRL off is not recommended because it may cause problems with establishing certificate validity for a wide percentage of endpoints. A better option would be to set CheckCRL back to true and tune up the validator with the following options instead:

- MandatoryCRLCheck = false,
- MandatoryOCSPCheck = false,
- MandatoryRevocationCheck = true.

While the above settings will allow the validator to ignore badly kept CRL endpoints, it will still be able to check certificate revocation via other means.

If you can't validate the certificate even after the above tune-up, some further settings might need to be tuned. There can be several reasons for the validator to not be able to validate a CRL properly, and we need to establish the exact reason that is taking place in your case.

I suggest that you create a detailed validation log and post it either here or to a Helpdesk ticket (if you prefer not to make it public). You can retrieve the log after validating the certificate via the TElX509CertificateValidator.InternalLogger.Log.Text property.

Ken
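
A model of how the flags listed in the post above combine, added here as an illustration; it is not SecureBlackbox code and not part of the original post. The flag semantics (a definite "revoked" answer always fails, a Mandatory*Check flag requires that source to answer, MandatoryRevocationCheck requires at least one source to answer) are assumptions inferred from the property names and the description above, and `Policy`, `Source` and `revocation_verdict` are hypothetical names.

```python
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    GOOD = "good"                # source answered: certificate not revoked
    REVOKED = "revoked"          # source answered: certificate revoked
    UNAVAILABLE = "unavailable"  # endpoint down, stale or malformed response


@dataclass(frozen=True)
class Policy:
    # Defaults mirror the settings recommended in the post (assumed semantics).
    check_crl: bool = True
    check_ocsp: bool = True
    mandatory_crl_check: bool = False
    mandatory_ocsp_check: bool = False
    mandatory_revocation_check: bool = True


def revocation_verdict(policy, crl, ocsp):
    """Return (accepted, reason) for one certificate under the given policy."""
    results = {}
    if policy.check_crl:
        results["CRL"] = crl
    if policy.check_ocsp:
        results["OCSP"] = ocsp
    # A definite "revoked" from any consulted source is always fatal.
    for name, outcome in results.items():
        if outcome is Source.REVOKED:
            return False, f"{name} reports the certificate as revoked"
    # A mandatory source must have produced a usable answer.
    if policy.mandatory_crl_check and results.get("CRL") is not Source.GOOD:
        return False, "mandatory CRL check did not succeed"
    if policy.mandatory_ocsp_check and results.get("OCSP") is not Source.GOOD:
        return False, "mandatory OCSP check did not succeed"
    # Fail closed when no consulted source answered at all.
    if policy.mandatory_revocation_check and Source.GOOD not in results.values():
        return False, "no revocation source produced an answer"
    return True, "accepted"


RECOMMENDED = Policy()                       # settings from the post
STRICT_CRL = Policy(mandatory_crl_check=True)
CRL_OFF = Policy(check_crl=False)            # the discouraged workaround

if __name__ == "__main__":
    # Constructed scenario: broken CRL endpoint, working OCSP responder.
    for label, pol in [("recommended", RECOMMENDED), ("strict CRL", STRICT_CRL)]:
        print(label, revocation_verdict(pol, Source.UNAVAILABLE, Source.GOOD))
```

Under these assumptions the recommended policy tolerates a broken CRL endpoint only while another source still answers, and still rejects the certificate when nothing can be checked.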
#35269
Posted: 12/21/2015 19:51:22
by Eugene Mayevski (EldoS Corp.)

Let me note, however, that assistance with the validation of individual certificates is available when you have Premium support level.

If you are evaluating SecureBlackbox, you can purchase Premium support for some time at https://www.eldos.com/support/calc.php.

Also, we have several articles related to the validation of certificates and to the diagnostics of possible problems. The articles are:
1) "Validation of certificates in SecureBlackbox (mini-FAQ)" (https://www.eldos.com/security/articles/7545.php),
2) "Diagnosing certificate chain validation errors when validating a certificate or signature with *AdES components" (https://www.eldos.com/security/articles/7639.php),
3) "Additional tune-up of retrievers in TElX509CertificateValidator" (https://www.eldos.com/security/articles/8115.php).

You can use these articles for self-help.


Sincerely yours,
Eugene Mayevski
#35286
Posted: 12/22/2015 18:14:54
by Jesse Parisian (Basic support level)
Joined: 05/07/2015
Posts: 7

Great, thank you very much for all your help, guys!

Jesse


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.