Home Bug Reports

IceSSL: does CRL handling in .Net work correctly?

lukeluke Member Lukasz CzekierdaOrganization: AGH-University of Science and TechnologyProject: teleconsultations
Hello everybody,

I have a problem with IceSSL: after enabling IceSSL.CheckCRL feature (IceSSL.CheckCRL=1 in config.server file) the communication fails, I get:
[ 12/30/2007 23:27:02 server.exe: Security: SSL certificate validation failed ] when the client tries to connect to the server. I'am running a very simple (hello) application using your certificates from ice\hello sample. It seems as zeroc certificate were on CRL (sounds impossible, but I checked with MMC), I am doing something wrong or it is a bug... I've repeated the experiment with other set of certificates (issued by my own CA) - the same. With this line disabled everything is OK.

I use Ice.Plugin.IceSSL=icesslcs, Version=3.2.1.0.

With best regards,
Lukasz

Comments

  • mesmes CaliforniaAdministrators, ZeroC Staff Mark SpruiellOrganization: ZeroC, Inc.Project: Ice Developer ZeroC Staff
    Hi,

    When you enable IceSSL.CheckCRL with the sample certificates, .NET reports the certificate validation status RevocationStatusUnkown. Here is the description of this status from MSDN:

    Specifies that it is not possible to determine whether the certificate has been revoked. This can be due to the certificate revocation list (CRL) being offline or unavailable.

    This may or may not be considered a bug, depending on your perspective. For example, if you define IceSSL.CheckCRL=1, you may want a connection attempt to fail if its revocation status is unknown, in which case the current behavior is desirable. On the other hand, you might prefer to be more lenient in this situation and allow the connection to proceed.

    We may enhance IceSSL's certificate validation logic in the next release.

    Take care,
    - Mark
  • lukeluke Member Lukasz CzekierdaOrganization: AGH-University of Science and TechnologyProject: teleconsultations
    IceSSL: does CRL handling in .Net work correctly?

    Mark,
    Many thanks for the fast answer.
    mes wrote: »
    We may enhance IceSSL's certificate validation logic in the next release.

    It is definitely a good idea.

    To solve my problem I have added a CRL distribution point extension to the certificates and have invested in a small CA which publishes CRL file. Everything works OK.

    With best regards,
    Lukasz
Sign In or Register to comment.