Thread: IceSSL: does CRL handling in .Net work correctly?

  1. #1
    luke (Registered User)
    Name: Lukasz Czekierda
    Organization: AGH-University of Science and Technology
    Project: teleconsultations
    Join Date: Mar 2007
    Posts: 11

    IceSSL: does CRL handling in .Net work correctly?

    Hello everybody,

    I have a problem with IceSSL: after enabling the IceSSL.CheckCRL feature (IceSSL.CheckCRL=1 in the config.server file), the communication fails. I get:
    [ 12/30/2007 23:27:02 server.exe: Security: SSL certificate validation failed ]
    when the client tries to connect to the server. I'm running a very simple (hello) application using your certificates from the ice\hello sample. It seems as if the ZeroC certificate were on a CRL (sounds impossible, but I checked with MMC), I am doing something wrong, or it is a bug... I've repeated the experiment with another set of certificates (issued by my own CA) - the same. With this line disabled everything is OK.

    I use Ice.Plugin.IceSSL=icesslcs, Version=3.2.1.0.

    With best regards,
    Lukasz

  2. #2
    mes (ZeroC Staff)
    Name: Mark Spruiell
    Organization: ZeroC, Inc.
    Project: Ice Developer
    Join Date: Feb 2003
    Location: California
    Posts: 1,441

    Hi,

    When you enable IceSSL.CheckCRL with the sample certificates, .NET reports the certificate validation status RevocationStatusUnknown. Here is the description of this status from MSDN:

    Specifies that it is not possible to determine whether the certificate has been revoked. This can be due to the certificate revocation list (CRL) being offline or unavailable.

    This may or may not be considered a bug, depending on your perspective. For example, if you define IceSSL.CheckCRL=1, you may want a connection attempt to fail if its revocation status is unknown, in which case the current behavior is desirable. On the other hand, you might prefer to be more lenient in this situation and allow the connection to proceed.

    We may enhance IceSSL's certificate validation logic in the next release.

    Take care,
    - Mark
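
The strict and lenient choices described in the reply above, as an added example (not part of the original thread and not IceSSL's own code). It assumes .NET Framework 4.6 or later; `CrlPolicyDemo`, `Accept` and `Validate` are hypothetical names, and the status values exercised in `Main` are constructed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class CrlPolicyDemo
{
    // Set by .NET when no CRL could be located or fetched: no verdict either way.
    const X509ChainStatusFlags Unknown =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    // Hypothetical policy helper. allowUnknown=false fails closed; allowUnknown=true
    // also accepts a revoked certificate whenever its CRL cannot be reached.
    public static bool Accept(X509ChainStatusFlags status, bool allowUnknown)
    {
        if ((status & X509ChainStatusFlags.Revoked) != 0) return false;
        if (allowUnknown) status &= ~Unknown;
        return status == X509ChainStatusFlags.NoError; // any other error still rejects
    }

    // Builds the chain with online CRL checking and applies the policy.
    public static bool Validate(X509Certificate2 cert, bool allowUnknown)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.Build(cert);
            foreach (var s in chain.ChainStatus)
                Console.WriteLine("  {0}: {1}", s.Status, s.StatusInformation);
            return Accept(chain.ChainStatus.Aggregate(
                X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status), allowUnknown);
        }
    }

    static void Main(string[] args)
    {
        if (args.Length == 1) // optional: path to a certificate file to check
        {
            var cert = new X509Certificate2(args[0]);
            Console.WriteLine("strict={0}", Validate(cert, false));
            Console.WriteLine("lenient={0}", Validate(cert, true));
            return;
        }
        // Constructed status values so the policy can be exercised offline.
        foreach (var c in new[] { X509ChainStatusFlags.NoError, Unknown,
                 X509ChainStatusFlags.Revoked, X509ChainStatusFlags.UntrustedRoot | Unknown })
            Console.WriteLine("{0}: strict={1} lenient={2}", c, Accept(c, false), Accept(c, true));
    }
}
```

Run without arguments it prints the decision for each constructed status; given a certificate file path, it builds the real chain and lists every status element .NET reports for it.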

  3. #3
    luke (Registered User)
    Name: Lukasz Czekierda
    Organization: AGH-University of Science and Technology
    Project: teleconsultations
    Join Date: Mar 2007
    Posts: 11

    Mark,
    Many thanks for the fast answer.

    Originally posted by mes:
    "We may enhance IceSSL's certificate validation logic in the next release."
    It is definitely a good idea.

    To solve my problem I have added a CRL distribution point extension to the certificates and have invested in a small CA which publishes a CRL file. Everything works OK.

    With best regards,
    Lukasz
