
Thread: HTTPRio ssl failure: Revocation Server unavailable


Dan Barclay

  Posted: Feb 6, 2015 2:42 PM
We access web services via ssl and, using THTTPRIO, users must open their firewalls to allow access to certificate servers in order to check revocation lists. Since we have no control over the server we don't know when (or which) revocation server will be accessed and so can't warn users.

We would like to use the same protocol as Internet Explorer, which looks for a revocation list and if it can't get to it just continues with the operation.

However, I haven't been able to determine how to emulate that. I tried
   rio.HTTPWebNode.InvokeOptions:=[soIgnoreInvalidCerts, soAutoCheckAccessPointViaUDDI];


but the soIgnoreInvalidCerts is being ignored. If it is time to check the revocation list, and the list is not accessible, the call fails.

Class: ESOAPHTTP  Exception  It was not possible to connect to the revocation server or a definitive response could not be obtained. - URL:xxxxxxxx


This is a problem. Users don't know it's an issue until their apps simply don't work, and that's a BadThing <tm>. I can't even trap the error and present them the option to continue, because I don't know how to continue without opening their firewall.

I have confirmed that the .InvokeOptions is defaulted to the settings I show in code above even before I "reset" the values.

Is there someone who can tell me how to avoid this error, or allow users to continue after I report to them? At the very least I'd like to give their system administrators control over this.

Here is what Internet Explorer does if you check "Check for server certificate revocation" (which really means "check when you can"):

http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx

"However, if a given certificate specifies a CRL or OCSP URL, but the revocation check cannot be completed (say, because the Certificate Authority’s server is not reachable), Internet Explorer will not notify the user. In the original IE7 design, a notification (yellow address bar) was presented instead of the default lock icon. However, this design was reverted after testing when it was determined that connection problems to revocation servers were extremely common and there was no clear guidance the browser could give users about what they should do when a warning was encountered. Presenting unactionable and scary warnings to users in common and low-risk situations doesn’t improve security—it reduces it, by desensitizing users to higher value warnings where the degree of risk is far higher (e.g. SmartScreen malware warnings)."

Help???

FWIW, I've asked this question before and nobody responds. I really need some help with it. Anybody know Bruneau's number???

Dan (XE2)
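
An added example, not part of the original post and not Embarcadero's code: one way to put the revocation behaviour under administrator control, by setting WinInet's "ignore certificate revocation problems" flag on the request only when a machine-wide policy value allows it, while all other certificate checks stay in force. It assumes the WinInet-based THTTPReqResp of XE2, whose OnBeforePost event passes the request handle in Data; the unit name, class name, registry key and value name are hypothetical.

```delphi
unit RevocationPolicy; // hypothetical unit name

interface

uses
  Winapi.Windows, Winapi.WinInet, System.Win.Registry, Soap.SOAPHTTPTrans;

type
  TRevocationPolicy = class
  public
    // Assign to rio.HTTPWebNode.OnBeforePost before the first call.
    procedure BeforePost(const HTTPReqResp: THTTPReqResp; Data: Pointer);
  end;

implementation

const
  SEC_FLAG_IGNORE_REVOCATION = $00000080; // SECURITY_FLAG_IGNORE_REVOCATION in wininet.h
  // Hypothetical policy location; under HKLM so only administrators can change it.
  PolicyKey   = '\SOFTWARE\ExampleVendor\ExampleApp';
  PolicyValue = 'AllowRevocationSoftFail';

function SoftFailAllowed: Boolean;
var
  Reg: TRegistry;
begin
  Result := False; // default: revocation failures stay fatal
  Reg := TRegistry.Create(KEY_READ);
  try
    Reg.RootKey := HKEY_LOCAL_MACHINE;
    if Reg.OpenKeyReadOnly(PolicyKey) and Reg.ValueExists(PolicyValue) then
      Result := Reg.ReadInteger(PolicyValue) = 1;
  finally
    Reg.Free;
  end;
end;

procedure TRevocationPolicy.BeforePost(const HTTPReqResp: THTTPReqResp; Data: Pointer);
var
  Flags, Len: DWORD;
begin
  if not SoftFailAllowed then Exit;
  Len := SizeOf(Flags);
  // Data is the WinInet request handle; add one flag and leave the others untouched.
  if InternetQueryOption(Data, INTERNET_OPTION_SECURITY_FLAGS, @Flags, Len) then
  begin
    Flags := Flags or SEC_FLAG_IGNORE_REVOCATION;
    InternetSetOption(Data, INTERNET_OPTION_SECURITY_FLAGS, @Flags, SizeOf(Flags));
  end;
end;
end.
```

With the policy value absent or not equal to 1, the handler changes nothing and the call fails as described in the post when the revocation server is unreachable.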