SecureBlackbox 16: Additional tune-up of retrievers in TElX509CertificateValidator
TElX509CertificateValidator uses so-called CRL and OCSP retriever classes to download revocation information for X.509 certificates that have been validated. SecureBlackbox includes the following retrievers:
- TElHTTPCRLRetriever - downloads certificate revocation lists (CRLs) via the HTTP(s) protocol.
- TElLDAPCRLRetriever - downloads CRLs via the LDAP protocol.
- TElHTTPOCSPClient - performs OCSP requests via the HTTP(S) protocol. In fact, the class is not a retriever. However, it may need some additional configuration before use in validation scenarios.
Additionally, SecureBlackbox includes TElHTTPCertificateRetriever - this class downloads any missing CA certificates needed for the validation of a particular certificate via the HTTP(S) protocol. The location of a missing CA certificate is taken from the certificate extension of the certificate being validated.
The SecureBlackbox documentation describes how to enable retrievers before validation.
Usually, retriever classes work as expected out of the box. However, they may need additional configuration in cases when revocation information is downloaded via HTTPS or when the connection should be established via the proxy server.
As retriever classes are used internally by TElX509CertificateValidator, this class includes the following events in which you can perform additional configuration:
- OnBeforeCRLRetriverUse is fired before a CRL retriever is used. You can check the instance type of the retriever by checking its Retriever parameter. The parameter may contain an instance of the TElHTTPCRLRetriever or TElLDAPCRLRetriever classes.
- OnBeforeOCSPClientUse is fired before an OCSL client is used. An internal TElHTTPOCSPClient instance is passed to the event handler via its OCSPClient parameter.
- OnBeforeCertificateRetrieverUse is fired before the certificate retriever is used. The retriever instance is passed to the event handler via the Retriever parameter. This instance may be of the TElHTTPCertificateRetriever type.
When you get an instance of the retriever class inside the above-mentioned event handlers, you can configure it in the following way:
- For HTTP(S) based retrievers you can get an instance of the underlying TElHTTPSClient object using the retriever's HTTPClient property. Then you can use its WebTunnel* or HTTPProxy* properties to configure a proxy.
- For LDAP-based retrievers you can access an underlying instance of TElLDAPSClient using the LDAPSClient property and use its WebTunnel* or HTTPProxy* properties to configure a proxy.
- TElLDAPCRLRetriever includes a ServerList property that you can use to set a list of additional LDAP servers that are used to download CRLs that are referenced via absolute URLs in certificate extensions.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.