
Difference between CRL check in SSTP VPN and CRL check in OWA and RWA

Hi
I am working with CDPs and CRLs and I am wondering about the difference between the CRL check in SSTP VPN and the CRL check in OWA and RWA.
They all use the same cert, but the CRL check with SSTP VPN doesn't pass and the same check with OWA and RWA passes. Also, when the cert is checked using the certutil -verify -urlfetch command, the cert seems to pass the check. From the output file: "Leaf certificate revocation
check passed".
So what exactly happens in the CRL check with SSTP VPN and what happens in the CRL check with OWA or RWA? These processes seem to be different somehow.

June 14th, 2012 11:04pm
The difference is that SSTP strictly checks all CRLs and fails to connect if one of them is not correct (valid). Internet Explorer checks all CRLs too, but allows the connection even if one of them is invalid.

http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=39

My weblog:
http://en-us.sysadmins.lv

PowerShell PKI Module:
http://pspki.codeplex.com

Windows PKI reference:
on TechNet wiki

June 15th, 2012 12:23am
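The strict-versus-lenient distinction in the answer above can be made visible with the same chain engine (CAPI2, which certutil -verify -urlfetch also uses): the engine reports status flags such as Revoked, RevocationStatusUnknown and OfflineRevocation, and it is the calling application that decides which of them are fatal. The following PowerShell is an added example, not code from the thread or from the linked article; the function name and the "strict" and "lenient" policies are this example's own, and it expects a certificate object loaded from a .cer file or from the certificate store.

```powershell
# Added example: evaluate one server certificate's revocation status and show how a
# strict client (SSTP-style) and a lenient client (IE without strict checking) would
# each react to the same chain result. Names here are the example's own.
$flagType = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

function Get-RevocationVerdict {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$TimeoutSec = 15
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch CRLs/OCSP responses over the network rather than relying on the cache alone.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Check every certificate below the root; a self-signed root has no CRL to check against.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds $TimeoutSec
    $null = $chain.Build($Certificate)

    # Per-certificate view: which link in the chain the engine complained about.
    $elements = foreach ($el in $chain.ChainElements) {
        $st = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        [pscustomobject]@{ Subject = $el.Certificate.Subject; Status = if ($st) { $st } else { 'NoError' } }
    }

    # Fold all chain-level status flags into one bitmask.
    $combined = 0
    foreach ($s in $chain.ChainStatus) { $combined = $combined -bor [int]$s.Status }

    $revokedMask = [int]$flagType::Revoked
    $unknownMask = [int]$flagType::RevocationStatusUnknown -bor [int]$flagType::OfflineRevocation
    $isRevoked   = ($combined -band $revokedMask) -ne 0
    $isUnknown   = ($combined -band $unknownMask) -ne 0
    # Expired, untrusted root, name mismatch and so on: fatal for every kind of client.
    $otherErrors = ($combined -band -bnot ($revokedMask -bor $unknownMask)) -ne 0

    # Strict client: any non-clean chain status refuses the connection.
    $strictOk  = $combined -eq 0
    # Lenient client: only an actual "Revoked" or a non-revocation error refuses;
    # an unknown or offline revocation status is let through.
    $lenientOk = -not $isRevoked -and -not $otherErrors

    [pscustomobject]@{
        Subject           = $Certificate.Subject
        ChainStatus       = if ($combined -eq 0) { 'NoError' } else { ([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]$combined).ToString() }
        Elements          = $elements
        RevocationUnknown = $isUnknown
        StrictClient      = if ($strictOk)  { 'connects' } else { 'refuses' }
        LenientClient     = if ($lenientOk) { 'connects' } else { 'refuses' }
    }
}

# Usage (adjust the path to your own exported server certificate):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\server.cer'
# Get-RevocationVerdict -Certificate $cert | Format-List
```

Run it on the machine that is actually doing the check, i.e. the SSTP client rather than the server: the CDP must be reachable from there, and a result of RevocationStatusUnknown or OfflineRevocation on any element is exactly the case where StrictClient says "refuses" while LenientClient still says "connects". Because the chain engine caches CRLs, clear the cache with certutil -urlcache crl delete before repeating a test, otherwise a CRL fetched earlier from inside the network can mask a CDP that is unreachable from outside.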
Hi
Thanks for the link! It's just that the blog post says that
"To address this issue Internet Explorer 7 has introduced a setting that enables strict revocation checking. And if revocation checking fails, web browser displays a warning message."
and my IE9 doesn't give any warning about the revocation list check failure when OWA or RWA is accessed. Revocation checking is on in my IE9. So it implies that the revocation check is done and it passes without errors for OWA and RWA.
Also, like I wrote earlier, the certutil -verify -urlfetch command passes with that cert.

June 15th, 2012 2:08am
> and my IE9 dont give any warning about the revocation list check failure
because strict revocation checking is not enabled by default. You must configure the setting as specified in the article.

June 15th, 2012 2:42am
There is no such reg key in Win7 + IE9.
Instead, in my IE9 there is a setting for revocation checking at Internet Options -> Advanced tab -> Check for server certificate revocation.
This setting seems to be on by default.

June 15th, 2012 2:49am
You must manually create this registry entry.
> This setting seem to be on by default.
yep. As stated, IE checks the SSL certificate for revocation and shows a warning message if it is revoked. If revocation information is unavailable or invalid, then the certificate is considered valid.

June 15th, 2012 8:08am
I made the reg key but it did not have any effect.

Translations (of the Finnish labels in the image, which is not reproduced here):
oletus = default
arvoa ei ole asetettu = value has not been set

June 18th, 2012 2:40am
Did you restart the computer? Also, if you still don't see the warning message, it may indicate that the CRL information is available and up to date.

June 18th, 2012 11:16am
Yes, I did restart, and the cert's CRL Distribution Point list only shows an LDAP URL but not an HTTP URL.
What I have understood is that an HTTP URL is needed for the revocation list check.
Maybe strict revocation list checking is not included anymore in IE9?

June 19th, 2012 12:16am
> What I have understood is that HTTP URL is needed for revocation list check.
If LDAP is accessible to clients, it is enough to use this protocol for revocation checking.

June 20th, 2012 11:20am
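The last two posts turn on whether the CDP URLs in the certificate are reachable from the client doing the check. A CDP that lists only an LDAP URL is fine for a domain-joined client that can reach a domain controller, but an SSTP client connecting from the internet cannot resolve a serverless ldap:/// reference at all, so its strict check fails while the same certificate passes for a lenient browser. The PowerShell below is an added example, not from the thread: it lists the CDP URLs in a certificate and reports, per URL, whether an internet client could use it. Function names are the example's own; the URL extraction assumes the English rendering of the extension text ("URL=" entries), and the HTTP branch downloads the CRL and reads its NextUpdate with certutil -dump, whose date text is locale-formatted.

```powershell
# Added example: enumerate a certificate's CRL Distribution Point URLs and check each one
# the way a client outside the domain would have to use it. Names are the example's own.
function Get-CdpUrl {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.31 is the CRL Distribution Points extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one 'URL=' entry per distribution
    # point (English rendering assumed); a regex pulls the URLs out of that text.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$TimeoutSec = 15
    )
    $scheme = [regex]::Match($Url, '^([A-Za-z]+):').Groups[1].Value.ToLower()
    $result = [ordered]@{ Url = $Url; Scheme = $scheme; UsableFromInternet = $false; Detail = '' }

    switch ($scheme) {
        'http' {
            $tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName() + '.crl')
            try {
                Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -TimeoutSec $TimeoutSec
                # certutil -dump decodes the CRL and prints its validity window.
                $dump = (& certutil.exe -dump $tmp) -join "`n"
                $next = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
                $result.UsableFromInternet = $true
                $result.Detail = "downloaded; NextUpdate: $next"
                # A reachable but expired CRL is still "invalid" to a strict client.
                try {
                    if ([datetime]::Parse($next) -lt (Get-Date)) {
                        $result.UsableFromInternet = $false
                        $result.Detail += ' (expired)'
                    }
                } catch { $result.Detail += ' (could not parse the date text)' }
            } catch {
                $result.Detail = "download failed: $($_.Exception.Message)"
            } finally {
                Remove-Item $tmp -ErrorAction SilentlyContinue
            }
        }
        'ldap' {
            if ($Url -match '^ldap:///') {
                # No host in the URL: the client must locate a domain controller itself,
                # which only a domain-joined client with domain connectivity can do.
                $result.Detail = 'serverless LDAP URL; needs domain connectivity, not usable by an internet client'
            } else {
                $result.Detail = 'LDAP URL with an explicit host; needs LDAP access to that host, normally not exposed to the internet'
            }
        }
        default { $result.Detail = 'scheme not handled by this example' }
    }
    [pscustomobject]$result
}

# Usage (adjust the path to your own exported server certificate):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\server.cer'
# Get-CdpUrl -Certificate $cert | ForEach-Object { Test-CdpUrl -Url $_ } | Format-Table -AutoSize
```

If every row comes back with UsableFromInternet set to false, the fix is on the CA side (publish the CRL to an HTTP location that is reachable from outside and add that URL to the CDP extension, then reissue the server certificate), not on the SSTP client; certificates already issued keep the old CDP list.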

This topic is archived. No further replies will be accepted.
