+1 vote

I am testing Mail.dll to do IMAP with mutual authentication and custom validation of server certificate. It seems to work great.

But there is one feature that I do not understand the operation:
usage of revocation list to validate server certificate.

In SSLConfiguration of an IMAP object, there is a CheckCertificateRevocation property that allow to activate check of server certificate with revocation list.

The property can be set to true, but what happen next?
How does it work?
What revocation list is used?

by (8.8k points)
retagged by

1 Answer

0 votes

CheckCertificateRevocation specifies whether the certificate
revocation list is checked during authentication. Default is false.
This value is passed to SslStream's AuthenticateAsClient method.

If true, the client checks whether the server's certificate has been revoked.
Each issuer publishes a time- and date-stamped certificate revocation
list (CRL). This check can be performed online or by checking against a cached
revocation list.

When the certificate has been revoked; or when the certificate revocation list cannot be found, an exception occurs or ValidateServerCertificate callback is invoked with
sslPolicyErrors parameter having SslPolicyErrors.RemoteCertificateChainErrors flag set.

When this occurs, any chains that descend from the revoked certificate are also invalid, and are not trusted during authentication procedures.

by (298k points)
...