Certificate Revocation Status Checking (SSLMODE)

Teradata® Call-Level Interface Version 2 Reference for Workstation-Attached Systems - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, Lake, VMware
Product: Call-Level Interface Version 2
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-06-12
dita:id: B035-2418
Product Category: Teradata Tools and Utilities

When sslmode=verify-full, CLI will attempt to verify the revocation status of the certificate chain using the following methods:

  • Online certificate status protocol (OCSP) stapling
  • Contacting the certificate's OCSP responder URI, if the certificate contains the appropriate extension
  • Contacting the certificate's certificate revocation list (CRL) distribution point URI, if the certificate contains the appropriate extension

OCSP Support

CLI provides support for the Online Certificate Status Protocol (OCSP) to determine the revocation status of an X.509 certificate. When sslmode=verify-full, CLI requests that Gateway provide an OCSP stapled response during the TLS handshake. If OCSP stapling is supported by Gateway, a stapled response may be returned. CLI then checks the status in the stapled response and, for any certificates not included in the stapled response, contacts the OCSP responder URI if the certificate contains one. The status of certificates obtained from the OCSP responders is combined with the stapled status from Gateway to determine the overall status of the certificate chain. The possible status values are:

  • GOOD - all certificates in the chain are valid
  • REVOKED - one or more of the certificates in the chain has been revoked
  • UNKNOWN - unable to determine status for one or more certificates in the chain

To control how long CLI will wait for an OCSP responder to reply, set the following environment variable:

CLI_OCSP_TIMEOUT

This environment variable controls how long CLI will wait for an OCSP responder to reply to an OCSP status request. Units are in seconds. The default value is 10 seconds.

CRL Support

If CLI is unable to determine the certificate status using OCSP (i.e., the OCSP certificate status is UNKNOWN), CLI falls back to checking for a certificate revocation list (CRL) URI in the certificate. If one is found, CLI attempts to download the CRL and determine whether the certificate in question is listed in it. Each certificate in the chain, excluding the root CA certificate, is checked to determine the overall CRL status of the certificate chain. The possible status values are:

  • GOOD - none of the certificates were found in a CRL
  • REVOKED - one or more of the certificates was found in a CRL
  • UNKNOWN - unable to download a certificate's CRL, or an error occurred while checking the CRL

To control how long CLI will wait for a CRL to be downloaded from a CRL distribution point, set the following environment variable:

CLI_CRL_TIMEOUT

This environment variable controls how long CLI will wait for a response from the HTTP server identified in the CRL distribution point extension. Units are in seconds. The default value is 10 seconds.

The CLI_OCSP_TIMEOUT and CLI_CRL_TIMEOUT environment variables can also be specified in the clispb.dat file.
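The decision flow described in the OCSP and CRL sections above, modelled as an added Python example that is not CLIv2 code or part of this reference: the Cert type, the query_responder and fetch_crl callbacks and all serials and URIs are constructed for illustration. It also assumes that the root CA is skipped for the OCSP check as well as the CRL check, and that a certificate that is neither stapled nor carries an OCSP responder URI counts as UNKNOWN; the page states neither.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    GOOD = "GOOD"
    REVOKED = "REVOKED"
    UNKNOWN = "UNKNOWN"

@dataclass(frozen=True)
class Cert:
    serial: int
    is_root: bool = False
    ocsp_uri: str = ""  # OCSP responder URI if the cert carries the extension, else ""
    crl_uri: str = ""   # CRL distribution point URI if the extension is present, else ""

def chain_status(chain, check):
    """Run check() over every non-root cert; any REVOKED wins, then any UNKNOWN, else GOOD."""
    statuses = {check(c) for c in chain if not c.is_root}  # assumption: root CA is not checked
    if Status.REVOKED in statuses:
        return Status.REVOKED
    return Status.UNKNOWN if Status.UNKNOWN in statuses else Status.GOOD

def ocsp_status(cert, stapled, query_responder):
    """Stapled status if Gateway included this cert; otherwise ask its own responder, if any."""
    if cert.serial in stapled:
        return stapled[cert.serial]
    return query_responder(cert) if cert.ocsp_uri else Status.UNKNOWN  # assumption: no URI -> UNKNOWN

def crl_status(cert, fetch_crl):
    """fetch_crl(uri) returns the set of revoked serials, or None when the download fails."""
    revoked = fetch_crl(cert.crl_uri) if cert.crl_uri else None
    if revoked is None:
        return Status.UNKNOWN
    return Status.REVOKED if cert.serial in revoked else Status.GOOD

def revocation_status(chain, stapled, query_responder, fetch_crl):
    """OCSP first; the CRL is consulted only when the OCSP chain status is UNKNOWN."""
    status = chain_status(chain, lambda c: ocsp_status(c, stapled, query_responder))
    if status is Status.UNKNOWN:
        status = chain_status(chain, lambda c: crl_status(c, fetch_crl))
    return status

def sample_run():
    """Constructed: leaf stapled GOOD, intermediate's responder times out, CA CRL lists 0x42."""
    chain = (Cert(0x1001, ocsp_uri="http://ocsp.example.test/", crl_uri="http://crl.example.test/l.crl"),
             Cert(0x0042, ocsp_uri="http://ocsp.example.test/", crl_uri="http://crl.example.test/ca.crl"),
             Cert(0x0001, is_root=True))
    return revocation_status(chain, {0x1001: Status.GOOD},
                             lambda c: Status.UNKNOWN, lambda uri: {0x0042})
```

In sample_run the OCSP pass yields UNKNOWN (leaf GOOD, intermediate unanswered), so the CRL fallback runs and returns REVOKED for the chain.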