When sslmode=verify-full, CLI will attempt to verify the revocation status of the certificate chain using the following methods:
- Online Certificate Status Protocol (OCSP) stapling
- Contacting the certificate's OCSP responder URI, if the certificate contains the appropriate extension
- Contacting the certificate's certificate revocation list (CRL) distribution point URI, if the certificate contains the appropriate extension
OCSP Support
CLI provides support for the Online Certificate Status Protocol (OCSP) to determine the revocation status of an X.509 certificate. When sslmode=verify-full, CLI requests that Gateway provide an OCSP stapled response during the TLS handshake. If OCSP stapling is supported by Gateway, a stapled response may be returned. CLI will then check the status in the stapled response, and for any certificates not included in the stapled response, will contact the OCSP responder URI if the certificate contains one. The status of certificates from the OCSP responders is combined with the stapled status from Gateway to determine the overall status of the certificate chain. The possible status values are:
GOOD - all certificates in the chain are valid
REVOKED - one or more of the certificates in the chain has been revoked
UNKNOWN - unable to determine status for one or more certificates in the chain
To control how long CLI will wait for an OCSP responder to reply, set the following environment variable:
CLI_OCSP_TIMEOUT
This environment variable controls how long CLI will wait for an OCSP responder to reply to an OCSP status request. Units are in seconds. The default value is 10 seconds.
CRL Support
If CLI is unable to determine the certificate status using OCSP (i.e. the OCSP certificate status is UNKNOWN), CLI will fall back to checking for a certificate revocation list (CRL) URI in the certificate. If one is found, CLI will attempt to download the CRL and determine if the certificate in question is in the CRL. Each certificate in the chain, excluding the root CA certificate, will be checked to determine the overall CRL status of the certificate chain. The possible status values are:
GOOD - none of the certificates were found in a CRL
REVOKED - one or more of the certificates was found in a CRL
UNKNOWN - unable to download a certificate's CRL, or an error occurred checking the CRL
To control how long CLI will wait for a CRL to be downloaded from a CRL distribution point, set the following environment variable:
CLI_CRL_TIMEOUT
This environment variable controls how long CLI will wait for a response from the HTTP server identified in the CRL distribution point extension. Units are in seconds. The default value is 10 seconds.
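The revocation-check order described above (stapled OCSP status, then the certificate's OCSP responder, then CRL only when the OCSP result is UNKNOWN), written out as an added Python example; this is not the CLI's own code. It assumes the chain is given leaf first and root last, that the network lookups are injected as callbacks taking (uri, timeout_seconds), and that the root CA is excluded from both checks as the CRL section states for CRLs.

```python
import os

GOOD, REVOKED, UNKNOWN = "GOOD", "REVOKED", "UNKNOWN"


def timeout_from_env(var, default=10.0):
    """Seconds to wait, read from CLI_OCSP_TIMEOUT / CLI_CRL_TIMEOUT; the documented default is 10."""
    try:
        return float(os.environ.get(var, default))
    except ValueError:
        return default


def combine(statuses):
    """Chain status: any REVOKED wins, then any UNKNOWN, otherwise GOOD."""
    if REVOKED in statuses:
        return REVOKED
    return UNKNOWN if UNKNOWN in statuses else GOOD


def ocsp_chain_status(chain, stapled, ocsp_lookup):
    timeout = timeout_from_env("CLI_OCSP_TIMEOUT")
    statuses = []
    for cert in chain[:-1]:                 # root CA is the trust anchor; not queried (assumption)
        if cert["name"] in stapled:         # status stapled by Gateway during the handshake
            statuses.append(stapled[cert["name"]])
        elif cert["ocsp_uri"]:              # otherwise ask the responder named in the certificate
            statuses.append(ocsp_lookup(cert["ocsp_uri"], timeout))
        else:                               # nothing stapled and no responder URI (assumption)
            statuses.append(UNKNOWN)
    return combine(statuses)


def crl_chain_status(chain, crl_lookup):
    timeout = timeout_from_env("CLI_CRL_TIMEOUT")
    return combine([crl_lookup(c["crl_uri"], timeout) if c["crl_uri"] else UNKNOWN
                    for c in chain[:-1]])   # every certificate except the root CA


def revocation_status(chain, stapled, ocsp_lookup, crl_lookup):
    """verify-full order: OCSP first; CRLs are consulted only when the OCSP result is UNKNOWN."""
    status = ocsp_chain_status(chain, stapled, ocsp_lookup)
    return status if status != UNKNOWN else crl_chain_status(chain, crl_lookup)


if __name__ == "__main__":   # constructed sample chain: the intermediate carries no OCSP URI
    chain = [{"name": "leaf", "ocsp_uri": "http://ocsp.example/", "crl_uri": "http://crl.example/leaf.crl"},
             {"name": "intermediate", "ocsp_uri": None, "crl_uri": "http://crl.example/int.crl"},
             {"name": "root", "ocsp_uri": None, "crl_uri": None}]
    print(revocation_status(chain, {"leaf": GOOD}, lambda u, t: GOOD, lambda u, t: GOOD))  # GOOD
```

Because the intermediate in the sample has no OCSP URI, the OCSP stage alone comes back UNKNOWN and the decision is made by the CRL stage, which is exactly the fallback path the text describes.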