Certificate Revocation Status Checking | SSLMODE | CLIv2 - Certificate Revocation Status Checking - Call-Level Interface Version 2

Teradata® Call-Level Interface Version 2 Reference for Workstation-Attached Systems - 20.00

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
Lake
VMware
Product
Call-Level Interface Version 2
Release Number
20.00
Published
January 2024
Language
English (United States)
Last Update
2024-05-14
dita:mapPath
bmn1691484839905.ditamap
dita:ditavalPath
obe1474387269547.ditaval
dita:id
fvz1470444150352
Product Category
Teradata Tools and Utilities

When sslmode=verify-full, CLI will attempt to verify the revocation status of the certificate chain using the following methods:

  • Online certificate status protocol (OCSP) stapling
  • Contacting the certificate's OCSP responder URI, if the certificate contains the appropriate extension
  • Contacting the certificate's certificate revocation list (CRL) distribution point URI, if the certificate contains the appropriate extension

OCSP Support

CLI provides support for the Online Certificate Status Protocol (OCSP) to determine the revocation status of an X509 certificate. When sslmode=verify-full, CLI requests that Gateway provide an OCSP stapled response during the TLS handshake. If OCSP stapling is supported by gateway, a stapled response may be returned. CLI will then check the status in the stapled response, and for any certificates not included in the stapled response, will contact the OCSP responder URI if the certificate contains one. The status of certificates from the OCSP responders is combined with the stapled status from Gateway to determine the overall status of the certificate chain. The possible status values are:

GOOD - all certificates in the chain are valid

REVOKED - one or more of the certificates in the chain has been revoked

UNKNOWN - unable to determine status for one or more certificates in the chain

To control how long CLI will wait for an OCSP responder to reply, set the following environment variable:

CLI_OCSP_TIMEOUT

This environment variable controls how long CLI will wait for an OCSP responder to reply to an OCSP status request. Units are in seconds. The default value is 10 seconds.

CRL Support

If CLI is unable to determine the certificate status using OCSP (i.e. the OCSP certificate status is UNKNOWN), CLI will fall back to checking for a certificate revocation list (CRL) URI in the certificate. If one is found, CLI will attempt to download the CRL and determine if the certificate in question is in the CRL. Each certificate in the chain, excluding the root CA certificate, will be checked to determine the overall CRL status of the certificate chain. The possible status values are:

GOOD - none of the certificates were found in a CRL

REVOKED - one or more of the certificates was found in a CRL

UNKNOWN - unable to download certificate's CRL, or an error occurred checking the CRL

To control how long CLI will wait for a CRL to be downloaded from a CRL distribution point, set the following environment variable:

CLI_CRL_TIMEOUT

This environment variable controls how long CLI will wait for a response from the HTTP server identified in the CRL distribution point extension. Units are in seconds. The default value is 10 seconds.

CLI_OCSP_TIMEOUT and CLI_CRL_TIMEOUT environment variables can be specified in the ‘clispb.dat’ as well.