search cancel

Symantec Encryption Management Server may encrypt messages to revoked S/MIME certificates if the CRL or OCSP is unavailable

book

Article ID: 163194

calendar_today

Updated On:

Products

Desktop Email Encryption Encryption Management Server Gateway Email Encryption

Issue/Introduction

S/MIME certificates include a reference to a CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) distribution point.

The CRL distribution point is defined in the CRL Distribution Points field within the certificate and lists a URL accessible over HTTP, LDAP or both.  

The OCSP distribution point is defined in the Authority Information Access field and lists a URL accessible over HTTP.

If neither the CRL or OCSP distribution points for a certificate can be accessed by Symantec Encryption Management Server, messages can still be encrypted using the revoked certificate. This is the case if, for example, Symantec Encryption Management Server is blocked by a firewall from connecting to remote hosts over HTTP and/or LDAP.

 

The Mail log will contain the following records when the CRL and OCSP distribution points are unavailable:

2016/04/26 17:35:49 +01:00  INFO   pgp/messaging[2017]:       SMTP-00001: Unable to find valid OCSP server

2016/04/26 17:35:49 +01:00  WARN   pgp/messaging[2017]:       SMTP-00001: Could not retrieve URL http://server.name:80/crlfile.crl: couldn't connect to server/ 

where server.name is the DNS name of the server containing the CRL and crlfile.crl is the name of the CRL file.

Resolution

Symantec Encryption Management Server needs to be able to access URLs using HTTP or LDAP in order to be able to determine whether an S/MIME certificate is revoked. Please ensure that outbound HTTP and LDAP are not blocked by a firewall if this functionality is required.

By design, Symantec Encryption Management Server will encrypt using an S/MIME certificate if its revocation status cannot be discovered using CRL or OCSP.

 

Additional Information

235862 - Symantec Encryption Management Server unable to process mail when using OCSP

171558 - Inbound S/MIME messages fail to be decrypted if Encryption Management Server cannot make outbound HTTP connections

174739 - Encryption Management Server enables the Certificate Revocation Service by default