Symantec Encryption Management Server unable to process mail when using OCSP

Article ID: 235862

Products

Gateway Email Encryption Encryption Management Server

Issue/Introduction

Symantec Encryption Management Server (SEMS, also known as the PGP server) can encrypt and decrypt email using the S/MIME standard.

When an S/MIME certificate is used, the PGP server can perform a Certificate Revocation List (CRL) lookup for the user's certificate to ensure it is trusted by a valid Certificate Authority (CA), such as DigiCert.

One method the PGP server uses to validate whether a certificate is still valid is a Certificate Revocation List, which essentially tells the PGP server whether the CA used to sign the user's cert is still valid or not.

Tip: Valid means the user's cert is signed by a trusted Certificate Authority, is not expired, and matches the email address associated with the S/MIME certificate. The PGP server also checks that the signing CA is not expired.

These CRLs are queried and downloaded so that the validity and status of the certificate can be checked. Encryption Management Server releases prior to 10.5.1 have a 1 MB limit on downloaded Certificate Revocation Lists; if the CRL is larger than 1 MB, it is not used and errors such as the following may appear in the Mail log:

Could not retrieve URL http://crl.globalsign.com:80/gsgccr3personalsign2ca2020.crl: Maximum file size exceeded/
http://crl.swisssign.net:80/F0C7A33291B5EBCAB5587715A74EBE1A5D614325: Maximum file size exceeded/
http://crl.quovadisglobal.com:80/quovadisswissadvancedcag4.crl: Maximum file size exceeded/
There may also be some errors in the mail logs on the PGP server similar to the following:

reply: read error from 192.168.1.104

Connection refused by 192.168.1.104


Environment

Symantec Encryption Management Server release 10.5 and above.

Resolution

Upgrade to release 10.5.1 or above.

Starting with release 10.5.1, the default download limit for CRL files is 5 MB, and it can be raised to 20 MB if necessary. This should prevent the "Maximum file size exceeded" error.
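As an added example (not Symantec's code), the script below triages the two kinds of Mail log errors quoted above, separating CRLs rejected for size from outbound connectivity failures, and checks whether a CRL of a given size fits the 1 MB, 5 MB or 20 MB limits described for the different releases. It assumes "MB" means 1024*1024 bytes, that release strings are plain dotted numbers such as "10.5" or "10.5.1", and uses a constructed sample log built from the lines shown in this article.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Default CRL download limits stated in the article. Assumption: "MB" is 1024*1024 bytes.
MB = 1024 * 1024
CRL_LIMIT_PRE_10_5_1 = 1 * MB    # releases before 10.5.1
CRL_LIMIT_DEFAULT = 5 * MB       # default from 10.5.1 onward
CRL_LIMIT_MAX = 20 * MB          # highest configurable value from 10.5.1 onward

# Patterns for the two error families shown in the Mail log.
SIZE_RE = re.compile(r"(https?://[^\s:]+(?::\d+)?/\S*?): Maximum file size exceeded")
CONN_RE = re.compile(r"(?:read error from|Connection refused by) (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log: the article's CRL lines plus the two connectivity errors it quotes.
SAMPLE_LOG = """\
Could not retrieve URL http://crl.globalsign.com:80/gsgccr3personalsign2ca2020.crl: Maximum file size exceeded/
http://crl.swisssign.net:80/F0C7A33291B5EBCAB5587715A74EBE1A5D614325: Maximum file size exceeded/
http://crl.quovadisglobal.com:80/quovadisswissadvancedcag4.crl: Maximum file size exceeded/
reply: read error from 192.168.1.104
Connection refused by 192.168.1.104
"""

@dataclass
class Finding:
    kind: str    # "crl_too_large" or "connectivity"
    target: str  # CRL URL or peer IP address

def triage_mail_log(text: str) -> list:
    """Classify Mail log lines: CRL rejected for size vs. outbound connectivity failure."""
    findings = []
    for line in text.splitlines():
        line = line.strip().rstrip("/")  # the log appends a trailing "/" to size errors
        if m := SIZE_RE.search(line):
            findings.append(Finding("crl_too_large", m.group(1)))
        elif m := CONN_RE.search(line):
            findings.append(Finding("connectivity", m.group(1)))
    return findings

def crl_within_limit(crl_bytes: int, release: str, configured_limit: Optional[int] = None) -> bool:
    """Would a CRL of crl_bytes be accepted by the given release (e.g. "10.5", "10.5.1")?"""
    version = tuple(int(p) for p in release.split("."))
    if version < (10, 5, 1):
        limit = CRL_LIMIT_PRE_10_5_1   # fixed 1 MB, not configurable
    else:
        limit = min(configured_limit or CRL_LIMIT_DEFAULT, CRL_LIMIT_MAX)
    return crl_bytes <= limit
```

Running `triage_mail_log(SAMPLE_LOG)` yields three `crl_too_large` findings with the CRL URLs and two `connectivity` findings for 192.168.1.104, which is the split that tells you whether an upgrade (size) or an outbound HTTP problem (connectivity) is the likely cause.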

In addition to the typical "http://crl" download method, the PGP server can perform these lookups using OCSP (Online Certificate Status Protocol). OCSP can handle these lookups more quickly, but there are sometimes issues connecting with this protocol, and some CAs may not have OCSP enabled. When that happens, the CRL method is used instead.

The PGP server can be configured for CRL-only lookups, OCSP-only lookups, or both. Issues have been observed with the "ocsponly", "ocsp" and "crl" modes. As a workaround, "crlonly" can be used to avoid some of these issues.

For assistance with configuring these parameters, please contact Symantec Encryption Support.


Additional Information

EPG-22601


163194 - Symantec Encryption Management Server may encrypt messages to revoked S/MIME certificates if the CRL or OCSP is unavailable

171558 - Inbound S/MIME messages fail to be decrypted if Encryption Management Server cannot make outbound HTTP connections

174739 - Encryption Management Server enables the Certificate Revocation Service by default