Enforce OCSP check on network error [New in Security Center 1.3 and updated in 2.0]
- Updated Aug 1, 2024
- 2 minutes to read
- Xanadu
- Platform Security
Learn how to configure the com.glide.communications.httpclient.ocsp_allow_network_error property to prevent bad actors from bypassing Online Certificate Status Protocol (OCSP) checks.
If com.glide.communications.httpclient.ocsp_allow_network_error is not set to the recommended value of false and the Online Certificate Status Protocol (OCSP) check encounters a network error (for example, a timeout or a failure to fetch the revocation information from the responder), the OCSP check is bypassed and treated as successful (a "soft fail"). An attacker who holds a revoked certificate, and who can keep the instance from reaching the OCSP responder, can therefore have that certificate accepted, undermining the Public Key Infrastructure (PKI) and digital-certificate trust on which TLS depends. A server presenting a revoked certificate is often an indicator of malicious activity; the benign exception is an endpoint that has not yet been updated with its replacement certificate.
Ensure the property com.glide.communications.httpclient.ocsp_allow_network_error exists and is set to false. If the property does not appear in the sys_properties table (System Properties, /sys_properties_list.do), add a new record with that name, data type boolean, and value false.
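The check-and-set step above, as an added example that is not part of the ServiceNow documentation: a server-side script (Scripts - Background or a Fix Script, run as admin) that looks up the property in sys_properties, creates it if it is missing, and rewrites it if it holds anything other than false. The decision logic is kept in a plain function so it can be exercised outside the platform; the field names (name, type, value, description) are the standard sys_properties columns, and the description text is an assumption of this example.

```javascript
// Added example, not ServiceNow's own code. ES5 syntax (var, no arrow functions)
// because ServiceNow server scripts run on Rhino.
var PROPERTY_NAME = 'com.glide.communications.httpclient.ocsp_allow_network_error';
var RECOMMENDED_VALUE = 'false';

// Pure decision logic, separated from the Glide API so it can be tested locally.
// `current` is null when no sys_properties record exists, otherwise the raw
// string stored in sys_properties.value.
function planPropertyFix(current) {
  if (current === null || current === undefined) {
    return { action: 'insert', value: RECOMMENDED_VALUE };
  }
  // sys_properties stores booleans as strings; normalise before comparing.
  var normalised = String(current).trim().toLowerCase();
  if (normalised === RECOMMENDED_VALUE) {
    return { action: 'none', value: normalised };
  }
  // "true", an empty string or any other value all leave OCSP in soft-fail
  // mode (the default is true), so each of them must be rewritten to "false".
  return { action: 'update', value: RECOMMENDED_VALUE };
}

// Applies the plan on the instance. GlideRecord and gs only exist inside
// ServiceNow, so this is a no-op when the file is run elsewhere (e.g. node).
function applyFix() {
  if (typeof GlideRecord === 'undefined') {
    return null;
  }
  var gr = new GlideRecord('sys_properties');
  gr.addQuery('name', PROPERTY_NAME);
  gr.query();
  var exists = gr.next();
  var plan = planPropertyFix(exists ? gr.getValue('value') : null);

  if (plan.action === 'insert') {
    gr.initialize();
    gr.setValue('name', PROPERTY_NAME);
    gr.setValue('type', 'boolean');
    gr.setValue('value', plan.value);
    // Description wording is this example's own, not a ServiceNow default.
    gr.setValue('description',
      'Fail closed when the OCSP responder cannot be reached (Security Center recommendation).');
    gr.insert();
  } else if (plan.action === 'update') {
    gr.setValue('value', plan.value);
    gr.update();
  }
  gs.info(PROPERTY_NAME + ': ' + plan.action + ' -> ' + plan.value);
  return plan;
}

applyFix();
```

Re-run the script after it has been applied once: the logged action should be "none", which confirms the stored value survived the update and the cache is serving false. Because the property fails closed once set, check any outbound integrations whose endpoints have slow or unreachable OCSP responders right after the change.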
More information
| Attribute | Description |
|---|---|
| Configuration name | com.glide.communications.httpclient.ocsp_allow_network_error |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | boolean |
| Recommended value | false |
| Default value | true |
| Category | Communications |
| Security risk | |
| Dependencies and prerequisites | None |
| Functional impact | This property determines whether a request to the Online Certificate Status Protocol (OCSP) URI listed in the server certificate's Authority Information Access (AIA) extension results in a pass or a fail outcome when that request hits a connection or timeout error. When the property is set to false and such an error occurs, the revocation status of the presented server certificate cannot be validated, so the outbound communication with that endpoint fails (a "hard fail"). When the property is at its default value of true and a network error occurs, the certificate is treated as valid from a revocation standpoint. Outbound integrations whose TLS endpoints have unreachable or unreliable OCSP responders will therefore begin failing once the property is set to false; verify those integrations after the change. |