Enforce OCSP check on network error
Learn how to configure the com.glide.communications.httpclient.ocsp_allow_network_error property to prevent bad actors from bypassing Online Certificate Status Protocol (OCSP) checks.
If the com.glide.communications.httpclient.ocsp_allow_network_error system property is not explicitly set to the recommended value of false, and the OCSP check encounters a network-related issue, such as a timeout or a failure to retrieve revocation data, the system treats the OCSP validation as successful by default (it fails open).
Ensure the property com.glide.communications.httpclient.ocsp_allow_network_error exists and is set to false. If the property does not appear in the System Properties [sys_properties] table, add a new record.
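The check and remediation described above, as an added example that is not part of the ServiceNow documentation: a server-side script (intended for a Background Script in the instance, where GlideRecord is the real API) that looks up the property in sys_properties, creates it with the value false if it is missing, and corrects it if it is set to anything else. The small GlideRecord stand-in is constructed only so the logic can be run offline; the sys_properties field names `name`, `type` and `value` are assumed.

```javascript
// Added example, not ServiceNow's own code. Enforces the fail-closed setting
// for com.glide.communications.httpclient.ocsp_allow_network_error.
var PROP = 'com.glide.communications.httpclient.ocsp_allow_network_error';

if (typeof GlideRecord === 'undefined') {
  // Constructed stand-in for the real GlideRecord (only used offline, never
  // in the instance): an in-memory sys_properties table with equality queries.
  var STORE = { sys_properties: [] };
  globalThis.GlideRecord = function (table) { this.t = table; this.q = null; this.rows = []; this.i = -1; this.rec = null; };
  GlideRecord.prototype.addQuery = function (field, value) { this.q = [field, value]; };
  GlideRecord.prototype.query = function () {
    var q = this.q;
    this.rows = STORE[this.t].filter(function (r) { return !q || r[q[0]] === q[1]; });
  };
  GlideRecord.prototype.next = function () { this.i++; this.rec = this.rows[this.i] || null; return !!this.rec; };
  GlideRecord.prototype.getValue = function (field) { return this.rec[field]; };
  GlideRecord.prototype.initialize = function () { this.rec = {}; };
  GlideRecord.prototype.setValue = function (field, value) { this.rec[field] = value; };
  GlideRecord.prototype.insert = function () { STORE[this.t].push(this.rec); return 'constructed_sys_id'; };
  GlideRecord.prototype.update = function () { return 'constructed_sys_id'; };
}

// Returns 'created' (property was missing and has been added with value false),
// 'corrected' (property existed with a value other than false and was reset),
// or 'compliant' (property already set to false). Boolean system properties
// store their value as the string 'true' / 'false'.
function enforceOcspNetworkError() {
  var gr = new GlideRecord('sys_properties');
  gr.addQuery('name', PROP);
  gr.query();
  if (!gr.next()) {
    // Missing property: the platform falls back to true (fail-open), so add it.
    gr.initialize();
    gr.setValue('name', PROP);
    gr.setValue('type', 'boolean');
    gr.setValue('value', 'false');
    gr.insert();
    return 'created';
  }
  if (gr.getValue('value') !== 'false') {
    gr.setValue('value', 'false');
    gr.update();
    return 'corrected';
  }
  return 'compliant';
}
```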
More information
| Attribute | Description |
|---|---|
| Configuration name | com.glide.communications.httpclient.ocsp_allow_network_error |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | Boolean |
| Recommended value | false |
| Default value | None |
| Fallback value | true |
| Category | Communications |
| Security risk | |
| Dependencies and prerequisites | None |
| Functional impact | This property determines whether a request to the Authority Information Access (AIA) OCSP URI results in a pass or a fail outcome when a connection or timeout error occurs. When set to false, a network error means the revocation status of the presented server certificate cannot be validated, and communication with that endpoint fails. When set to true (the fallback value used when the property is not set), a network error leaves the certificate treated as valid from a revocation standpoint. |