3 Replies Latest reply on Oct 27, 2011 1:47 AM by jghaanstra

    CRL control through proxy with authentification

    SDommanget

      Hi,

       

      When I open a signed PDF with Adobe Reader (I tried with v9.2 and v 9.4) the CLR control happens which is normal.

      Adobe uses my windows network conf and makes an http call through our enterprise proxy (for instance http://crl.swisssign.net).

       

      The problem is that an authentification is required through this proxy but adobe does not use my windows credentials. We can make it work by permitting non authentificated calls to this URL in our proxy but the problem will occur with each new certificate authority (each new CRL URL).

       

      Is there a problem with my Reader settings ?

      If I try an update, reader can access Internet so it uses my credentials in the proxy in this case.

       

      Thanks !

       

      SD.

        • 1. Re: CRL control through proxy with authentification
          jghaanstra

          Sorry to revive an old thread but we seem to be running into the exact same issue. We have a signed PDF which validates on machines with a direct connection to the internet. However at our company this same PDF does not validate using Adobe Acrobat reader version 9.x. The retrieval of the Adobe Approved Trust List (AATL) words fine as it uses the Windows proxy settings as configured in Internet Explorer.

           

          However, it seems that the http request for checking the Certificate Revocation List (DRL) when validating the signatures from the PDF is not using these proxy settings. This results in the fact that Adobe Acrobat Reader can not check if the certificates from the PDF are revoked and Adobe Acrobat Reader can not validate the PDF.

           

          The CRL check works fine in Adobe Acrobat Reader version 10 (X), But we plan to use certified PDF's as a public service so we need broad support for this feature, also for use within other companies that have Adobe Acrobat Reader version 9.

           

          Could this bug be verified by Adobe and tell me if there is a fix for it.

           

          Regards,

           

          JH

          • 2. Re: CRL control through proxy with authentification
            SDommanget Level 1

            For information : we had to open non-authentificadted access to the CRL Url in our firewalls. No response from Adobe...

            • 3. Re: CRL control through proxy with authentification
              jghaanstra Level 1

              For reference: Adobe has acknowledged that  Adobe version 9 does not use the OS proxy settings. Below a formal reaction from Adobe. We have decided to set Adobe Reader X as requirement for our users and not walk the path of submitting a support ticket.

               

              Acrobat has different methods implemented to access resources on the Web, some use the OS native Internet sockets (thus leveraging the OS ability to manage authenticated navigation through proxies), some are directly managed by the Acrobat code, like in case of revocation information checking.

               

              The last patch to Acrobat/Reader X (10.1.1) which has been released a few weeks ago has added full support to this, so as the user has noticed this now works in X. I don’t think this has been ported back in version 9.x patches as well, and I don’t know how much the effort would be to port it if required by customers.

               

              I don’t know if the case is business critical, but if so then opening a CCR would be the right path to have the fix regressed to version 9 as well.