We are using SEAS to do CRL checking during C:D session setup. We are having difficulties keeping up with some Certificate Authorities. Here is the process as we understand it…
1. The URL for CRL checking is pulled out of the certificate.
2. SEAS attempts to connect to that URL.
3. If the connection fails, CRL checking fails and the session fails.
The problem we are having is that several of the CAs have started using global DNS/IP addresses. When you do several lookups of the DNS name you get a set of IP addresses instead of just one. Also, we can get a different set of addresses when doing the lookups from Kansas City than we get from Parkersburg. This ends up being a large list of IP addresses and they are not always the same static set of addresses. The big issue for us is in the way our network security is structured. We have to open firewall rules for each address. We cannot just open outbound port 80 to the world. We do have port 80 outbound to the world but that is only via http proxy devices. If we could get SEAS to be http proxy aware that would greatly simplify things for us.