Welcome to the SRP Forum! Please refer to the SRP Forum FAQ post if you have any questions regarding how the forum works.


edited April 27 in General
We call an API (over https and using let's encrypt as the root CA ) from OI using Msxml2.XMLHTTP.3.0. Sometimes we get this error message:

While googling this, I came across a blog post written by Don advising to use Msxml2.XMLHTTP.6.0 instead of Msxml2.XMLHTTP.3.0

We will try that and see if it works. But do you know if the 3.0 version supports the OCSP protocol for checking certificate revocation. https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

If it does not, it might explain why we get this error occasionally. But I wonder why the error occurs occasionally -- perhaps because the client only checks the revocation list occasionally?


  • I've not used OCSP so this is a bit outside my experience. But I would like to add a few comments:
    • The article I wrote suggested using Msxml2.ServerXMLHTTP.6.0. This is based on ServerXMLHTTP rather than XMLHTTP. ServerXMLHTTP can resolve issues that XMLHTTP cannot.
    • Still, even if XMLHTTP is the proper protocol, I would still suggest using 6.0 versus 3.0 because you always want to use the latest version unless you have a good reason not to.
    • We have implemented support for client side certificates with our wrapper around XMLHTTP / ServerXMLHTTP. However, this requires the setOption method, which is only supported by ServerXMLHTTP.
    Hope some of this is useful to you.
  • Thanks, I will try Msxml2.ServerXMLHTTP.6.0.

    We are not using a client certificate. All we are trying to do is validate the server's Let's Encrypt issued certificate. The validation is failing with error message "could not get revocation information for the certificate." I believe this is happening (but I haven't' been able to prove it yet) because Msxml2.XMLHTTP.3.0 uses the outdate CRL protocol to check certificate revocation, which Let's Encrypt does not support. If Msxml2.ServerXMLHTTP.6.0. also uses CRL, then it won't work either.
Sign In or Register to comment.