Options of the addon can be accessed through the static SecurityOptions class:

  • UseServerSentIntermediateCertificates: If false, only certificates stored in the trusted intermediates database are used to reconstruct the certificate chain. When set to true (default), it improves compatibility but the addon going to use/accept certificates that not stored in its trusted database.
  • FolderAndFileOptions: Folder, file and extension options.
  • OCSP: OCSP and OCSP cache options.
  • TrustedRootsOptions: Database options of the Trusted CAs database.
  • TrustedIntermediatesOptions: Database options of the Trusted Intermediate Certifications database
  • Database options of the Client Credentials database: Database options of the Client Credentials database

OCSP Options

  • ShortLifeSpanThreshold: The addon not going to check revocation status for short lifespan certificates.
  • EnableOCSPQueries: Enable or disable sending out OCSP requests for revocation checking.
  • FailHard: Treat unknown revocation statuses (unknown OCSP status or unreachable servers) as revoked and abort the TLS negotiation.
  • FailOnMissingCertStatusWhenMustStaplePresent: Treat the TLS connection failed if the leaf certificate has the must-staple flag, but the server doesn’t send certificate status.
  • OCSPCache: OCSP Cache Options as detailed below

OCSP Cache Options

OCSP request caching related options.

  • MaxWaitTime: Maximum wait time to receive an OCSP response. Depending on the OCSP Options’ FailHard value if no response is received in the given time the TLS negotiation might fail.
  • RetryUnknownAfter: Wait time to retry to get a new OCSP response when the previous response’s status is unknown.
  • FolderName: OCSP cache’s folder name.
  • DatabaseOptions: Options for the OCSP cache database.
  • HTTPRequestOptions: Customization options for the OCSP requests.

OCSP Cache’s HTTPRequest Options

OCSP requests are plain old HTTPRequests and every BestHTTP/2 global settings affecting them, but through this options OCSP requests can be further customized.

  • DataLengthThreshold: A threshold in bytes to switch to a POST request instead of GET. Setting it to 0 all requests are sent as POST.
  • UseKeepAlive: Whether to try to keep the connection alive to the OCSP server.
  • UseCache: Whether to cache responses if possible.
  • ConnectTimeout: Time limit to establish a connection to the server.
  • Timeout: Time limit to send and receive an OCSP response from the server.

Database Options

  • Name: Name of the database. This name is used to create the database files.
  • UseHashFile Whether to calculate a hash from the database and write it to a file. It has a useage only if the file is created ‘offline’ and bundled with the application.
  • DiskManager: Options for the database’s DiskManager instance.

DiskManager Options

  • MaxCacheSizeInBytes: This limits the maximum database rows kept in memory.
  • HashDigest: Hash digest algorithm name to generate the database’s hash.


using BestHTTP.Addons.TLSSecurity;

// To disable the OCSP cache's memory cache:
SecurityOptions.OCSP.OCSPCache.DatabaseOptions.DiskManager.MaxCacheSizeInBytes = 0;