Closed Bug 1005718 Opened 7 years ago Closed 5 years ago

(mozilla::pkix) Some websites fail with sec_error_ocsp_old_response when security.OCSP.require=true due to old OCSP responses for the end-entity certificate

Categories

(Core :: Security: PSM, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED WONTFIX

People

(Reporter: mcepl, Unassigned)

Details

When connecting to my bank https://www.erasvet.cz/ (or its business-oriented cousin https://ib24.csob.cz/ ; it is the largest Czech bank) I get this error:

    An error occurred during a connection to www.erasvet.cz.
    The OCSP response contains out-of-date information.
    (Error code: sec_error_ocsp_old_response)

Could somebody tell me whether it is a problem in their certificate or something in Firefox/Nightly? (and sorry, if this in the end turns out to be a support issue)
And yes, switching security.use_mozillapkix_verification to false (default seems to be true in Nightly) makes my bank work. And https://www.grc.com/x/news.exe?cmd=article&group=grc.securitynow&item=26247&utag= and https://www.grc.com/x/news.exe?cmd=article&group=grc.securitynow&item=26246&utag= give a bit of analysis to the issue.
Based on information in those links, this looks like the same as bug 991815.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 991815
(In reply to David Keeler (:keeler) from comment #2)
> Based on information in those links, this looks like the same as bug 991815.

Bug 991815 is about whether the EV indicator is displayed or not, not about whether the site works. Even if we don't fix bug 991815, we'd expect sites to still work because we soft-fail on expired responses in the normal configuration. Based on the discussion in bug 991815 about this bug, it seems the problem is our stricter validity period checks in combination with security.OCSP.require=true.

I am reopening this to restart the discussion about it but my view is that we don't need to spend much time trying to support the non-default security.OCSP.require=true configuration, which we already know to be problematic for several reasons besides this issue.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: (mozilla::pkix) Is erasvet.cz failing to connect problem with this library? → (mozilla::pkix) Some websites fail with sec_error_ocsp_old_response when security.OCSP.require=true due to old OCSP responses for the end-entity certificate
I got bit by this today, and it turned out I had security.OCSP.require=true (userset) in about:config.

We might want to put something more actionable in the error message for users who hit this if we detect security.OCSP.require=true...
(In reply to Mike Conley (:mconley) from comment #4)
> I got bit by this today, and it turned out I had security.OCSP.require=true
> (userset) in about:config.
> 
> We might want to put something more actionable in the error message for
> users who hit this if we detect security.OCSP.require=true...

I agree.

Yesterday, on 2014-05-21, I could not access my web e-mail
at https://secure.runbox.com

>  An error occurred during a connection to secure.runbox.com.
>  The OCSP response contains out-of-date information.
>  (Error code: sec_error_ocsp_old_response)

I have an Aurora profile (31.0a2) that I ONLY use for e-mail.

Some 'non-default' prefs include:

user_pref("browser.cache.disk.enable", false);

user_pref("security.OCSP.require", true);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

I was able to use another Profile (with Fx 29.0.1) to access my web e-mail.

I did find the wiki helpful.
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing

Runbox do use an Extended Validation Certificate.
https://www.ssllabs.com/ssltest/analyze.html?d=secure.runbox.com&hideResults=on

Today, after a bit of research in bugzilla, I was able to access my e-mail
after I had set "security.use_mozillapkix_verification" to false.

user_pref("security.use_mozillapkix_verification", false); 

I would like to keep using
user_pref("security.OCSP.require", true);

DJ-Leith
I frequently run into this on WordPress sites (e.g., https://p6weekly.wordpress.com/); I leave Firefox open for long periods. I can fix it by unchecking and then immediately re-checking "Query OCSP responder servers to confirm the current validity of certificates" in about:preferences#advanced -> Certificates, then clicking "Try Again" on the error page. (Firefox 41.0)
Dean, what is the value of "security.OCSP.require" in about:config for you?
Flags: needinfo?(dean.prog)
Sorry, right, I should have included that I also have security.OCSP.require=true.
Flags: needinfo?(dean.prog)
Thanks for confirming that. Unfortunately, if you've set security.OCSP.require to true, this is more or less expected behavior. What I think is going on is Firefox receives a good response and caches it. Some time later (when verifying a certificate that response corresponds to), that cached response has expired, so Firefox attempts to fetch an updated response. If that fails, Firefox falls back to the cached (expired) response and returns sec_error_ocsp_old_response. To prevent this behavior, set security.OCSP.require to false (which is the default).
Status: REOPENED → RESOLVED
Closed: 7 years ago → 5 years ago
Resolution: --- → WONTFIX
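
A simplified model of the behaviour described in the last comment (the cached response expires, the refetch fails, Firefox falls back to the expired copy), set beside the default soft-fail case. This is an added example, not mozilla::pkix or Firefox code; the host name, the four-day validity window, `verify`, `OcspResponse` and the `NO_RESPONSE` label are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OLD_RESPONSE = "sec_error_ocsp_old_response"   # error code quoted in this bug
NO_RESPONSE = "no-ocsp-response"               # placeholder label, not an NSS code

@dataclass
class OcspResponse:
    this_update: datetime
    next_update: datetime

    def is_current(self, now):
        return self.this_update <= now <= self.next_update

def verify(cache, host, fetch, now, ocsp_require):
    """Return (connects, error) for one end-entity check in this toy model."""
    cached = cache.get(host)
    if cached and cached.is_current(now):
        return True, None                  # fresh cached response, no fetch
    try:
        fetched = fetch()                  # cache empty or expired: ask responder
    except OSError:
        fetched = None                     # responder unreachable
    if fetched and fetched.is_current(now):
        cache[host] = fetched
        return True, None
    if not ocsp_require:
        return True, None                  # default: soft-fail, connection proceeds
    # security.OCSP.require=true: an out-of-date response is a hard failure
    return False, (OLD_RESPONSE if (fetched or cached) else NO_RESPONSE)

def responder_down():
    raise OSError("constructed failure: OCSP responder unreachable")

def demo():
    """Same cached response, checked while valid and after it expires."""
    t0 = datetime(2014, 5, 21, tzinfo=timezone.utc)      # constructed timestamps
    results = {}
    for require in (False, True):
        cache = {"mail.example": OcspResponse(t0, t0 + timedelta(days=4))}
        early = verify(cache, "mail.example", responder_down, t0 + timedelta(days=1), require)
        late = verify(cache, "mail.example", responder_down, t0 + timedelta(days=5), require)
        results[require] = (early, late)
    return results

if __name__ == "__main__":
    for require, (early, late) in demo().items():
        print(f"security.OCSP.require={require}: day 1 {early}, day 5 {late}")
```

Passing a `fetch` that returns an already expired response models the case in the bug summary, where the responder itself serves old data for the end-entity certificate.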