Closed Bug 1006479 Opened 8 years ago Closed 5 years ago

StartCom: OCSP responder often returns "unknown" for recently-issued certificates

Categories

(NSS :: CA Certificate Root Program, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: martin.von.wittich, Assigned: eddy_nigg, NeedInfo)

References

Details

(Whiteboard: BR Compliance)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36

Steps to reproduce:

The StartSSL CA provides free certificates that are valid for one year[1]. Unfortunately, when one replaces such a certificate that is about to expire, it can take several hours (possibly up to a day) before the StartSSL OCSP server is updated with the new certificate and it will therefore reply with "unknown". In the meantime, all users trying to access the site receive the following error:

An error occurred during a connection to example.com.
The OCSP server has no status for the certificate.
(Error code: sec_error_ocsp_unknown_cert)

At least Chrome and IE seem to ignore the "unknown" reply and will display the site fine, while Opera also seems to block the request.

Should this check in Firefox be relaxed so that only sites with a "revoked" OCSP reply get blocked? I don't know if this would introduce a security vulnerability; if so, then please ignore this request.

[1] http://www.startssl.com/?app=1
Maybe to bug 849722.
Component: Untriaged → Security: PSM
Product: Firefox → Core
(In reply to Martin von Wittich from comment #0)
> The StartSSL CA provides free certificates that are valid for one year[1].
> Unfortunately, when one replaces such a certificate that is about to expire,
> it can take several hours (possibly up to a day) before the StartSSL OCSP
> server is updated with the new certificate and it will therefore reply with
> "unknown". In the meantime, all users trying to access the site receive the
> following error:
> 
> An error occurred during a connection to example.com.
> The OCSP server has no status for the certificate.
> (Error code: sec_error_ocsp_unknown_cert)

The requirements for certificates issued by CAs in Mozilla's program were changed to require CAs to respond with "unknown" for certificates they don't know about yet; previously, many (most? all?) CAs were returning "yes, this is a good certificate; carry on". The requirements were changed so that CAs would have better defense against mis-issuance via this OCSP mechanism, based on real-life CA compromises (especially Diginotar). Any relaxation of the Firefox behavior would diminish Firefox's ability to protect users against mis-issuance.

Firefox should stop making the OCSP requests, which would avoid this most of the time. That is what Google Chrome does. But, ultimately, StartCom needs to fix its OCSP responder so that it doesn't take a day or hours or even more than a few minutes for the OCSP responder to learn that a certificate has been issued. Otherwise, OCSP must-staple won't work correctly for StartCom-issued certificates.

So, I'm moving this over to the "mozilla.org :: CA Certificates" component so that Kathleen (and/or others) can work with StartCom on the matter. I also CC'd the representative from StartCom on this bug.
Assignee: nobody → kwilson
Component: Security: PSM → CA Certificates
Product: Core → mozilla.org
Summary: Be more relaxed about sec_error_ocsp_unknown_cert? → StartCom's OCSP responder often returns "unknown" for recently-issued certificates
Version: 29 Branch → other
Assigning to Eddy, since this is a StartCom issue.
Assignee: kwilson → eddy_nigg
This is also the case today.
Firefox (nightly) blocks the request:

An error occurred during a connection to suche.org. 
The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)
There is already bug 1151270
Just a few sidenotes:

1) The issue is recurring. Or should I say it's ongoing.

2) openssl ocsp check doesn't quite like startcom (at least those which miss the --header option), but gnutls seems to work just fine:
$ ocsptool --ask --load-issuer=sub.class1.server.ca.pem --load-signer=sub.class1.server.ca.pem --load-cert=mydomain.crt

...
                Certificate Status: unknown
...

3) This issue is still "UNCONFIRMED" contrary to the quite well commented and observed events. It's a startcom ocsp server issue, but since Mozilla rejects unknowns rather harshly (it's absolutely impossible to go on) it has a good place here.
I've just been bitten by this today.

As Peter Gervai noted in comment #6, StartCom's OCSP server responds with "Certificate Status: unknown" for a recently issued certificate and Firefox rejects it rather harshly.

Eddy Nigg, can you provide some more information on how long StartCom's OCSP server takes to update with newly issued certificates?

Thanks!
Flags: needinfo?(eddy_nigg)
I thought I had found a way to trick the startssl ocsp server: try to retrieve your cert after a few minutes. Sometimes it works, but sometimes not (yesterday I had to wait a few _hours_ for the cert to appear in working order, no matter what magic I tried to cast).
(By no means does this sidenote mean Firefox shouldn't change its outright rejection, or that Eddy shouldn't worry about fixing this; it's just advice for those bitten by it:

When you create a new cert on StartSSL don't install it for 10 minutes, or more generally: do not initiate an OCSP check on the cert for at least 10 minutes. If you do and the cert isn't yet in the OCSP database, it gets negatively cached for 6 hours. The "10 minute" value is a guesstimate.)
Flags: sec-bounty?
Flags: needinfo?
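A deployment gate built on the advice above, added here as an example (it is not code from this bug thread, from Mozilla or from StartCom): it waits before the first OCSP query so an early "unknown" is not negatively cached, then polls `openssl ocsp` until the responder verifies the new certificate as good, and refuses to report success on an unverified or error response. Assumptions: the OpenSSL 1.1.0+ `-header name=value` syntax (older releases take `-header name value`), that the responder URL is readable from the certificate's AIA extension via `openssl x509 -ocsp_uri`, and a default initial delay of 600 seconds taken from the 10-minute guesstimate.

```shell
#!/bin/sh
# Added example: gate certificate rollout on the CA's OCSP responder knowing the
# new certificate. Assumes OpenSSL >= 1.1.0 ("-header name=value" syntax).
set -u

# ocsp_status: read `openssl ocsp ... 2>&1` output on stdin, print one of
# good / revoked / unknown / error. "good" needs a verified response.
ocsp_status() {
    out=$(cat)
    st=$(printf '%s\n' "$out" |
        awk -F': ' '$2=="good"||$2=="revoked"||$2=="unknown" {print $2; exit}')
    if printf '%s\n' "$out" | grep -q 'Responder Error'; then
        st=error
    elif [ "$st" = good ] && ! printf '%s\n' "$out" | grep -q 'Response verify OK'; then
        st=error                                   # "good" but signature not verified
    fi
    case "$st" in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 2 ;;
        unknown) echo unknown; return 3 ;;
        *)       echo error;   return 1 ;;
    esac
}

# wait_for_ocsp_good ISSUER_PEM CERT_PEM [INITIAL_DELAY_S] [INTERVAL_S] [MAX_TRIES]
# Waits before the first query so an early "unknown" is not cached by the
# responder, then polls until the status is "good". Exit 0 = safe to deploy.
wait_for_ocsp_good() {
    issuer=$1; cert=$2; delay=${3:-600}; interval=${4:-60}; tries=${5:-30}
    url=$(openssl x509 -noout -ocsp_uri -in "$cert")   # responder URL from AIA
    host=${url#*://}; host=${host%%/*}                 # Host header value
    sleep "$delay"
    i=0
    while [ "$i" -lt "$tries" ]; do
        st=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" \
                 -header "Host=$host" -resp_text 2>&1 | ocsp_status)
        case "$st" in
            good)    echo "OCSP status good; safe to deploy $cert"; return 0 ;;
            revoked) echo "certificate reported revoked; do not deploy" >&2; return 2 ;;
            *)       echo "query $((i + 1)): status $st, retrying in ${interval}s" >&2 ;;
        esac
        i=$((i + 1)); sleep "$interval"
    done
    echo "no good status after $tries queries; do not deploy yet" >&2
    return 3
}

if [ $# -ge 2 ]; then wait_for_ocsp_good "$@"; fi   # run only when paths are given
```

Run as `sh ocsp-gate.sh sub.class1.server.ca.pem mydomain.crt` and switch the server to the new certificate only when it exits 0.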
By the way, it happens pretty often that even for older domains OCSP is either unavailable or the reply isn't tasty enough for FF, which results in a **completely unusable** website, no possible override, no nothing. Dead. For 10-60 minutes, recently.
I would very much appreciate some possibility to override (e.g. ignore OCSP errors).
Flags: sec-bounty?
Flags: needinfo?
Whiteboard: BR Compliance
Summary: StartCom's OCSP responder often returns "unknown" for recently-issued certificates → StartCom: OCSP responder often returns "unknown" for recently-issued certificates
Resolving; if StartCom becomes trusted again, they are unlikely to have the same issues.

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS