1006479 - StartCom: OCSP responder often returns "unknown" for recently-issued certificates

Status: RESOLVED WONTFIX

(CA Program :: CA Certificate Root Program, task)

Description

[Martin von Wittich]

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36

Steps to reproduce:

The StartSSL CA provides free certificates that are valid for one year[1]. Unfortunately, when one replaces such a certificate that is about to expire, it can take several hours (possibly up to a day) before the StartSSL OCSP server is updated with the new certificate and it will therefore reply with "unknown". In the meantime, all users trying to access the site receive the following error:

An error occurred during a connection to example.com.
The OCSP server has no status for the certificate.
(Error code: sec_error_ocsp_unknown_cert)

At least Chrome and IE seem to ignore the "unknown" reply and will display the site fine, while Opera also seems to block the request.

Should this check in Firefox be relaxed so that only sites with a "revoked" OCSP reply get blocked? I don't know if this would introduce a security vulnerability; if so, then please ignore this request.

[1] http://www.startssl.com/?app=1

Comment 1

[YF (Yang)]

Maybe to bug 849722.

Comment 2

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

(In reply to Martin von Wittich from comment #0)
> The StartSSL CA provides free certificates that are valid for one year[1].
> Unfortunately, when one replaces such a certificate that is about to expire,
> it can take several hours (possibly up to a day) before the StartSSL OCSP
> server is updated with the new certificate and it will therefore reply with
> "unknown". In the meantime, all users trying to access the site receive the
> following error:
> 
> An error occurred during a connection to example.com.
> The OCSP server has no status for the certificate.
> (Error code: sec_error_ocsp_unknown_cert)

The requirements for certificates issued by CAs in Mozilla's program were changed to require CAs to respond with "unknown" for certificates they don't know about yet; previously, many (most? all?) CAs were returning "yes, this is a good certificate; carry on". The requirements were changed so that CAs would have better defense against mis-issuance via this OCSP mechanism, based on real-life CA compromises (especially Diginotar). Any relaxation of the Firefox behavior would diminish Firefox's ability to protect users against mis-issuance.

Firefox should stop making the OCSP requests, which would avoid this most of the time. That is what Google Chrome does. But, ultimately, StartCom needs to fix its OCSP responder so that it doesn't take a day or hours or even more than a few minutes for the OCSP responder to learn that a certificate has been issued. Otherwise, OCSP must-staple won't work correctly for StartCom-issued certificates.

So, I'm moving this be moved over to the "mozilla.org :: CA Certificates" component so that Kathleen (and/or others) can work with StartCom on the matter. I also CC'd the representative from StartCom on this bug.

Comment 3

[Kathleen Wilson]

Assigning to Eddy, since this is a StartCom issue.

Comment 4

[lussnig]

This is also today the case.
Firefox (nightly) blocks the request:

An error occurred during a connection to suche.org. 
The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

Comment 5

[Eddy Nigg (StartCom)]

There is already bug 1151270

Comment 6

[Peter Gervai]

Just a few sidenotes:

1) The issue is recurring. Or should I say it's ongoing.

2) openssl ocsp check doesn't quite like startcom (at least those which miss the --header option), but gnutls seems to work just fine:
$ ocsptool --ask --load-issuer=sub.class1.server.ca.pem --load-signer=sub.class1.server.ca.pem --load-cert=mydomain.crt

...
                Certificate Status: unknown
...

3) This issue is still "UNCONFIRMED" contrary to the quite well commented and observed events. it's a startom ocsp server issue but since Mozilla rejects unknowns rather harsh (it's absolutely impossible to go on) it has a good place here.

Comment 7

[Tadej Janež]

I've just been bitten by this today.

As Peter Gervai noted in comment #6, Smartcom's OCSP server responds with "Certificate Status: unknown" for a recently issued certificate and Firefox rejects them rather harshly.

Eddy Nigg, can you provide some more information on how long does Smartcom's OCSP server take to update with newly issued certificates?

Thanks!

Comment 8

[peter gervai]

I thought I have found a way to trick startssl ocsp server: try to retrieve your cert after a few minutes. Sometimes works, but sometimes not (yesterday I had to wait a few _hours_ for the cert to appear in working order, no matter what magic I have tried to cast).

Comment 9

[Peter Gervai]

(By no means this sidenote means firefox shouldn't change outright rejection, or that Eddie shouldn't worry about fixing this, just an advice for those bitten by that:

When you create a new cert on StartSSL don't install it for 10 minutes, or more generally: do not initiate OCSP check on the cert for at least 10 minutes. If you do and the cert isn't yet in the OCSP database it gets negative cached for 6 hours. The "10 minute" value is a guesstimate.)

Comment 10

[Peter Gervai]

By the way it happens pretty often that even for older domains OCSP is either unavailable to the reply isn't tasty enough for FF, which results a **completely unusable** website, no possible override, no nothing. Dead. For 10-60 minutes, recently.
I would very much appreciate some possibility to override (eg. ignore OCSP errors).

Comment 11

[Gervase Markham [:gerv]]

Resolving; if StartCom becomes trusted again, they are unlikely to have the same issues.

Gerv