Closed
Bug 1011764
Opened 10 years ago
Closed 9 years ago
New sec_error_ocsp_invalid_signing_cert error on Fetlife
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: subcommandante, Unassigned)
References
Details
Attachments
(1 file)
|
1.20 KB,
text/plain
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140516004003
Steps to reproduce:
* Attempt to watch a video on Fetlife on a Desktop or
* Copy the url of the video and put it into the address bar
Actual results:
If you watch the video as part of the page, the Flash fallback (it always uses Flash fallback on Desktop), you get an error of: "Video not found or access denied: <URL>"
If you copy the video url from the source and put it in the address bar, I get the following error page:
Secure Connection Failed
An error occurred during a connection to videocdn.fetlife.com. Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
Expected results:
The video should play.
|
Reporter | |
Comment 1•10 years ago
|
||
Additional information: * I run Firefox Beta on my phone and this error does not occur.
|
|
Reporter | |
Comment 2•10 years ago
|
||
Also I get this error regardless of whether OCSP checking is turned on or off.
|
|
Reporter | |
Updated•10 years ago
|
Component: Untriaged → Security
Product: Firefox → Core
|
|
Reporter | |
Comment 3•10 years ago
|
||
Continues to fail after creating and using a new profile
|
|
Reporter | |
Comment 4•10 years ago
|
||
Works in 30b1 not in 31a
|
|
Reporter | |
Comment 5•10 years ago
|
||
Result of MozRegression: Last good revision: 382f676d0ed9 (2014-03-31) First bad revision: 1417d180a1d8 (2014-04-01) Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=382f676d0ed9&tochange=1417d180a1d8
|
|
Reporter | |
Comment 6•10 years ago
|
||
mozregression using inbounds: Last good revision: 5475d87513b4 First bad revision: 50ff5b820452 Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5475d87513b4&tochange=50ff5b820452
|
|
Reporter | |
Updated•10 years ago
|
Component: Security → Security: PSM
|
|
Reporter | |
Comment 7•10 years ago
|
||
Works now using 31.0a2 (2014-06-02) Not sure what changed but thanks :)
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
|
|
Reporter | |
Comment 8•10 years ago
|
||
Problem has returned in 31.0a (2014-06-03)
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
|
||
Comment 9•10 years ago
|
||
David, can you help figure out what's going on here?
Flags: needinfo?(dkeeler)
|
|
||
Comment 10•10 years ago
|
||
(In reply to subcommandante from comment #6) > mozregression using inbounds: > > Last good revision: 5475d87513b4 > First bad revision: 50ff5b820452 > Pushlog: > https://hg.mozilla.org/integration/mozilla-inbound/ > pushloghtml?fromchange=5475d87513b4&tochange=50ff5b820452 This points to mozilla::pkix enabling...
subcommandante, do you have a specific url I can use to reproduce the problem? Thanks.
Flags: needinfo?(dkeeler) → needinfo?(subcommandante)
|
|
Reporter | |
Comment 12•10 years ago
|
||
An example url is https://videocdn.fetlife.com/videos/3496bfdc-ec67-496a-9c90-584fc3b9abf6/encoded.mp4 (completely and utterly not safe for work). If you'd like to avoid the video (which I would understand), I'm happy to perform the diagnosis with help. I've noticed that, as of late, the first time it loads, it will fail with sec_error_ocsp_invalid_signing_cert. If you reload though after a few seconds, it will load fine. Not sure what might be causing this.
|
|
||
Comment 13•10 years ago
|
||
I can reproduce on Windows with the testcase that's been provided, but not on OS X, where it asks me to activate quicktime (which presumably means that the connection succeeded just fine).
Flags: needinfo?(subcommandante) → needinfo?(dkeeler)
Thanks for the url, subcommandante - that definitely helped make this easier to figure out. As far as I can tell, the CDN is intermittently stapling an OCSP response signed by an expired delegated OCSP responder (attached) (either that or there's two different CDNs in use, one of which works and one of which doesn't). We may be able to work around this, but the best solution would be to contact the CDN and get them to fix their implementation.
Flags: needinfo?(dkeeler)
(FWIW, one IP serving the expired responder cert is 108.168.149.194)
|
||
Comment 16•10 years ago
|
||
I'm moving this to Tech Evangelism based on comment 14.
Assignee: nobody → english-us
Component: Security: PSM → English US
Product: Core → Tech Evangelism
Version: 31 Branch → unspecified
|
||
Updated•10 years ago
|
|
||
Comment 17•10 years ago
|
||
Is it still an issue? The video seems to be downloaded fine.
Assignee: english-us → nobody
Component: English US → Desktop
|
|
||
Comment 18•10 years ago
|
||
Rob, please see comment 4. Note that the linked-to video is NSFW. This issue is one I explained on the CABForum mailing list here: https://cabforum.org/pipermail/public/2014-July/003690.html I recommend following the advice I offered in that email: Make sure OCSP responses expire before the OCSP signer cert expires, so that web servers that ignore the OCSP response signing cert's expiration time will not run into this issue.
|
|
||
Comment 19•9 years ago
|
||
This seems to be working for me. Reopen if I closed too fast
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → WORKSFORME
|
Assignee | |
Updated•5 years ago
|
Product: Tech Evangelism → Web Compatibility
You need to log in
before you can comment on or make changes to this bug.
Description
•