mozilla::pkix does not show message when connecting to a site whose SSL cert is revoked

RESOLVED DUPLICATE of bug 997509

Status


defect
RESOLVED DUPLICATE of bug 997509
5 years ago
5 years ago

People

(Reporter: veeresh_badigar, Unassigned)

Tracking

unspecified
x86_64
Windows 7

Firefox Tracking Flags

(firefox33 affected)

Details

Reporter

Description

5 years ago
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; chromeframe/32.0.1700.107; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E)

Steps to reproduce:

Visit a site whose SSL certificate is revoked


Actual results:

Shows the below message, which is not correct:

"Not Found
The Requested URL/was not found on this server" 


Expected results:

Should show 'Peer's Certificate has been revoked'
Comment 1

5 years ago
Hi there, do you have an example site/URL to demonstrate with?

If not, I'll go and find a site whose cert has been revoked to confirm, but it would be faster if you were able to provide us with one.

Thank you.
Flags: needinfo?(veeresh_badigar)
Reporter

Comment 2

5 years ago
Could you please see if you can find a site with a revoked cert?
Flags: needinfo?(veeresh_badigar)
Comment 3

5 years ago
https://test-sspev.verisign.com:2443/test-SSPEV-revoked-verisign.html

I can confirm that we are not getting the error with Fx32, pkix enabled.

If I disable pkix, the error is displayed as expected.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4

5 years ago
Looks like verisign is serving up responses from > 10 days ago, so we consider them expired and discard them. Bug 997509 will change this so we make use of this information instead.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 997509
Group: core-security
Comment 5

5 years ago
Kathleen, I think this expired/long-lived OCSP response issue should be added to https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix or to the "Problematic Practices" document, since I think we've seen multiple CAs have this issue. I'm not sure which you prefer (if not both), so I'll leave it to you to decide where to put it, if anywhere.
Flags: needinfo?(kwilson)

Comment 6

5 years ago
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #5)
> Kathleen, I think this expired/long-lived OCSP response issue should be
> added to
> https://wiki.mozilla.org/SecurityEngineering/mozpkix-
> testing#Things_for_CAs_to_Fix or to the "Problematic Practices" document,
> since I think we've seen multiple CAs have this issue. I'm not sure which
> you prefer (if not both), so I'll leave it to you to decide where to put it,
> if anywhere.


Is this the same issue as bullet #1 in https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Future_Considerations ?
Flags: needinfo?(kwilson)

Updated

5 years ago
Flags: needinfo?(brian)
Comment 7

5 years ago
(In reply to Kathleen Wilson from comment #6)
> (In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response)
> from comment #5)
> > Kathleen, I think this expired/long-lived OCSP response issue should be
> > added to
> > https://wiki.mozilla.org/SecurityEngineering/mozpkix-
> > testing#Things_for_CAs_to_Fix or to the "Problematic Practices" document,
> > since I think we've seen multiple CAs have this issue. I'm not sure which
> > you prefer (if not both), so I'll leave it to you to decide where to put it,
> > if anywhere.
> 
> Is this the same issue as bullet #1 in
> https://wiki.mozilla.org/SecurityEngineering/mozpkix-
> testing#Future_Considerations ?

No. The item you linked to is about proposed future changes to the baseline requirements. The issue here is failure to adhere to, or misunderstanding (on our part or the CAs' part) of, the existing requirement that end-entity OCSP responses be less than 10 days old.
Flags: needinfo?(brian)

Comment 8

5 years ago
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #7)
> 
> No. The item you linked to is about proposed future changes to the baseline
> requirements. The issue here is failure to adhere to, or misunderstanding (on
> our part or the CAs' part) of, the existing requirement that end-entity OCSP
> responses be less than 10 days old.

I see. 

BR #13.2.2: "For the status of Subscriber Certificates: ... The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days."

That seems straightforward to me, so I guess the problem is that some CAs are still not compliant with this BR.

So, I added it as item #6 to the wiki page: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
It's too late in regards to the recent CA Communication, but I added it to the wiki page so we'll remember to add it to our testing/metrics and take appropriate action later.
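The following is an added example, not code from this bug, from mozilla::pkix, or from the CA in question. It models the two rules the thread turns on: the client-side freshness window described in comment 4 (a response produced more than 10 days ago is treated as expired and discarded, so a stale "revoked" response is never acted on and the revoked test site loads without an error), and the CA-side BR 13.2.2 text quoted in comment 8 (refresh at least every four days, maximum expiration time ten days). The check is keyed on thisUpdate age as comment 4 describes; that, the constant names, the `SingleResponse` shape and every date below are assumptions constructed for the example, not values taken from the real responses.

```python
"""Model of the OCSP freshness rules discussed in this bug (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Client side: discard a response whose thisUpdate is older than this (comment 4).
MAX_RESPONSE_AGE = timedelta(days=10)
# CA side, BR 13.2.2 as quoted in comment 8.
BR_MAX_VALIDITY = timedelta(days=10)   # "maximum expiration time of ten days"
BR_MAX_REFRESH = timedelta(days=4)     # "update ... at least every four days"


@dataclass(frozen=True)
class SingleResponse:
    """Subset of an RFC 6960 SingleResponse; field names are assumptions."""
    cert_status: str                   # "good" | "revoked" | "unknown"
    this_update: datetime
    next_update: Optional[datetime] = None


def client_disposition(resp: SingleResponse, now: datetime,
                       max_age: timedelta = MAX_RESPONSE_AGE) -> str:
    """What a client enforcing the 10-day window does with one response.

    Returns "revoked" or "good" when the response is fresh enough to use,
    "unknown" when it carries no status, and "discarded" when it is stale.
    The failure mode this bug is about: a discarded "revoked" response
    leaves the client with no revocation information at all.
    """
    if resp.next_update is not None and now > resp.next_update:
        return "discarded"             # past the response's own expiry
    if now - resp.this_update > max_age:
        return "discarded"             # produced too long ago, even if nextUpdate is later
    if resp.cert_status in ("good", "revoked"):
        return resp.cert_status
    return "unknown"


def br_validity_ok(resp: SingleResponse) -> bool:
    """CA side: the response's own validity window must not exceed ten days."""
    if resp.next_update is None:
        return False                   # no bounded lifetime at all
    return resp.next_update - resp.this_update <= BR_MAX_VALIDITY


def br_refresh_ok(this_updates: List[datetime]) -> bool:
    """CA side: successive responses must be produced at most four days apart."""
    ordered = sorted(this_updates)
    return all(b - a <= BR_MAX_REFRESH for a, b in zip(ordered, ordered[1:]))


# Constructed reference time and responses; not captured from the real responder.
NOW = datetime(2014, 8, 20, 12, 0, tzinfo=timezone.utc)


def demo() -> dict:
    # A compliant responder: produced yesterday, valid for a week in total.
    fresh = SingleResponse("revoked", NOW - timedelta(days=1), NOW + timedelta(days=6))
    # The situation in this bug: a "revoked" response produced 12 days ago that the
    # CA still serves because it gave it a 30-day lifetime.
    stale = SingleResponse("revoked", NOW - timedelta(days=12), NOW + timedelta(days=18))
    return {
        "fresh": client_disposition(fresh, NOW),          # "revoked": error is shown
        "stale": client_disposition(stale, NOW),          # "discarded": no error shown
        "fresh_br_ok": br_validity_ok(fresh),             # True
        "stale_br_ok": br_validity_ok(stale),             # False: 30-day lifetime
        "refresh_ok": br_refresh_ok([NOW, NOW + timedelta(days=3), NOW + timedelta(days=5)]),
        "refresh_bad": br_refresh_ok([NOW, NOW + timedelta(days=5)]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes explicit: the client's 10-day cut-off and the CA's 10-day maximum lifetime are meant to coincide, so a CA that issues 30-day responses and only regenerates them occasionally pushes a revocation out of the window the client is prepared to trust, and the client behaves as if it had never seen it.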