Closed
Bug 1120418
Opened 10 years ago
Closed 10 years ago
sec_error_ocsp_unknown_cert error in Firefox only
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 1060112
People
(Reporter: matej.kovacic, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141127110442
Steps to reproduce:
I went to https://vpn.telefoncek.si.
Actual results:
Firefox (v. 34 for Ubuntu, and also a fresh installation of Firefox for Windows) says: Secure Connection Failed
An error occurred during a connection to vpn.telefoncek.si. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert).
Expected results:
Website is working with other browsers (Chrome, Safari, Internet Explorer). SSL Labs test says that HTTPS security is OK: https://www.ssllabs.com/ssltest/analyze.html?d=vpn.telefoncek.si&latest
Comment 1•10 years ago
I don't think chrome uses OCSP. See https://scotthelme.co.uk/certificate-revocation-google-chrome/ for example.
Comment 2•10 years ago (Reporter)
OK, but OCSP response from server says certificate is good. You can check this on SSL Test (URL in first post).
Comment 3•10 years ago
Not sure what's going wrong here. OpenSSL seems happy, as best I can tell, besides:
140735258018656:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
which I think is my own fault... otherwise:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6568874F40750F016A3475625E1F5C93E5A26D58
          Issuer Key Hash: EB4234D098B0AB9FF41B6B08F7CC642EEF0E2C45
          Serial Number: 0501FAE6B4CEE8
    Request Extensions:
        OCSP Nonce:
            0410C37C07584AA1732BD0DBFCC9CC84FF91
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
    Produced At: Jan 16 18:23:57 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 6568874F40750F016A3475625E1F5C93E5A26D58
      Issuer Key Hash: EB4234D098B0AB9FF41B6B08F7CC642EEF0E2C45
      Serial Number: 0501FAE6B4CEE8
    Cert Status: good
    This Update: Jan 16 18:23:57 2015 GMT
    Next Update: Jan 18 18:23:57 2015 GMT

    Signature Algorithm: sha1WithRSAEncryption
etc.
Brian, am I missing something obvious?
Component: Untriaged → Security: PSM
Flags: needinfo?(brian)
OS: Linux → All
Product: Firefox → Core
Hardware: x86_64 → All
Updated•10 years ago
Flags: needinfo?(brian)
Summary: OCSP problems in Firefox only → sec_error_ocsp_unknown_cert error in Firefox only
Updated•10 years ago
Flags: needinfo?(brian)
Comment 4•10 years ago
From what I can see, that site is stapling a response for a certificate with serial number 0x0DD077. The website is using a certificate with serial number 0x0501FAE6B4CEE8. Since there is a stapled response but Firefox can't get any information about the certificate in question, the connection is terminated.
Comment 5•10 years ago
Looks like David figured it out before I could look at it. Assuming David's right, then this should be RESOLVED INVALID as the server is misconfigured. Firefox is intentionally more strict than other browsers with respect to bad stapled OCSP responses, in preparation for must-staple, which requires such stricter checks.
Flags: needinfo?(brian)
Comment 6•10 years ago
One possible improvement here would be to use a different error code for the case where the OCSP response included some CertID, but not the CertID for the cert in question, e.g. ERROR_OCSP_RESPONSE_FOR_WRONG_CERT. Also, it would be better to indicate in the error message presented to the user whether an OCSP-related error is due to a stapled response or a fetched response.
Comment 7•10 years ago
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #6)
> One possible improvement here would be to use a different error code for the
> case where the OCSP response included some CertID, but not the CertID for
> the cert in question, e.g. ERROR_OCSP_RESPONSE_FOR_WRONG_CERT.
Good call. I think that's basically what we were going to do in bug 1060112.
> Also, it
> would be better to indicate in the error message presented to the user
> whether an OCSP-related error is due to a stapled response or a fetched
> response.
Sounds like a good idea - I filed bug 1122775.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
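The following is an added example, not Mozilla or mozilla::pkix code, that models the check behind comments 4 and 6: an RFC 6960 CertID is (hash algorithm, hash of the issuer's DER Name, hash of the issuer's subjectPublicKey, serial number), and a stapled response only covers the server certificate if one of its SingleResponse entries carries exactly that CertID. The issuer bytes are constructed placeholders (so the hashes differ from the real StartCom ones quoted in comment 3); the serial numbers are the two from comment 4. The function names, the "response_for_wrong_cert" outcome and the mapping of outcomes to NSS error codes are this example's own modelling of the behaviour described in the thread, not PSM's actual API.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertID:
    """RFC 6960 CertID: which certificate a SingleResponse speaks about."""
    hash_alg: str          # e.g. "sha1"
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    status: str            # "good", "revoked" or "unknown"


def make_cert_id(issuer_name_der: bytes, issuer_spk: bytes, serial: int,
                 hash_alg: str = "sha1") -> CertID:
    """Build the CertID a client expects for a given leaf certificate."""
    digest = lambda data: hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, digest(issuer_name_der), digest(issuer_spk), serial)


def evaluate_stapled_response(expected: CertID,
                              stapled: Optional[List[SingleResponse]]) -> str:
    """Outcome of matching a stapled OCSP response against the leaf's CertID.

    "no_staple"               no response was stapled; the client may fetch one
    "good"/"revoked"/"unknown" status of the SingleResponse whose CertID matched
    "response_for_wrong_cert" the response carries CertIDs, none for this cert
                              (the case comment 6 proposes a distinct error for)
    "empty_response"          a staple with no SingleResponse at all
    """
    if stapled is None:
        return "no_staple"
    if not stapled:
        return "empty_response"
    for single in stapled:
        # All four CertID fields must agree; a different serial alone is a miss.
        if single.cert_id == expected:
            return single.status
    return "response_for_wrong_cert"


def firefox34_error_code(outcome: str) -> Optional[str]:
    """How the thread describes Firefox 34 surfacing each outcome.

    A stapled response that does not cover the leaf ends up as
    SEC_ERROR_OCSP_UNKNOWN_CERT, indistinguishable from a genuine
    'unknown' status (the ambiguity comments 6 and 7 discuss).
    Returns None when the handshake may proceed.
    """
    fatal = {
        "revoked": "SEC_ERROR_REVOKED_CERTIFICATE",
        "unknown": "SEC_ERROR_OCSP_UNKNOWN_CERT",
        "response_for_wrong_cert": "SEC_ERROR_OCSP_UNKNOWN_CERT",
        "empty_response": "SEC_ERROR_OCSP_UNKNOWN_CERT",
    }
    return fatal.get(outcome)


# Constructed sample data (hypothetical issuer bytes; serials from comment 4).
ISSUER_NAME_DER = b"\x30\x10constructed-issuer-name"
ISSUER_SPK = b"\x03\x10constructed-issuer-pubkey"
SITE_SERIAL = 0x0501FAE6B4CEE8      # certificate actually served by the site
STAPLED_SERIAL = 0x0DD077           # certificate the stapled response was for

SITE_CERT_ID = make_cert_id(ISSUER_NAME_DER, ISSUER_SPK, SITE_SERIAL)
STAPLED_FOR_WRONG_CERT = [
    SingleResponse(make_cert_id(ISSUER_NAME_DER, ISSUER_SPK, STAPLED_SERIAL), "good"),
]


def demo() -> str:
    """Reproduce the misconfiguration from this bug and report the outcome."""
    outcome = evaluate_stapled_response(SITE_CERT_ID, STAPLED_FOR_WRONG_CERT)
    code = firefox34_error_code(outcome)
    return f"outcome={outcome} error={code}"


if __name__ == "__main__":
    print(demo())
```

The useful property to observe is that the stapled response is syntactically valid and signed (OpenSSL in comment 3 was happy with it), yet carries a CertID for a different serial, so a strict client must treat it as giving no status for the leaf rather than accepting the "good" it contains; a lenient client that skips OCSP entirely never notices the mismatch, which is why Chrome loaded the site.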