Closed Bug 1120418 Opened 10 years ago Closed 10 years ago

sec_error_ocsp_unknown_cert error in Firefox only

Categories: Core :: Security: PSM (defect)
Version: 34 Branch
Priority: Not set
Severity: normal
Resolution: RESOLVED DUPLICATE of bug 1060112
Reporter: matej.kovacic
Assignee: Unassigned

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141127110442

Steps to reproduce:
I went to https://vpn.telefoncek.si.

Actual results:
Firefox (v. 34 for Ubuntu, and a fresh installation of Firefox for Windows as well) says:

Secure Connection Failed
An error occurred during a connection to vpn.telefoncek.si. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)

Expected results:
The website works with other browsers (Chrome, Safari, Internet Explorer). The SSL Labs test says that HTTPS security is OK: https://www.ssllabs.com/ssltest/analyze.html?d=vpn.telefoncek.si&latest
I don't think Chrome uses OCSP. See https://scotthelme.co.uk/certificate-revocation-google-chrome/ for example.
OK, but OCSP response from server says certificate is good. You can check this on SSL Test (URL in first post).
Not sure what's going wrong here. OpenSSL seems happy, as best I can tell, besides:

140735258018656:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate

which I think is my own fault... otherwise:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6568874F40750F016A3475625E1F5C93E5A26D58
          Issuer Key Hash: EB4234D098B0AB9FF41B6B08F7CC642EEF0E2C45
          Serial Number: 0501FAE6B4CEE8
    Request Extensions:
        OCSP Nonce:
            0410C37C07584AA1732BD0DBFCC9CC84FF91
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
    Produced At: Jan 16 18:23:57 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 6568874F40750F016A3475625E1F5C93E5A26D58
      Issuer Key Hash: EB4234D098B0AB9FF41B6B08F7CC642EEF0E2C45
      Serial Number: 0501FAE6B4CEE8
    Cert Status: good
    This Update: Jan 16 18:23:57 2015 GMT
    Next Update: Jan 18 18:23:57 2015 GMT
    Signature Algorithm: sha1WithRSAEncryption
    etc.

Brian, am I missing something obvious?
Component: Untriaged → Security: PSM
Product: Firefox → Core
OS: Linux → All
Hardware: x86_64 → All
Summary: OCSP problems in Firefox only → sec_error_ocsp_unknown_cert error in Firefox only
Flags: needinfo?(brian)
From what I can see, that site is stapling a response for a certificate with serial number 0x0DD077. The website is using a certificate with serial number 0x0501FAE6B4CEE8. Since there is a stapled response but Firefox can't get any information about the certificate in question, the connection is terminated.
Looks like David figured it out before I could look at it. Assuming David's right, then this should be RESOLVED INVALID as the server is misconfigured. Firefox is intentionally more strict than other browsers with respect to bad stapled OCSP responses, in preparation for must-staple, which requires such stricter checks.
One possible improvement here would be to use a different error code for the case where the OCSP response included some CertID, but not the CertID for the cert in question, e.g. ERROR_OCSP_RESPONSE_FOR_WRONG_CERT. Also, it would be better to indicate in the error message presented to the user whether an OCSP-related error is due to a stapled response or a fetched response.
(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #6)
> One possible improvement here would be to use a different error code for the
> case where the OCSP response included some CertID, but not the CertID for
> the cert in question, e.g. ERROR_OCSP_RESPONSE_FOR_WRONG_CERT.

Good call. I think that's basically what we were going to do in bug 1060112.

> Also, it
> would be better to indicate in the error message presented to the user
> whether an OCSP-related error is due to a stapled response or a fetched
> response.

Sounds like a good idea - I filed bug 1122775.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE