Closed Bug 1151308 Opened 9 years ago Closed 9 years ago

secure connection failed on www.firefox.net.cn due to issues with StartCom OCSP responders

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1151270

People

(Reporter: c.levin, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150405004004

Steps to reproduce:

Trying to visit www.firefox.com.cn, one of the most trusted Firefox communities in China for 10+ years


Actual results:

secure connection failed


Expected results:

page should display

I know Mozilla is recently following Google in revoking CNNIC's certificate. I strongly urge Mozilla to do some real-world tests to see the fallout of this, and to be very careful in doing this.

At minimum, there should be a button for "visit anyway" on the error page.

WFM with FF40. Did you test with a clean profile?
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
Flags: needinfo?(c.levin)

(In reply to cris from comment #1)
> I know Mozilla recently following Google in revoking CNNIC's certificate. I
> strongly urge mozilla do some real world test to see the fallout of this,
> and be very careful in doing this.
> 
> At minimum, there should be a button for "visit anyway" on the error page.

FWIW, I don't think that any code changes have actually been made to do this (although I might have just missed it).

WFM for me as well.

Note that the site actually uses StartCom certs: https://www.ssllabs.com/ssltest/analyze.html?d=firefox.net.cn

Was the exact error you encountered sec_error_ocsp_unknown_cert? If so, this was an issue with the StartCom OCSP responders that affected several (many?) sites, and has been resolved (see Bug 1151270).

(In reply to Cykesiopka from comment #3)
> FWIW, I don't think that any code changes have actually been made to do this

... at this point.

It's been nearly a month without a response to the needinfo request, so I'm going to assume that my theory in comment 4 was correct.

With regards to comment 3, restricting CNNIC to a whitelist was done in Bug 1151512, which landed more than a week after this bug was filed.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(c.levin)
Resolution: --- → DUPLICATE
Summary: secure connection failed on trusted chinese website, e.g., https://www.firefox.net.cn/ → secure connection failed on www.firefox.net.cn due to issues with StartCom OCSP responders
Component: Untriaged → Security: PSM
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86_64 → All
Version: 39 Branch → unspecified