Closed Bug 1151308 Opened 10 years ago Closed 10 years ago

secure connection failed on www.firefox.net.cn due to issues with StartCom OCSP responders

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1151270

People

(Reporter: c.levin, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150405004004

Steps to reproduce:
Trying to visit www.firefox.com.cn, one of the most trusted Firefox communities in China for 10+ years.

Actual results:
Secure connection failed.

Expected results:
Page should display.

I know Mozilla recently followed Google in revoking CNNIC's certificate. I strongly urge Mozilla to do some real-world tests to see the fallout of this, and to be very careful in doing this. At minimum, there should be a button for "visit anyway" on the error page.
Flags: needinfo?(c.levin)
(In reply to cris from comment #1)
> I know Mozilla recently following Google in revoking CNNIC's certificate. I
> strongly urge mozilla do some real world test to see the fallout of this,
> and be very careful in doing this.
>
> At minimum, there should be a button for "visit anyway" on the error page.

FWIW, I don't think that any code changes have actually been made to do this (although I might have just missed it).
WFM for me as well. Note that the site actually uses StartCom certs: https://www.ssllabs.com/ssltest/analyze.html?d=firefox.net.cn Was the exact error you encountered sec_error_ocsp_unknown_cert? If so, this was an issue with the StartCom OCSP responders that affected several (many?) sites, and has been resolved (see Bug 1151270).
(In reply to Cykesiopka from comment #3)
> FWIW, I don't think that any code changes have actually been made to do this

... at this point.
It's been nearly a month without a response to the needinfo request, so I'm going to assume that my theory in comment 4 was correct. With regards to comment 3, restricting CNNIC to a whitelist was done in Bug 1151512, which landed more than a week after this bug was filed.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(c.levin)
Resolution: --- → DUPLICATE
Summary: secure connection failed on trusted chinese website, e.g., https://www.firefox.net.cn/ → secure connection failed on www.firefox.net.cn due to issues with StartCom OCSP responders
Component: Untriaged → Security: PSM
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86_64 → All
Version: 39 Branch → unspecified