Closed
Bug 1321273
Opened 8 years ago
Closed 8 years ago
OCSP error prevent to access the website - SEC_ERROR_OCSP_TRY_SERVER_LATER
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
DUPLICATE
of bug 1028534
People
(Reporter: rhubscher, Unassigned)
Details
When trying to access https://café-vie-privée.fr/ I get a SEC_ERROR_OCSP_TRY_SERVER_LATER which prevent me for accessing the website.
If I try with wget, curl or chromium I don't have any error.
I guess we should not block on OCSP error but rather fallback to the CRL file and then to a degraded SSL access but we should not prevent the user to access the website in that specific case.
|
||
Comment 1•8 years ago
|
||
I'm pretty sure that we don't default to strict OCSP enforcement. I can access the website in question fine on my default profile - but maybe the problem was intermittent? Did you check whether this was a result of strict settings you enabled?
(In reply to Rémy Hubscher (:natim) from comment #0)
> I guess we should not block on OCSP error but rather fallback to the CRL
> file and then to a degraded SSL access but we should not prevent the user to
> access the website in that specific case.
What is "degraded SSL access" ?
Component: General → Security: PSM
Flags: needinfo?(rhubscher)
Product: Firefox → Core
|
|
||
Comment 2•8 years ago
|
||
(See also e.g. bug 1028534 - Chrome doesn't do any OCSP checking which explains the different behaviour.)
|
Reporter | |
Comment 3•8 years ago
|
||
> I can access the website in question fine
Yes it is back as well on my side.
> What is "degraded SSL access" ?
Something that uses the SSL certificate to encrypt the connection but display a warning and a red or orange lock instead of the green one telling that the certificate revocation server couldn't be reached for instance.
Flags: needinfo?(rhubscher)
|
||
Comment 4•8 years ago
|
||
This can happen if the site staples an OCSP response that contains the "try later" code. We could definitely improve the UI of the error page, but we're probably not going to make this an overridable error.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
|
|
Reporter | |
Comment 5•8 years ago
|
||
> but we're probably not going to make this an overridable error.
I don't understand why?
|
|
||
Comment 6•8 years ago
|
||
One reason is the specification requires it ( https://tools.ietf.org/html/rfc6066 bottom of section 8). My understanding is part of the aim of that requirement was to transition from soft-fail OCSP fetching (which is fairly useless from a security standpoint) to hard-fail opt-in to OCSP checks (via stapling, which still has some problems), that could then be augmented with some sort of expect-stapling mechanism, which would actually enable sites to opt-in to meaningful revocation checking.
You need to log in
before you can comment on or make changes to this bug.
Description
•