Open Bug 1380420 Opened 8 years ago Updated 3 years ago

Improve the MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error message

Categories

(Core :: Security: PSM, defect, P3)

56 Branch
defect


UNCONFIRMED

People

(Reporter: warp9pnt9, Unassigned)

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0.2 Waterfox/52.0.2
Build ID: 20170412235751

Steps to reproduce:

Enter site in location bar: https://www.beamdog.com/

Actual results:

Mozilla Firefox error page (below).

Secure Connection Failed

An error occurred during a connection to www.beamdog.com. The OCSP response does not include a status for the certificate being verified.

Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

Expected results:

Web site should have loaded HTML page and all dependencies.
Don't know scope of problem so marking Security as a precaution. Contacted website support and was told to (paraphrased): Use another browser as my trust in Mozilla is unwarranted and not based in reality, and that they would [presumably based on dismissive position] take no steps to diagnose or make any attempt whatsoever to resolve on their end (server/certificates). I found that somewhat offensive and rather unhelpful and uncooperative in terms of figuring out what the problem is. If anyone can shed light on further diagnostic steps, determine if this bug is a duplicate, a regression, etc., it would be much appreciated.
This doesn't need to stay hidden. Jonathan, do you know what's up here? Is there a malformed stapled OCSP response or something?
Group: firefox-core-security
Flags: needinfo?(jkt)
Component: Untriaged → Security: PSM
Product: Firefox → Core
The server is misconfigured. It's stapling an OCSP response for a certificate with serial number 15569252438517523351 while the certificate being used by the server has the serial number 1866525106972119737.
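The check behind comment 3, as an added example that is not part of this bug and is not Mozilla or Beamdog code: the script below uses openssl to build a throwaway test CA, issues two leaf certificates with known serial numbers, has openssl act as an offline OCSP responder to produce a signed response for one of them, and then compares the serial number inside the response's CertID with the serial of the certificate a server would actually present. A response whose CertID names a different serial is exactly the "no status for the certificate being verified" condition. Every name, serial number, file name and the CA database contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report or from Mozilla: reproduce the
# misconfiguration described in comment 3 with a throwaway PKI, then check
# whether a stapled OCSP response actually covers the served certificate.
# Every name, serial and path below is constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway test CA (P-256 key to keep generation fast).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -sha256 -days 30 -subj "/CN=Demo Test CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# Issue a leaf certificate with a chosen serial number.  $1 = name, $2 = serial.
issue_leaf() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -subj "/CN=$1.example" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
    -days 30 -sha256 -out "$1.pem" >/dev/null 2>&1
}
issue_leaf served  4097   # 0x1001: the cert the TLS server sends
issue_leaf stapled 8193   # 0x2001: the cert the staple was fetched for

# Minimal CA database so "openssl ocsp" can act as the responder offline.
# Columns: status, expiry, revocation date, serial (hex), file, subject.
printf 'V\t401231235959Z\t\t1001\tunknown\t/CN=served.example\n'  >  index.txt
printf 'V\t401231235959Z\t\t2001\tunknown\t/CN=stapled.example\n' >> index.txt

# The "staple": a signed OCSP response whose CertID names the *wrong* cert.
openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
  -issuer ca.pem -cert stapled.pem -noverify -respout staple.der >/dev/null 2>&1

# Serial numbers named in the response's CertID(s), as uppercase hex.
# The pattern deliberately skips "Serial Number:" lines of certificates
# embedded in the response, which openssl prints in a different layout.
ocsp_serials() {
  openssl ocsp -respin "$1" -text -noverify 2>/dev/null \
    | sed -n 's/^ *Serial Number: *\([0-9A-F][0-9A-F]*\)$/\1/p'
}

# Serial number of a PEM certificate, in the same hex format.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Succeeds when the response carries a status for the given cert's serial.
# A failure here is the condition Firefox reports as
# MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING.  $1 = response, $2 = cert.
staple_covers_cert() {
  ocsp_serials "$1" | grep -qx "$(cert_serial "$2")"
}

# The same lookup done by openssl itself (CertID built from issuer + cert);
# it prints "ERROR: No Status found." when the response does not cover the cert.
openssl_status() {
  openssl ocsp -respin "$1" -issuer ca.pem -cert "$2" -noverify 2>/dev/null
}

if staple_covers_cert staple.der served.pem; then
  echo "staple covers the served certificate"
else
  echo "MISCONFIGURED: staple is for serial $(ocsp_serials staple.der | head -n 1)," \
       "but the server presents serial $(cert_serial served.pem)"
fi
openssl_status staple.der served.pem || true
```

Against a live server the same comparison works on the real staple: `openssl s_client -connect host:443 -servername host -status` prints the stapled response in the same text form, so its `Serial Number:` line can be checked against the `serial=` output of `openssl x509` for the certificate the server sent. As the error text in comment 0 shows, Firefox treats a staple that lacks a status for the presented certificate as a hard failure rather than ignoring it, so the fix belongs on the server: staple the response fetched for the certificate actually being served, and refresh it whenever that certificate is rotated.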
Bowing to :keeler and others like mgoodwin or ttaubert who will likely know much more than I. I will say however this looks like a candidate for an improved error message though, closer to what Keeler's comment was.
Flags: needinfo?(jkt)
It would be great to be able to give a more informative message like comment 3, but there's a lot of engineering work between here and there (basically, this relies on a full implementation of a js x509/ocsp/etc. decoder coupled with a linting kind of system and all the glue to get the appropriate information from the backend to the about:certerror page).
Priority: -- → P3
Whiteboard: [psm-backlog]
Dana, does this still happen? Thanks. Or can we just wontfix it?
Flags: needinfo?(dkeeler)
Summary: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING → Improve the MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error message
The work hasn't been scheduled, but it's still something we'd like to do.
Flags: needinfo?(dkeeler)
Severity: normal → S3