Closed Bug 1489411 Opened Last year Closed Last year
Stapled OCSP response with SHA256 used in CertID causes MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

We have the following setup: Firefox -> F5 Balancer -> Web Server. The balancer is configured to terminate the SSL connection and perform OCSP stapling.

Actual results:

When the stapled OCSP response sent by the balancer contained a CertID constructed with SHA256, Firefox refused to connect with the MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error, despite the fact that the stapled OCSP response was valid and correct. We then reconfigured the balancer to use SHA1 instead of SHA256. When the stapled OCSP response sent by the balancer contained a CertID constructed with SHA1, Firefox connected successfully.

Expected results:

It would be nice if Firefox could accept a stapled OCSP response when the CertID is constructed with a hash algorithm other than SHA1 (SHA256, SHA512, etc.).
Can you please tell where F5 Balancer can be found in Firefox? I am not sure if I can reproduce the issue. This bug looks like it could belong to the networking component, so I will mark it accordingly for further triage.
Component: Untriaged → Networking
Product: Firefox → Core
Currently only sha1 is supported in the CertID field.
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Resolution: --- → DUPLICATE
Duplicate of bug: 966856
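As an added check, not part of this bug report or of Firefox's own code: a small pure-Python DER walker that reports the hashAlgorithm used in every CertID of a DER-encoded OCSP response (the full OCSPResponse as stapled, or just the BasicOCSPResponse), so an operator can confirm what the balancer is actually stapling before reconfiguring it. The SingleResponse sample and its dummy hashes and serial number are constructed here; the OID constants are the standard SHA-1 and SHA-2 identifiers from RFC 6960 and RFC 4055.

```python
# DER-encoded hash OIDs permitted in CertID.hashAlgorithm (RFC 6960 section 4.1.1).
SHA1_OID = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26
SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1
HASH_OIDS = {SHA1_OID: "sha1", SHA256_OID: "sha256",
             bytes.fromhex("608648016503040202"): "sha384",   # 2.16.840.1.101.3.4.2.2
             bytes.fromhex("608648016503040203"): "sha512"}   # 2.16.840.1.101.3.4.2.3

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0                                   # (tag, value) pairs of a constructed element
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def certid_hash_algorithms(der):
    """Name of the hash algorithm in every CertID found anywhere inside `der`."""
    found = []
    def walk(tag, value):
        # Descend into constructed elements and into primitives that wrap DER
        # (an OCSPResponse carries its BasicOCSPResponse inside an OCTET STRING).
        if not (tag & 0x20 or value[:1] == b"\x30"):
            return
        try:
            kids = _children(value)
        except (IndexError, ValueError):
            return                                     # opaque bytes, not DER
        # CertID ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING, OCTET STRING, INTEGER }
        if tag == 0x30 and [t for t, _ in kids] == [0x30, 0x04, 0x04, 0x02]:
            alg = _children(kids[0][1])
            if alg and alg[0][0] == 0x06:
                found.append(HASH_OIDS.get(alg[0][1], "unknown"))
        for kid in kids:
            walk(*kid)
    walk(*_read_tlv(der, 0)[:2])
    return found

def _tlv(tag, content):                                # tiny DER encoder, short-form lengths only
    return bytes([tag, len(content)]) + content

def sample_single_response(hash_oid, hash_len):
    """Constructed SingleResponse whose CertID uses `hash_oid`; hashes and serial are dummies."""
    cert_id = _tlv(0x30, _tlv(0x30, _tlv(0x06, hash_oid) + b"\x05\x00")
                   + _tlv(0x04, b"\xaa" * hash_len) + _tlv(0x04, b"\xbb" * hash_len)
                   + _tlv(0x02, b"\x01\x02\x03"))
    return _tlv(0x30, cert_id + b"\x80\x00" + _tlv(0x18, b"20180901120000Z"))
```

Feed it the bytes from the TLS status_request extension (for example, the DER written out by `openssl s_client -status`) and a result of `["sha256"]` rather than `["sha1"]` explains the error this bug describes.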