Closed Bug 1489411 Opened Last year Closed Last year

Stapled OCSP response with SHA256 used in CertID causes MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING

Categories

(Core :: Security: PSM, defect)

61 Branch
defect

RESOLVED DUPLICATE of bug 966856

People

(Reporter: jaroslav.imrich, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

We have the following setup:

Firefox -> F5 Balancer -> Web Server

Balancer is configured to terminate SSL connection and perform OCSP stapling.


Actual results:

When the stapled OCSP response sent by the balancer contained a CertID constructed with SHA256, Firefox refused to connect, with the MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error, despite the fact that the stapled OCSP response was valid and correct.

We then reconfigured balancer to use SHA1 instead of SHA256.

When the stapled OCSP response sent by the balancer contained a CertID constructed with SHA1, Firefox connected successfully.


Expected results:

It would be nice if Firefox could accept a stapled OCSP response when the CertID is constructed with a hash algorithm other than SHA1 (SHA256, SHA512, etc.)

Can you please tell where F5 Balancer can be found in Firefox? I am not sure if I can reproduce the issue.

This bug looks like it could belong to the networking component, so I will mark it accordingly for further triage.
Component: Untriaged → Networking
Flags: needinfo?(jaroslav.imrich)
Product: Firefox → Core
Component: Networking → Security: PSM
Currently only sha1 is supported in the CertID field.
Status: UNCONFIRMED → RESOLVED
Closed: Last year
Flags: needinfo?(jaroslav.imrich)
Resolution: --- → DUPLICATE
Duplicate of bug: 966856
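
The mismatch discussed in this bug, as an added example that is not part of the original thread and is not Firefox or mozilla::pkix code: a CertID carries the digest algorithm together with hashes of the issuer name and issuer key, so a client that only recognises SHA-1 finds no matching entry in a valid SHA-256 response. The function names and sample inputs are hypothetical and constructed for illustration.

```python
import hashlib
from typing import NamedTuple

# CertID.hashAlgorithm OIDs (RFC 6960 CertID uses an AlgorithmIdentifier).
OID_SHA1, OID_SHA256 = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1"
DIGESTS = {OID_SHA1: hashlib.sha1, OID_SHA256: hashlib.sha256}

class CertID(NamedTuple):
    hash_oid: str
    issuer_name_hash: bytes   # hash of the issuer's DER-encoded Name
    issuer_key_hash: bytes    # hash of the issuer's public key bits
    serial: int               # serial number of the certificate being checked

def make_cert_id(hash_oid, issuer_name_der, issuer_key_bits, serial):
    """Build the CertID a responder would emit for the given digest."""
    h = DIGESTS[hash_oid]
    return CertID(hash_oid, h(issuer_name_der).digest(),
                  h(issuer_key_bits).digest(), serial)

def match_sha1_only(cert_id, issuer_name_der, issuer_key_bits, serial):
    """Hypothetical client that only understands SHA-1 CertIDs."""
    if cert_id.hash_oid != OID_SHA1:
        return False  # a valid response is treated as not covering this cert
    return cert_id == make_cert_id(OID_SHA1, issuer_name_der, issuer_key_bits, serial)

def match_any_digest(cert_id, issuer_name_der, issuer_key_bits, serial):
    """Hypothetical client that recomputes with the digest the responder named."""
    if cert_id.hash_oid not in DIGESTS:
        return False  # unknown digest: cannot recompute, so no match
    return cert_id == make_cert_id(cert_id.hash_oid, issuer_name_der,
                                   issuer_key_bits, serial)

# Constructed sample inputs (not taken from the bug report).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form DER length only

ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03")
                                          + tlv(0x0C, b"Example Issuing CA"))))
ISSUER_KEY = bytes(range(65))   # stand-in for the issuer's public key bits
SERIAL = 0x1234ABCD

if __name__ == "__main__":
    for oid in (OID_SHA1, OID_SHA256):
        cid = make_cert_id(oid, ISSUER_NAME, ISSUER_KEY, SERIAL)
        print(oid, match_sha1_only(cid, ISSUER_NAME, ISSUER_KEY, SERIAL),
              match_any_digest(cid, ISSUER_NAME, ISSUER_KEY, SERIAL))
```

Both matchers still reject a CertID whose serial number or issuer hashes differ, so accepting more digests does not loosen which certificate a response is bound to.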