Closed
Bug 158818
(ocsp8063)
Opened 23 years ago
Closed 23 years ago
ocsp validation gives 8063 error
Categories
(Core Graveyard :: Security: UI, defect, P2)
Tracking
(Not tracked)
VERIFIED
INVALID
psm2.3
People
(Reporter: kumar.thangavelu, Assigned: ssaux)
From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; SunOS 5.6 sun4u)
BuildID: 2002052306
After enabling OCSP validation in Mozilla by selecting the option to contact the
OCSP responder specified in the AIA extension of the certificate, the browser
gives the -8063 error on contacting the ocsp responder.
Reproducible: Always
Steps to Reproduce:
1. Use the browser to validate a server certificate through an OCSP responder
Actual Results: The browser gives the error
Error trying to validate certificate from
insn046a.idc.oracle.com using OCSP - currupted or unknown response. Error code
8063
Expected Results: The browser should have either
- established an https connection to the site if the certificate was valid
- given an explicit invalid/unknown certificate message
Reporter
Updated•23 years ago
Alias: ocsp8063
->PSM
Component: Networking → Client Library
Product: Browser → PSM
Version: other → 1.01
Comment 2•23 years ago
qa > junruh
Assignee: new-network-bugs → ssaux
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: benc → junruh
Version: 1.01 → 2.3
Assignee
Comment 3•23 years ago
SEC_ERROR_OCSP_MALFORMED_RESPONSE = (SEC_ERROR_BASE + 129)
If the ocsp response is invalid, and you've chosen to use OCSP, then the correct
thing to do is give that error. The cert is not valid if we can't establish that
it is valid. Unknown would mean that there isn't an AIA extension in the cert.
If there is one, we must treat it as expecting a valid response. Otherwise
you'd be able to defeat ocsp.
The current results are expected.
This bug is invalid.
Status: NEW → RESOLVED
Closed: 23 years ago
Priority: -- → P2
Resolution: --- → INVALID
Target Milestone: --- → 2.3
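The fail-closed rule described in Comment 3, as an added sketch that is not part of the bug thread and is not NSS or PSM code: it checks only the outer DER envelope of an OCSPResponse and rejects anything that does not parse. `SEC_ERROR_BASE` is the value from NSS's `secerr.h` and the `+ 129` offset is the line quoted above; `ocsp_envelope_check`, the other result codes and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>

#define SEC_ERROR_BASE (-0x2000)                                 /* from NSS secerr.h */
#define SEC_ERROR_OCSP_MALFORMED_RESPONSE (SEC_ERROR_BASE + 129) /* line quoted in Comment 3 */
/* Hypothetical result codes for this sketch, not NSS values: */
#define OCSP_ENVELOPE_OK     0     /* go on to signature and certStatus checks */
#define OCSP_NOT_CHECKED     1     /* OCSP off, or no AIA responder in the cert */
#define OCSP_RESPONDER_ERROR (-1)  /* well-formed, but responseStatus != successful */

/* Read one DER tag+length header at *p; return the content length or -1. */
static long der_header(const unsigned char **p, const unsigned char *end, unsigned char tag)
{
    if (end - *p < 2 || (*p)[0] != tag) return -1;
    unsigned long len = (*p)[1];
    *p += 2;
    if (len & 0x80) {                      /* long form: next n bytes hold the length */
        unsigned n = len & 0x7f;
        if (n == 0 || n > 3 || (size_t)(end - *p) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *(*p)++;
    }
    return len > (unsigned long)(end - *p) ? -1 : (long)len;
}

/* Fail closed: once OCSP is on and the cert names a responder, only a
   well-formed "successful" envelope lets validation continue. */
int ocsp_envelope_check(int ocsp_enabled, int has_aia, const unsigned char *buf, size_t n)
{
    if (!ocsp_enabled || !has_aia) return OCSP_NOT_CHECKED;
    const unsigned char *p = buf, *end = buf + n;
    long seq = der_header(&p, end, 0x30);          /* OCSPResponse ::= SEQUENCE */
    if (seq < 0 || p + seq != end) return SEC_ERROR_OCSP_MALFORMED_RESPONSE;
    if (der_header(&p, end, 0x0A) != 1) return SEC_ERROR_OCSP_MALFORMED_RESPONSE; /* responseStatus */
    if (*p++ != 0) return OCSP_RESPONDER_ERROR;    /* 0 = successful */
    long rb = der_header(&p, end, 0xA0);           /* responseBytes [0] EXPLICIT */
    if (rb <= 0 || p + rb != end) return SEC_ERROR_OCSP_MALFORMED_RESPONSE;
    return OCSP_ENVELOPE_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const unsigned char GOOD[] = {0x30,0x0A, 0x0A,0x01,0x00, 0xA0,0x05, 0x30,0x03,0x06,0x01,0x00};
static const unsigned char HTML[] = "<html>502 Bad Gateway</html>";
int main(void)
{
    printf("good:      %d\n", ocsp_envelope_check(1, 1, GOOD, sizeof GOOD));
    printf("truncated: %d\n", ocsp_envelope_check(1, 1, GOOD, sizeof GOOD - 3));
    printf("html page: %d\n", ocsp_envelope_check(1, 1, HTML, sizeof HTML - 1));
    printf("no AIA:    %d\n", ocsp_envelope_check(1, 0, HTML, sizeof HTML - 1));
    return 0;
}
```

A truncated body or an HTML error page returned in place of the response both come back as the reporter's 8063 code, while the same bytes are never examined when the certificate names no responder.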
Assignee
Comment 5•22 years ago
Cc Julien to comment on what triggers NSS to report a malformed OCSP response.
Comment 6•22 years ago
20020523 is a really old build. OCSP fixes were made a long time ago. Please
pick up a recent build and try again.
See bugs http://bugzilla.mozilla.org/show_bug.cgi?id=130885 and
http://bugzilla.mozilla.org/show_bug.cgi?id=141256 .
Updated•8 years ago
Product: Core → Core Graveyard