Open Bug 1639914 Opened 3 months ago Updated 1 month ago

SEC_ERROR_OCSP_SERVER_ERROR with most https websites when security.OCSP.require is set to true and a https .pac file is used


(Core :: Security: PSM, defect, P3)

76 Branch



Tracking Status
firefox78 --- affected


(Reporter: vincent-moz, Unassigned)


(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

  1. Start Firefox with a new profile (via "firefox -P").

  2. In Preferences → General → Network Settings, set "Automatic proxy configuration URL" and enter

  3. In about:config, toggle security.OCSP.require to true.

  4. Quit Firefox.

  5. Start Firefox with the same profile.

  6. Open the URL or

Actual results:

I get a connection failure, e.g.

Secure Connection Failed

An error occurred during a connection to The OCSP
server experienced an internal error.


Expected results:

I should get the web page.

Note: If I download and use the local version (with a "file:" URL) instead of the https URL, and restart Firefox, then everything works fine!

Note: This .pac file contains a FindProxyForURL function that returns a proxy for some particular domains (not including, and this proxy requires authentication. But with the above test, the function should always return "DIRECT". And indeed, its use as a "file:" URL shows that everything is OK.

I was able to reproduce this issue on latest Nightly version 78.0a1 (2020-05-28) on Ubuntu 18.04. I'll change flags accordingly.

Component: Untriaged → Security: PSM
Ever confirmed: true
Product: Firefox → Core

If you wait a bit for the pac to load before loading google/bugzilla, does it work?

Flags: needinfo?(vincent-moz)

It doesn't: If I wait 1 minute after starting Firefox, I get the error. And if I wait another minute before loading another web page, I still get an error.

Flags: needinfo?(vincent-moz)

From what I can tell, the proxy auto-config never seems to think it's done, so the call to GetIsPACLoading in always returns true, so DoOCSPRequest always returns an error.

Component: Security: PSM → Networking

Nhi, can you find someone to look into this?

Severity: -- → S3
Flags: needinfo?(nhnguyen)
Priority: -- → P2
Whiteboard: [necko-triaged]
Assignee: nobody → honzab.moz
Flags: needinfo?(nhnguyen)

We are killing the PAC request (it's HTTPS) because we are trying to do OCSP for it. This is a known bug, actually.

2020-06-28 17:39:36.738 ⁃ nsHttpChannel ⁃ 1de6f3de000 ⁃ released ⁃ status=805a1f87 ⁃ http-status=n/a ⁃ url=


I think the proper fix is to have a flag on the PAC channel to go with a separate connection that will bypass OCSP even when forced by the pref. This is for a non-standard pref value in PSM.

I'm moving back to PSM and lowering the priority, although, some of the work may actually happen in Necko, too.

Component: Networking → Security: PSM
Priority: P2 → P3
Assignee: honzab.moz → nobody

I think in CertVerifier::VerifyCert we should propagate the information whether this is bound to a PAC request or not.

 	xul.dll!mozilla::psm::CertVerifier::VerifyCert(0x000001a512847820, 2, {...}, 0x000001a51286d6a0, 0x000001a50b8799e8, {...}, 0, {...}, {...}, {...}, {...}, 0x000000451170ee6c, 0x000000451170f0ec, 0x000000451170f0e8, 0x000000451170f0e4, 0x000000451170f0c8, 0x000000451170f040, 0x000000451170f0a0) Line 533	C++
 	xul.dll!mozilla::psm::CertVerifier::VerifySSLServerCert({...}, {...}, 0x000001a51286d6a0, {...}, {...}, 0, {...}, {...}, {...}, {...}, {...}, , 0x000000451170f074, 0x000000451170f0ec, 0x000000451170f0e8, 0x000000451170f0e4, 0x000000451170f0c8, 0x000000451170f040, 0x000000451170f0a0, 0x000000451170f03f) Line 928	C++
 	[Inline Frame] xul.dll!mozilla::psm::`anonymous namespace'::AuthCertificate(, 0x000001a51286d6a0, {...}, {...}, {...}, {...}, {...}, {...}, {...}, 247141464, {...}, 247141440, , , , ) Line 1108	C++
>	xul.dll!mozilla::psm::SSLServerCertVerificationJob::Run() Line 1306	C++
 	xul.dll!nsThreadPool::Run() Line 301	C++
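The dependency loop this thread describes, as an added model in C++ (it is not Gecko code): the https PAC fetch needs certificate verification, forced OCSP needs proxy resolution, and proxy resolution needs the PAC. NetState, LoadPageAfterPac and the isPACChannel flag are hypothetical stand-ins for the Gecko state and the per-channel flag proposed above; DoOCSPRequest and VerifyCert only mimic the behaviour the comments attribute to those functions.

```cpp
// Added model of the PAC/OCSP dependency loop described in this bug; not Gecko code.
// Names such as NetState, LoadPageAfterPac and isPACChannel are hypothetical stand-ins.
enum class Result { Ok, OcspServerError };   // stand-in for SEC_ERROR_OCSP_SERVER_ERROR

struct NetState {
    bool pacLoading;     // what GetIsPACLoading() reports: true until the PAC fetch finishes
    bool ocspRequired;   // security.OCSP.require
};

// Models DoOCSPRequest: the OCSP fetch needs proxy resolution, and while the
// PAC is still loading it fails instead of waiting (see the comment above).
Result DoOCSPRequest(const NetState& s) {
    return s.pacLoading ? Result::OcspServerError : Result::Ok;
}

// Models VerifyCert with the proposed per-channel flag: the PAC fetch itself
// skips the forced OCSP check so the loop can bootstrap.
// Caveat: a channel carrying this flag gets no hard revocation check, so
// only the PAC channel should ever set it.
Result VerifyCert(const NetState& s, bool isPACChannel) {
    if (!s.ocspRequired) return Result::Ok;   // default soft-fail: OCSP errors are tolerated
    if (isPACChannel) return Result::Ok;      // proposed bypass, PAC channel only
    return DoOCSPRequest(s);
}

// Simulates startup: load the PAC (over https or from a file: URL), then load
// an ordinary https page. Returns what the page load sees.
Result LoadPageAfterPac(bool pacOverHttps, bool ocspRequired, bool fixApplied) {
    NetState s{true, ocspRequired};
    if (!pacOverHttps) {
        s.pacLoading = false;                 // file: PAC needs no TLS, hence no OCSP
    } else if (VerifyCert(s, fixApplied) == Result::Ok) {
        s.pacLoading = false;                 // PAC channel succeeded, FindProxyForURL is ready
    }
    // otherwise the PAC channel is killed and pacLoading never clears
    return VerifyCert(s, /*isPACChannel=*/false);
}
```

Only the combination of an https PAC, security.OCSP.require set and no PAC-channel bypass yields the error, which matches the reporter's observation that a file: PAC works.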
