Firefox is enforcing OCSP must staple and websites no longer work
Categories
(Core :: Security: PSM, defect)
People
(Reporter: nigelh747, Unassigned, NeedInfo)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Steps to reproduce:
This issue is with Firefox and Firefox Fenix.
With Firefox 118 the OCSP Staple parameter in SSL Certificates is now being enforced,
whereas current Chrome and Safari browsers are not enforcing this.
Actual results:
Firefox error that the site has a security issue that is NOT overridable in Fenix release
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
and can be overridden in about:config
security.ssl.enable_ocsp_must_staple =FALSE
Expected results:
Mozilla should either allow the user to override the issue OR wait to make the release at the same time as Safari and Chrome enforce the setting.
I have raised this against Firefox but it also occurs with Firefox for Android and also with Firefox Focus.
All BROKEN with release 118, with the user unable to access multiple websites that have OCSP staple set in their SSL certificates when it's not supported (or configured) in their infrastructure!
This change in behaviour is not in the Release Notes and has broken sites that have the OCSP stapling set to true while the server doesn't match the certificate or support it.
While most issued certificates have this setting disabled, the fact that Firefox is enforcing its position, whereas other browsers are not, and users on Android are not even able to bypass the position, is terrible.
I have had to reach out to at least one website owner to get him to regenerate his certificates to disable the feature.
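For site operators, the condition behind the error in this report can be checked before a certificate is deployed. The following is an added example, not part of the original report and not Firefox code: it looks for the TLS Feature extension (RFC 7633) in DER bytes and models the outcome described above. The function names, the `enforce` parameter (standing in for `security.ssl.enable_ocsp_must_staple`) and the sample bytes are assumptions, and the byte search for the OID is a shortcut where a real tool would walk the full certificate structure.

```python
# Added example: DER bytes below are constructed samples, not real certificates.
TLS_FEATURE_OID = bytes.fromhex("06082b06010505070118")  # 1.3.6.1.5.5.7.1.24 (RFC 7633)
STATUS_REQUEST = 5  # TLS extension number for OCSP stapling

# Constructed extension with TLS Feature = [status_request], i.e. must-staple.
SAMPLE_MUST_STAPLE = bytes.fromhex("301106082b0601050507011804053003020105")
# Constructed basicConstraints extension only: no TLS Feature present.
SAMPLE_PLAIN = bytes.fromhex("300c0603551d130101ff04023000")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def tls_features(cert_der):
    """List the TLS feature numbers a certificate requires ([] if none)."""
    idx = cert_der.find(TLS_FEATURE_OID)  # heuristic byte search, see lead-in
    if idx < 0:
        return []
    tag, value, nxt = read_tlv(cert_der, idx + len(TLS_FEATURE_OID))
    if tag == 0x01:  # optional BOOLEAN "critical" flag precedes the value
        tag, value, nxt = read_tlv(cert_der, nxt)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, seq, _ = read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF INTEGER")
    features, pos = [], 0
    while pos < len(seq):
        tag, num, pos = read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        features.append(int.from_bytes(num, "big"))
    return features


def check_handshake(cert_der, stapled, enforce=True):
    """Model the outcome the report describes; enforce mirrors the pref."""
    if enforce and STATUS_REQUEST in tls_features(cert_der) and not stapled:
        return "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING"
    return "OK"
```

A certificate for which `tls_features` returns `[5]` should only be deployed on a server that is confirmed to send a stapled OCSP response in the handshake.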
Comment 3•1 year ago
What sites aren't working for you?