Closed Bug 1856212 Opened 1 year ago Closed 1 year ago

Firefox is enforcing OCSP must staple and websites no longer work

Categories

(Core :: Security: PSM, defect)

Firefox 118
defect


RESOLVED DUPLICATE of bug 1833337

People

(Reporter: nigelh747, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0

Steps to reproduce:

This issue is with Firefox and Firefox Fenix

With Firefox 118 the OCSP Staple parameter in SSL certificates is now being enforced, whereas current Chrome and Safari browsers are not enforcing this.

Actual results:

Firefox error that the site has a security issue, which is NOT overridable in the Fenix release:

MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

It can be overridden in about:config:
security.ssl.enable_ocsp_must_staple = false

Expected results:

Mozilla should either allow the user to override the issue OR delay the release until Safari and Chrome enforce the setting at the same time.

I have raised this against Firefox, but it also occurs with Firefox for Android and also with Firefox Focus.

All BROKEN with release 118, with the user unable to access multiple websites that have OCSP staple set in their SSL certificates while it's not supported (or configured) by their infrastructure!

OS: Unspecified → All
Hardware: Unspecified → All

This change in behaviour is not in the Release Notes and has broken sites that have OCSP stapling set to true while the server doesn't match the certificate or support it.

While most issued certificates have this setting disabled, the fact that Firefox is enforcing its position, whereas other browsers are not, and that users on Android are not even able to bypass the position is terrible.

I have had to reach out to at least one website owner to get him to regenerate his certificates to disable the feature.
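The condition the report describes (a certificate that carries the RFC 7633 TLS Feature extension, i.e. OCSP Must-Staple, served by a host that never staples an OCSP response) can be reproduced and checked offline with OpenSSL. The script below is an added example and is not part of the bug report, of Firefox, or of Mozilla's tooling; the CNs, file paths and the FAIL/OK wording are made up for the example, `req -addext` needs OpenSSL 1.1.1 or newer, and `server_staples` needs network access to a real host, so it is defined but not exercised.

```shell
#!/bin/sh
# Added example (not from the bug report): build two throwaway self-signed
# certificates, one with the TLS Feature / must-staple extension and one
# without, and show the checks an operator would run before and after
# "regenerating the certificate to disable the feature".
set -eu

WORK="${TMPDIR:-/tmp}/must-staple-demo"   # made-up scratch directory
mkdir -p "$WORK"

# Certificate that asks for stapling: the x509v3 config line is
# "tlsfeature = status_request" (RFC 7633, OID 1.3.6.1.5.5.7.1.24).
make_must_staple_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 1 -subj "/CN=must-staple.example" \
        -addext "tlsfeature = status_request" \
        -keyout "$WORK/must-staple-key.pem" -out "$WORK/must-staple.pem" 2>/dev/null
    echo "$WORK/must-staple.pem"
}

# Same certificate without the extension, which is what a reissue that
# drops must-staple produces.
make_plain_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 1 -subj "/CN=plain.example" \
        -keyout "$WORK/plain-key.pem" -out "$WORK/plain.pem" 2>/dev/null
    echo "$WORK/plain.pem"
}

# Exit 0 if the certificate's TLS Feature extension lists status_request.
# `openssl x509 -text` prints the extension as "X509v3 TLS Feature:" followed
# by an indented "status_request" line.
has_must_staple() {
    openssl x509 -in "$1" -noout -text | grep -A1 "TLS Feature" | grep -q "status_request"
}

# Does a live server actually staple? Prints "stapled" or "not stapled".
# Network access required; not run by the test below.
server_staples() {
    host="$1"; port="${2:-443}"
    out=$(echo | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null || true)
    if echo "$out" | grep -q "OCSP Response Status: successful"; then
        echo "stapled"
    else
        echo "not stapled"
    fi
}

# Mirror of the browser-side decision: a must-staple certificate with no
# stapled response is a hard failure (Firefox reports
# MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING); anything else passes.
# $1 = certificate path, $2 = "stapled" or "not stapled"
verdict() {
    if has_must_staple "$1" && [ "$2" != "stapled" ]; then
        echo "FAIL: certificate requires stapling but server did not staple"
    else
        echo "OK"
    fi
}

# Demo run: the must-staple certificate fails without a staple, the reissued
# plain certificate does not.
MS=$(make_must_staple_cert)
PL=$(make_plain_cert)
echo "must-staple cert, no staple: $(verdict "$MS" "not stapled")"
echo "must-staple cert, stapled:   $(verdict "$MS" "stapled")"
echo "plain cert, no staple:       $(verdict "$PL" "not stapled")"
```

To check a real deployment, run `server_staples www.example.org` and feed the result together with the served leaf certificate into `verdict`; a "not stapled" result against a must-staple certificate is exactly what Firefox 118 refuses to override on Fenix.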

Flags: needinfo?(ryanvm)
Group: firefox-core-security → crypto-core-security
Component: Untriaged → Security: PSM
Product: Firefox → Core
Flags: needinfo?(ryanvm) → needinfo?(dkeeler)

What sites aren't working for you?

Group: crypto-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1833337
Flags: needinfo?(dkeeler) → needinfo?(nigelh747)
Resolution: --- → DUPLICATE