Closed Bug 220974 Opened 21 years ago Closed 19 years ago

Preferences allows OCSP validation when behind firewall/proxy even though OCSP is not supported in this configuration

(Core Graveyard :: Security: UI, defect)

1.0 Branch

(Reporter: skjpope, Unassigned)

(Whiteboard: [kerh-coz])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030701
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030701

The <Privacy & Security>/<Validation>/OCSP section allows users to select OCSP
validation, even when they are using a proxy server. (It appears that OCSP is
not supported in a proxy configuration, see NSS for details).

As a result, when logging into Hotmail (for example), users are presented with a
"mysterious" box that informs them that they could not establish an encrypted
session (Error code: -5933).

My suggestion is to modify the preferences (in the interim) to allow users to
specify that OCSP should be automatically disabled if Mozilla detects a
firewall/proxy that will prevent successful OCSP validation.

Reproducible: Always

Steps to Reproduce:
1. Enable OCSP validation in Preferences
2. Attempt to log on to Hotmail from behind a proxy server

Actual Results:
Fails with a 5933 error code

Expected Results:
OCSP should be automatically disabled if Mozilla detects a firewall/proxy that
will prevent successful OCSP validation.

This has nothing to do with the implementation of the prefs dialog; bugs in
individual panels should be assigned to the relevant components.
Assignee: bugs → ssaux
Component: Preferences → Client Library
Product: Browser → PSM
QA Contact: sairuh → bmartin
Version: Trunk → 2.4

My apologies.
Assigned the bug to Kai.
Assignee: ssaux → kaie
Ever confirmed: true

See also bug 111384, adding dependency.
Ideally, we'd fix 111384, and the inconsistency would be gone.

I think we should NOT automatically disable OCSP when a proxy is configured.
Using OCSP is an additional level of security, which a user might choose to be
necessary. Although it's really inconvenient not to know what's going on, it's
better that something doesn't work than to break the security assumptions of the user.

You are asking for a temporary solution until the OCSP problem (bug 111384) gets

I would like to suggest to give an error message if PSM's SSL layer is asked to
initiate a SSL connection, but detects OCSP in combination with a proxy.

Also remember the proxy configuration allows a "do not use a proxy for..."
exception. A user might not even need to use a proxy at all, but simply choose to
use a proxy for some hosts, and OCSP might still work, although a proxy is used
for some hosts.

I agree our behaviour is not good, but disabling the combination would break
some working environments.
Depends on: 111384
Blocks: 157555
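The point about the "do not use a proxy for..." exception list is easy to get wrong in a blanket "disable OCSP when a proxy is set" rule. The following is an added example, not code from this bug or from Mozilla/PSM/NSS: it models the proxy exception list and classifies, per OCSP responder, whether the status fetch would go direct (and still work) or through the proxy (the failing case this bug describes), then produces the connection-time warning Kai suggests instead of silently turning OCSP off. `ProxyConfig`, `bypasses_proxy`, `ocsp_fetch_status`, `connection_warnings` and the sample hosts are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class ProxyConfig:
    """Constructed model of the browser's proxy prefs (not PSM's own types)."""
    http_proxy: Optional[str]       # "host:port" of the proxy, or None for direct
    no_proxy: Tuple[str, ...] = ()  # the "do not use a proxy for..." exception list


def bypasses_proxy(host: str, cfg: ProxyConfig) -> bool:
    """True if a request to `host` goes direct, i.e. no proxy sits in the path."""
    if cfg.http_proxy is None:
        return True
    host = host.lower().rstrip(".")
    for entry in cfg.no_proxy:
        suffix = entry.lower().strip().lstrip(".")
        if suffix and (host == suffix or host.endswith("." + suffix)):
            return True
    return False


def ocsp_fetch_status(ocsp_enabled: bool, responder_url: str, cfg: ProxyConfig) -> str:
    """'skipped': OCSP is off; 'direct': responder is on the exception list or
    there is no proxy, so the fetch works; 'proxied': the fetch would go through
    the proxy, which this bug reports as failing."""
    if not ocsp_enabled:
        return "skipped"
    host = urlsplit(responder_url).hostname or ""
    return "direct" if bypasses_proxy(host, cfg) else "proxied"


def connection_warnings(ocsp_enabled: bool, responder_urls: List[str],
                        cfg: ProxyConfig) -> List[str]:
    """Kai's alternative: warn at connection time rather than silently disable
    OCSP. One message per responder whose check would be routed via the proxy."""
    return [f"OCSP responder {url} would be contacted via proxy {cfg.http_proxy}; "
            "the revocation check is expected to fail (see bug 111384)"
            for url in responder_urls
            if ocsp_fetch_status(ocsp_enabled, url, cfg) == "proxied"]


# Constructed sample: a corporate proxy with one internal exception. The
# intranet responder still works; the public one is the case the reporter hit.
SAMPLE_CFG = ProxyConfig("proxy.corp.example:3128", ("intranet.corp.example",))
SAMPLE_RESPONDERS = ["http://ocsp.intranet.corp.example/",
                     "http://ocsp.public-ca.example/"]
```

Suffix matching requires a dot boundary, so an exception for `intranet.corp.example` does not accidentally exempt `evilintranet.corp.example`.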

This bug is not blocked by bug 111384.
Rather it complains that the preference to enable OCSP remains enabled
when behind a proxy.
Fixing bug 111384 would obviate this bug, not enable it to be fixed.
No longer depends on: 111384
Assignee: kaie → nobody
Product: PSM → Core
Whiteboard: [kerh-coz]

I'm marking this as WONTFIX.
We really need to make OCSP work with proxies, and I hope that will be done really soon, see bug 111384.
Closed: 19 years ago
Resolution: --- → WONTFIX
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard