Error Trying to Validate Certificate Using OCSP - Directory Lookup Error

RESOLVED INVALID

Status

Core Graveyard
Security: UI
--
major
14 years ago
a year ago

People

(Reporter: Richard E. Whitehouse, Jr., Unassigned)

Tracking

Other Branch
x86
Windows 98

Details

(Whiteboard: [kerh-noi], URL)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6b) Gecko/20031208
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6b) Gecko/20031208

Trying to download latest release of J2SE (V1.4.2_03) from Java web site and get
the error message specified in "Actual Results" section when I click the
"download" link for J2SE V1.4.2_03 SDK on the "Download Java 2 Platform, ..." page.

Reproducible: Always

Steps to Reproduce:
1. Go to http://java.sun.com/j2se/1.4.2/download.html
2. Scroll down to the "Download J2SE V1.4.2_03" section.
3. Click the "download" link in the SDK column of the first row (32-bit/64-bit
for Windows/Linux/Solaris SPARC 32-bit for Solaris x86).


Actual Results:  
Error dialog appears with the following message:

Error trying to validate certificate from jsecom16.sun.com using OCSP -
directory lookup error.


Expected Results:  
Next page displays in which user accepts or declines license agreement.

I am using the Sky Pilot Classic Trunk theme, but it also occurs with the
default theme.

I have successfully downloaded previous versions of the SDK from this site
previously using an earlier version of Mozilla.

Comment 1

14 years ago
I am experiencing the same problem.  Experienced it earlier on Moz1.6 with the
J2EE download, and also on this link:
https://www.sun.com/corp_emp/zone/build.cgi
It gives error: "Error trying to validate certificate from www.sun.com using
OCSP - directory lookup error"

Always reproducible.  Experienced on 1.6final win32 and the 20040127 nightly.

Comment 2

*** Bug 241016 has been marked as a duplicate of this bug. ***

Comment 3

14 years ago
I think I get this error intermittently checking for mail with comcast also.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 4

Sorry folks, this is not a bug in mozilla.  
This is proper mozilla behavior.

The problem is that the certificate for these sun http web sites gives 
the following URL for its OCSP server:
     http://va.central.sun.com
and DNS directory lookups on that host name fail.
Try it for yourself.  Do this:
     nslookup va.central.sun.com
or
     ping va.central.sun.com

So, the "bug" here is that sun is using certs on their public https 
servers that refer to an OCSP server that sun has not listed in their
public DNS server.  You should contact Sun about their error.

We can either mark this bug invalid, or turn it into a bug about the
text of the error message.  "DNS lookup error" would be more clear, IMO
than "directory lookup error". 

Question to the submitter and other commenters in this bug:
Would "DNS lookup error" have made the problem any more clear to you?
If not, suggest another phrase that would.
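
The check described in comment 4, as an added example that is not part of the bug thread or of Mozilla's code: given the OCSP responder URL from a certificate (for instance the output of `openssl x509 -noout -ocsp_uri -in cert.pem`), it reports whether the failure lies in name resolution or in reaching the host. The function name `diagnose_ocsp_responder`, its stage labels and the injectable `resolve`/`connect` parameters are assumptions of this example.

```python
# Added example, not Mozilla/NSS code: locate the stage at which an OCSP
# responder becomes unreachable, starting from the URL in the certificate.
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def diagnose_ocsp_responder(url, resolve=socket.getaddrinfo,
                            connect=socket.create_connection, timeout=5.0):
    """Return (stage, detail); stage is 'url', 'dns', 'connect' or 'ok'.

    resolve/connect are injectable (an assumption of this example) so the
    logic can be exercised without network access.
    """
    parts = urlsplit(url)
    try:
        host, port = parts.hostname, parts.port
    except ValueError as exc:  # malformed port in the URL
        return ("url", f"bad responder URL {url!r}: {exc}")
    if parts.scheme not in DEFAULT_PORTS or not host:
        return ("url", f"not an HTTP(S) responder URL: {url!r}")
    port = port or DEFAULT_PORTS[parts.scheme]

    # Stage 1: name resolution, the step that fails in this bug report.
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", f"DNS lookup error for {host}: {exc}")

    # Stage 2: TCP reachability (responder down, or blocked by a firewall).
    last_error = None
    for _family, _type, _proto, _canon, sockaddr in infos:
        try:
            connect(sockaddr[:2], timeout=timeout).close()
            return ("ok", f"{host} -> {sockaddr[0]}, port {port} reachable")
        except OSError as exc:
            last_error = exc
    return ("connect", f"{host} resolves, port {port} unreachable: {last_error}")


if __name__ == "__main__":
    # Responder URL quoted in comment 4 of this bug.
    print(diagnose_ocsp_responder("http://va.central.sun.com"))
```

A `dns` result corresponds to the "directory lookup error" dialog in this report; a `connect` result points at a firewall or a responder that is down.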

Comment 5

14 years ago
I would like the option of being able to ignore the warning and still download
the software! Why does Mozilla just quit?

Comment 6

14 years ago
Nelson,

va.central.csun.com is an internal site. I don't know the contact person to get
this fixed on the public site.

James,

You could disable OCSP checking and that should allow you to download the software.

Comment 7

14 years ago
I could disable OCSP, but then I have no checking. I think the correct action is
to check and be notified if there is a problem and then be given a choice of
whether to accept the site.

Comment 8

14 years ago
I am getting the same error, while trying to access gmail.google.com. Following
the message, the login page loads but the box with the login fields
(name/password) is empty. I tested this again with the latest nightly build with
Firefox on W2K.

I wonder if this has anything to do with the fact that I'm behind a company
firewall? Is there any way I can find out what exactly is Firefox trying to
access that can not be reached?

As for the message test, I think that using DNS/OCSP are technical terms, that a
regular user will not understand, and the message also does not specify what
exactly the user can do to rectify the error (if possible). I do not know if
Mozilla/Firefox have any usability style guide but you can look at Gnome's:

http://developer.gnome.org/projects/gup/hig/2.0/language-errors.html

I think something like this would be better:

<B>Security certificate could not be validated, so items on this page may not
display/behave correctly</b>
You might want to report this error to the webmaster of the site you try to
visit. The error is: Certificate validation using OCSP failed - Directory Lookup
Error, site address is ~whatever~

If there can be a way to allow this message to be copied to the clipboard it
would be great, so that the user won't have to copy it manually.

(btw this is a general comment - maybe such errors need to be accessible via
Tools/View errors).

Comment 9

14 years ago
Small update:

I deleted the old profile and now I don't get the message any more. Might have
been some compatibility problem with an older profile. If it's possible to
identify such situations and reset the profile sections that affect it without
deleting the old profile it will be great.

Comment 10

13 years ago
With regards to the wording and options....

IE says

"Revocation information for the security certificate for this site is not
available.  Do you wish to proceed?"  YES / NO

Updated

13 years ago
Assignee: kaie → nobody

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

12 years ago
Whiteboard: [kerh-noi]

Comment 11

12 years ago
Using XP, an automatic update installed this afternoon, and ever since I get the message "Error trying to validate certificate from website (mypointsgames.com - login, and citibank.com - login) using OCSP - server is busy try again later." when trying to login to these sites.  However, when using Internet Explorer (yuk) I am able to access them without incident.

Comment 12

12 years ago
Mark,

In response to comment 11, this OCSP error had nothing to do with any windows update. I got it on Solaris too. I believe an actual OCSP server (probably Verisign) was down today.

Comment 13

12 years ago
I removed the Automatic Update 'Security Update for Windows XP (KB913580)' and as it was uninstalling it told me that Mozilla Firefox may not operate properly if I uninstall it.  However, whatever damage it has done to Firefox seems to be permanent.  I've reinstalled Firefox to no avail.

Also, Bankofamerica.com has a different message when trying to login:
Error establishing an encrypted connection to sitekey.bankofamerica.com Error Code -8048

I am able to use these sites on my XP Laptop that has not had the Security Update mentioned above installed.

Comment 14

12 years ago
(In reply to comment #13)
> Also, Bankofamerica.com has a different message when trying to login:
> Error establishing an encrypted connection to sitekey.bankofamerica.com Error
> Code -8048

Does this error go away when you turn off OCSP?


Comment 15

12 years ago
According to Nelson in comment 4, and I agree, being unable to contact an ocsp responder, mentioned on a public site, but protected behind a firewall, is not a bug in Mozilla. I'm closing this as invalid.

James, in comment 5 you propose there should be a way to continue after an ocsp verification failure. This is bug 151271.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → INVALID
Updated

a year ago
Product: Core → Core Graveyard