User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

I'm trying to get the Firefox browser to check client certificates via OCSP against a Tumbleweed OCSP Responder. I can see the browser make a query to the Responder, and see that the Responder accepts the request and issues a response (with the proper status). Firefox, however, is not happy with the response, and spits out a generic "8182" error which seems to indicate that it could not verify the signature on the response. I have tried directly adding the responder's signing certificate into Firefox's certificate stores, as well as just having the browser trust the issuing CA of the responder cert, without any change in behavior. Anybody know what I could be missing? Do I have to get my responder cert issued off a CA that Firefox trusts as a "built-in" CA, one that Firefox is compiled with and pre-configured to trust? Or can I just add my own CA certificate as a "software token" that the browser can be configured to trust?

Reproducible: Always

Steps to Reproduce:
1. Configure a Responder with a self-signed certificate, or a delegated certificate issued off a local CA [not trusted within the browser's trust database]
2. Add the responder's self-signed certificate, or the issuing CA's certificate, into the browser's trust database
3. Invoke validation by visiting a secure site over SSL

Actual Results: Error code of -8182 returned, and browser refused to display page of secure server

Expected Results: Browser should have been able to verify response from the OCSP responder.
This sounds more like a call for help than a bug. Try the newsgroup forums from http://www.mozilla.org/support/#community -- for this case the netscape.public.mozilla.crypto newsgroup. All the filed bugs that mention this error code (except bug 249004) ended up INVALID or WORKSFORME, so it sounds like it's fairly common that people set this stuff up wrong when they try to make their own certs. https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=product&type0-0-0=substring&value0-0-0=8182&field0-0-1=component&type0-0-1=substring&value0-0-1=8182&field0-0-2=short_desc&type0-0-2=substring&value0-0-2=8182&field0-0-3=status_whiteboard&type0-0-3=substring&value0-0-3=8182 If the n.p.m.crypto guys confirm the bug, have them reopen this with better technical details of the flaw.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Component: Security → Libraries
Product: Firefox → NSS
Resolution: --- → INVALID
It would help if the reporter could supply, as attachments to this bug:
- a CA cert to trust in the browser
- an OCSP cert
- an internet-facing website with appropriate SSL cert.
More information sent to me by reporter:

http://ocsp.disa.mil/ - welcome page and also port that OCSP queries are sent to.
http://ocsp.disa.mil/~stats - stats page
http://ocsp.disa.mil/getvaconfig?ocsp -- to fetch the configuration information, which returns back to Desktop Validator the self-signed certificate or CA delegated certificate.

And... This cert below is both the OCSP responder certificate and the CA certificate for the purpose of validation of the signed OCSP response. It should be handled in a similar way to directly trusted SSL sites.

[PEM-encoded responder certificate attached to the bug; omitted here]

I will look at this to determine if there is merit to reopen the bug.
Steve, I have been able to reproduce this problem with our CA and OCSP. Re-opening this bug.
Assignee: dveditz → wtchang
Status: UNCONFIRMED → NEW
Ever confirmed: true
Bob, could you take a look at this bug? Thanks.
Assignee: wtchang → rrelyea
Also working with Tumbleweed OCSP with Firefox. Problem is, no option is given to continue on a website if OCSP is not available. Example: https://bugzilla.mozilla.org after requiring the use of OCSP is selected: "Error trying to validate certificate from bugzilla.mozilla.org using OCSP - unknown certificate". I don't see any option setting available for this to be only a warning instead of a stop alert.
BTW, error -8182 is SEC_ERROR_BAD_SIGNATURE
Summary: OCSP signature verification issue - error 8182 → OCSP signature verification issue - error 8182 SEC_ERROR_BAD_SIGNATURE
See also bug 341004 which reports that error SEC_ERROR_BAD_SIGNATURE is the wrong error code to report for some OCSP and CRL revocation situations.