Closed Bug 299425 Opened 19 years ago Closed 18 years ago

Reports "Error trying to validate certificate using OCSP - directory lookup error" when set to only use OCSP to validate certs which provide OCSP service URL when certificate does not provide OCSP service URL

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

RESOLVED INVALID

People

(Reporter: rossmdummy, Unassigned)

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050628
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050628

I have the browser set to validate certs using OCSP only when a cert provides an
OCSP service URL. When I go to https://bugs.acm.jhu.edu, I get a dialog
displaying  "Error trying to validate certificate from bugs.acm.jhu.edu using
OCSP - directory lookup error." The certificate for bugs.acm.jhu.edu does not
specify an OCSP service URL so the cert should not be validated using OCSP
according to my browser configuration.

Reproducible: Always

Steps to Reproduce:
1. Go to Mozilla|Preferences|Privacy & Security|Validation
2. Click on "Use OCSP to validate only certificates that specify an OCSP service
URL"
3. Click OK.
4. Go to https://bugs.acm.jhu.edu

Actual Results:  
I get a dialog displaying  "Error trying to validate certificate from
bugs.acm.jhu.edu using OCSP - directory lookup error."

Expected Results:  
The browser should have examined the certificate, found no OCSP service URL
present, and then displayed the page.

(In reply to comment #0)
> Expected Results:  
> The browser should have examined the certificate, found no OCSP service URL
> present, and then displayed the page.

Related to Core bug 151271?

(In reply to comment #1)
> (In reply to comment #0)
> > Expected Results:  
> > The browser should have examined the certificate, found no OCSP service URL
> > present, and then displayed the page.
> 
> Related to Core bug 151271?

They're "related", but they are separate problems.  Bug 151271 is about when
OCSP validation fails for certificates that *provide* an OCSP URL.  This bug is
about Mozilla choosing to do OCSP validation when a certificate has no OCSP URL.

Fixing this bug wouldn't fix bug 151271, and vice versa.  Also, fixing bug
151271 would let users make insecure choices.  Fixing this bug would allow
users to make *secure* choices rather than blocking them incorrectly.

This problem is also present in Firefox 1.0.6

I have a problem similar to this bug with Mozilla 1.0.7.
I am accessing the web server with the URL (https://www.abc.com) via SSL. The SSL certificate for the web server is issued for the common name www.abc.com.
But the common name www.abc.com is not registered with the ISP. As we are not accessing this publicly, we access it only internally inside the local network.
So we made an entry (on the desktop) in the HOSTS file
   123.12.12.4    www.abc.com
and tried accessing it with the URL https://www.abc.com. On IE it prompted a message that the certificate is not verified and continued, but in Mozilla it prompted the message
  "The connection to www.abc.com has terminated unexpectedly. Some data may have been transferred."
and did not proceed (as IE did).
I have selected "Do not use OCSP for certificate validation" under Advanced-validations.
When I chose "Use OCSP to validate only certificates that specify an OCSP service URL", I get "Error trying to validate certificate from www.abc.com using OCSP - directory lookup error".

Are there any updates or fixes for this?

This bug is OS and hardware independent, so someone with the authority to change the status of those fields should do so.  The bug is present in Seamonkey/1.0.5 as well as Firefox/1.5.0.7.  I think the status of this bug should be escalated to "blocker" because it entirely blocks the browser from accessing sites to which this bug applies.

The appropriate resolution would be to display a warning and allow the user to decide whether or not to proceed, similar to the handling of other security warnings.

OS: Mac OS X 10.2 → All
Hardware: Macintosh → All
Assignee: dveditz → nobody
Component: Security → Libraries
Product: Core → NSS
QA Contact: toolkit → libraries
Version: Trunk → unspecified

In comment 0, the reporter wrote:
> The certificate for bugs.acm.jhu.edu does not specify an OCSP service URL 
> so the cert should not be validated using OCSP according to my browser 
> configuration.

The cert from that server does indeed bear an OCSP service URL:

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ocsp.ipsca.com/"

However, that server name does not resolve for me.  In my opinion, the 
issuer of this certificate has done its customer a disservice by issuing 
a cert with a non-existent OCSP responder name.  I would advise the 
subject of that cert to request a new cert from that issuer (or another),
one that has either a working OCSP URL or no OCSP URL.
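An added example (not NSS or Mozilla code) that models the decision the comment above describes: under the "only certificates that specify an OCSP service URL" preference, the AIA OCSP URIs decide whether OCSP runs at all, and a responder name that does not resolve surfaces as the "directory lookup error". It assumes the cert dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample cert dicts and the stand-in resolver are constructed for offline use.

```python
import socket
from urllib.parse import urlparse

# The two Validation preferences named in this bug; any other policy value
# is treated as "check every responder the cert names".
OCSP_OFF = "off"        # "Do not use OCSP for certificate validation"
OCSP_IF_URL = "if_url"  # "Use OCSP to validate only certificates that specify an OCSP service URL"


def ocsp_urls_from_cert(cert):
    """Return the OCSP responder URIs of a cert dict shaped like the one
    ssl.SSLSocket.getpeercert() returns: its 'OCSP' key carries the AIA
    id-ad-ocsp accessLocation URIs and is absent when the cert has none."""
    return list(cert.get("OCSP", ()))


def check_ocsp_responders(cert, policy, resolver=socket.getaddrinfo):
    """Decide whether `policy` makes OCSP apply to `cert` and, if it does,
    whether each responder host name resolves.  A DNS failure is reported
    as "directory lookup error", the NSS wording quoted in this bug.
    `resolver` is injectable so the check can run offline."""
    urls = ocsp_urls_from_cert(cert)
    if policy == OCSP_OFF or (policy == OCSP_IF_URL and not urls):
        return {"ocsp_required": False, "responders": {}}
    responders = {}
    for url in urls:
        parsed = urlparse(url)
        if not parsed.hostname:
            responders[url] = "bad URI"
            continue
        try:
            resolver(parsed.hostname, parsed.port or 80)
            responders[url] = "resolves"
        except OSError:  # socket.gaierror is a subclass of OSError
            responders[url] = "directory lookup error"
    return {"ocsp_required": True, "responders": responders}


# Constructed sample data: the AIA entry mirrors the one quoted in the comment
# above; the second cert carries no AIA extension at all.
BUGS_ACM_CERT = {"subject": ((("commonName", "bugs.acm.jhu.edu"),),),
                 "OCSP": ("http://ocsp.ipsca.com/",)}
NO_AIA_CERT = {"subject": ((("commonName", "www.abc.com"),),)}


def unresolvable(host, port, *args, **kwargs):
    """Stand-in resolver that behaves like a responder name that does not exist."""
    raise socket.gaierror(f"Name or service not known: {host}")


if __name__ == "__main__":
    print(check_ocsp_responders(BUGS_ACM_CERT, OCSP_IF_URL, resolver=unresolvable))
```

Passing the real `socket.getaddrinfo` (the default) performs the live DNS lookup the browser would.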

Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID