Closed Bug 331336 Opened 17 years ago Closed 17 years ago

Certificate import fails without any notification/warning if OCSP URL contains https

Categories

(Core :: Security: PSM, defect)

1.8 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 310446

People

(Reporter: hauser, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

For Thunderbird and Firefox, if OCSP is enabled and a certificate contains an OCSP URL with https, an import fails without any notice or warning.

This is a nasty denial of service situation for poor users often struggling with PKI already anyway...

Reproducible: Always

Actual Results:  
nothing happens

Expected Results:  
at least an intelligible warning should be issued

The easiest is probably to just also support OCSP requests over https.
Depends on: 205436
Thunderbird resists importing an OCSP certificate with an invalid timestamp, but doesn't inform the user.

This has been reproduced several times on different OSes (Linux 2.6.14-gentoo-r7 & Windows XP SP2), both using Thunderbird Version 1.5 (20051201).

The OCSP server's date is set to any time in the future. When importing an OCSP certificate, Thunderbird opens a connection to the server, tries to verify the certificate and fails. The certificate will not be imported and the user won't get any error message informing him about the error.
Can you please point us to such a cert?
Assignee: nobody → nobody
Component: Security → Build
Product: Firefox → NSS
QA Contact: firefox → build
Component: Build → Libraries
Blocks: 157555
Bug 310446 already proposes to give user feedback, when a user tries to import a cert, but the application decides to ignore it.

Cedric, this should handle your situation.

Ralf, your report also asks for user feedback, this will be done in bug 310446, too.

Your request to support OCSP over https is bug 205436.



*** This bug has been marked as a duplicate of 310446 ***
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Component: Libraries → Security: PSM
Product: NSS → Core
Resolution: --- → DUPLICATE
Version: unspecified → 1.8 Branch
A similar refusal to work with a certificate it does not like appears to be Bug 343717 (qc statement for qualified legally binding signatures).