581625 - When Internet Connection is Disabled, Ignore OCSP

Status: NEW

(Core :: Security, enhancement)

Description

[David E. Ross]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11) Gecko/20100701 SeaMonkey/2.0.6
Build Identifier: 

I downloaded an addon from addons.mozilla.org but could not install it.  Instead, I got an error popup about "Signing could not be verified."  

That problem was caused by a combination of three concurrent situations.  First, it is my practice to disable my Internet connection during installations to avoid extraneous activities (e.g., resynchronizing my PC clock to external time servers).  Second, the addon was signed.  Third, I had checked the Validation Preference checkbox for "When an OCSP server connection fails, treat the certificate as invalid".  I was able to install the addon by either enabling my Internet connection or clearing the checkbox.  

Obviously, with no Internet connection, all OCSP server connections fail.  Such failures should be ignored when running an application offline.  

Reproducible: Always

Comment 1

[David E. Ross]

Attachment: Image of Error Popup

Attachment shows the error popup I got when my Internet connection was disabled and the Validation Preference checkbox was checked for "When an OCSP server connection fails, treat the certificate as invalid".  Note that the content of the popup fails to indicate any OCSP problem.  This vague description of a problem with an SSL certificate is quite common; other error popups are equally vague.