Closed Bug 589629 Opened 10 years ago Closed 6 years ago

Verisign OCSP responder says "unauthorized request" for apparently valid SSL server cert


(Web Compatibility :: Desktop, defect, major)

Windows XP

(Reporter: nelson, Unassigned)




With strict OCSP enabled, go visit either of these AT&T web site URLs:,ACCTMGR

Expected result: an https web page from AT&T
Actual result: 

> Secure Connection Failed
> An error occurred during a connection to
> The OCSP server has refused this request as unauthorized.
> (Error code: sec_error_ocsp_unauthorized_request)
> The page you are trying to view can not be shown because 
> the authenticity of the received data could not be verified.

The cert for is within its validity period.
Its cert chain's signatures all check out OK.

Oh, I tried and tried to find ways to report this to Verisign this weekend,
in hopes that they could "kick" the responder.  No joy.

Seems to work for me. No issues.

Maybe they have multiple responders serving separate geographical areas,
and they give different results.

The OCSP request sent looks like this (pretty printed):

TBS Request:
    Version: DEFAULT
    No Requestor Name.
    Request 0:
        Cert ID:
            Hash Algorithm: SHA-1
            Issuer Name Hash:
            Issuer Key Hash:
            Serial Number:
        No Single Request Extensions
    No Request Extensions
No Signature

Or, in hex:

       30 51   30 4F   30 4D   30 4B   30 49   30 09   06 05   2B 0E
       03 02   1A 05   00 04   14 C0   FE 02   78 FC   99 18   88 91
       B3 F2   12 E9   C7 E1   B2 1A   B7 BF   C0 04   14 0D   FC 1D
       F0 A9   E0 F0   1C E7   F2 B2   13 17   7E 6F   8D 15   7C D4
       F6 02   10 2F   1B 3A   10 E4   D5 EC   BF A8   56 3A   76 94
       3D DE   E5

The entire response I get is these 5 bytes (shown here in hex):

       30 03   0A 01   06

PING ( 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
--- ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
Assignee: english-us → nobody
Closed: 6 years ago
Component: English US → Desktop
Resolution: --- → INVALID
Product: Tech Evangelism → Web Compatibility