Open Bug 645389 Opened 15 years ago Updated 3 years ago

indicate which server failed when encountering sec_error_ocsp_server_error errors

Categories

(Core :: Security: PSM, defect, P5)

x86
Windows 7
defect


People

(Reporter: timeless, Unassigned)


Details

(Whiteboard: [psm-backlog])

So, I just updated my Firefox.

Build identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.2a1pre) Gecko/20110326 Firefox/4.2a1pre

And I got:

Secure Connection Failed
An error occurred during a connection to mail.google.com.
The OCSP server experienced an internal error.
(Error code: sec_error_ocsp_server_error)
The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Note, my help menu has:
Minefield Help
Troubleshooting Information
Submit Feedback...
Restart with Add-ons Disabled...
-
Report Web Forgery...
-
About Minefield
---
There is no item for reporting a problem with the site.

Expected results:
1. menu items should exist if referenced
2. there should be enough information about an OCSP error for me to do something
(In reply to comment #0)
> An error occurred during a connection to mail.google.com.
> The OCSP server experienced an internal error.
> (Error code: sec_error_ocsp_server_error)

Interesting. Are you still able to reproduce, or was it perhaps a transient problem?

There are five places in security/nss/lib/certhigh/ocsp.c which possibly set SEC_ERROR_OCSP_SERVER_ERROR (http://mxr.mozilla.org/mozilla-central/ident?i=SEC_ERROR_OCSP_SERVER_ERROR), and from what I can tell, the first four don't necessarily imply that there was indeed an "internalError"-type OCSP response received from the server... they might simply indicate that we failed to set up an HTTP connection to the responder.

Do you see any traffic to ocsp.thawte.com when this happens? Does http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQekgmqcTx5S8oekxoKYa0%2F0LpggwQUOzSacJFzsoobDPTpN82zcDKeGFQCEB8Z9t413WOhQpGK1SzAqxI%3D give you a response of about 1 KByte in size, or something else?
Maybe it would be helpful to indicate which server failed, but other than that there's not a whole lot Firefox can do in the face of failing OCSP responders (note that hard-fail is off by default, so users shouldn't even be seeing this unless they've modified about:config).
Component: Security: UI → Security: PSM
Priority: -- → P5
Summary: error message does not provide useful behavior for sec_error_ocsp_server_error for mail.google.com → indicate which server failed when encountering sec_error_ocsp_server_error errors
Whiteboard: [psm-backlog]
I just ran into this as well. Can this be added soon? This is a huge annoyance for everyone trying to run Firefox in OCSP-enforced mode, since sadly many of the large SSL cert vendors seem to do a poor job at keeping the servers available, so there should be at least some basic info on whom to contact about it. Since I can't view the cert with an SEC_ERROR_OCSP_SERVER_ERROR, I can't tell which SSL cert vendor is responsible and therefore I can't contact them. (Site owners themselves are usually super unaware of this problem.)
Severity: normal → S3