Closed Bug 678610 Opened 13 years ago Closed 8 years ago

If SSL connections fail because of OCSP, show more details about the cause of the failure

Categories

(Core :: Security: PSM, defect)

7 Branch
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: KaiE, Unassigned)

References

(Depends on 1 open bug)

Attachments

(1 file)

I've been running with "strict OCSP" for quite a while, and I've also enabled "NSS' libPKIX verification engine", which will perform additional OCSP checks (e.g. checking intermediate CA certificates).

I run into OCSP related failures several times a day.

The experience is frustrating and, in my opinion, is not yet ready for end users, because:
- I often get (temporary) OCSP server failures
- sometimes OCSP server failures are remembered as "revoked",
  even though it's (probably) just an OCSP server connectivity issue
- sometimes the NSS libpkix engine reports errors as "revoked",
  but it works after I restart the browsers
  (thereby flushing our OCSP cache)
- it's impossible to distinguish OCSP server failures from cert
  revocation
- it's impossible to know which OCSP server is causing the problems

Debugging/Analysis is difficult, because we don't report any details about OCSP failures.

I sometimes have to guess. Sometimes I have to do painful tracing of the libPKIX library.

In order to resolve this, we should at least dump more details into the error console.

I am currently exploring whether the CERTVerifyLog contains sufficient information and, if so, how to convert it into a summary for error messages.
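The failure modes listed in the report above (a responder outage remembered as "revoked", no way to tell an outage from a real revocation, no record of which responder failed) can be made concrete with a small cache model. The following is an added example and is not code from this bug, its patch, or NSS/Firefox: the responder URL, serial numbers and fetch stub are constructed, and the TTL values are assumptions. It keeps transport failures in a separate state with a short lifetime, so a transient error never becomes a long-lived "revoked" verdict, and every entry records the responder that produced it so the console message can name the cause.

```python
"""Added example (not from bug 678610 or from NSS/PSM): an OCSP result cache
that keeps 'responder unreachable' distinct from 'revoked' and records which
responder produced each verdict. Network access is replaced by a stub."""
from dataclasses import dataclass
from enum import Enum
import time


class OcspOutcome(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    RESPONDER_ERROR = "responder_error"  # transport failure or malformed reply
    UNKNOWN = "unknown"                  # responder answered but does not know the cert


@dataclass
class CacheEntry:
    outcome: OcspOutcome
    responder_url: str
    detail: str
    expires_at: float


class OcspCache:
    # Assumed lifetimes: definitive answers live long, failures expire fast so a
    # responder outage is not remembered as a revocation (the bug's second point).
    GOOD_TTL = 3600.0
    REVOKED_TTL = 3600.0
    FAILURE_TTL = 60.0

    def __init__(self, fetch, clock=time.time):
        self._fetch = fetch    # callable(responder_url, serial) -> (OcspOutcome, detail)
        self._clock = clock    # injectable clock so expiry can be exercised offline
        self._entries = {}

    def check(self, serial, responder_url):
        now = self._clock()
        key = (serial, responder_url)
        entry = self._entries.get(key)
        if entry is not None and entry.expires_at > now:
            return entry
        try:
            outcome, detail = self._fetch(responder_url, serial)
        except OSError as exc:
            # A connectivity problem is recorded as such, never as REVOKED.
            outcome, detail = OcspOutcome.RESPONDER_ERROR, f"transport error: {exc}"
        ttl = {OcspOutcome.GOOD: self.GOOD_TTL,
               OcspOutcome.REVOKED: self.REVOKED_TTL}.get(outcome, self.FAILURE_TTL)
        entry = CacheEntry(outcome, responder_url, detail, now + ttl)
        self._entries[key] = entry
        return entry


def describe_failure(entry):
    """The kind of console line the bug asks for: names the responder and
    separates a connectivity problem from an actual revocation."""
    if entry.outcome is OcspOutcome.GOOD:
        return None
    if entry.outcome is OcspOutcome.REVOKED:
        return f"certificate revoked according to {entry.responder_url} ({entry.detail})"
    return (f"OCSP responder {entry.responder_url} failed: {entry.detail}; "
            "strict mode treats this as a hard failure, but the certificate "
            "is not known to be revoked")


def run_demo():
    """Constructed scenario: the responder for serial 0x1001 is unreachable on
    the first attempt and healthy afterwards; serial 0x1002 is really revoked."""
    now = [1000.0]
    calls = {"count": 0}

    def stub_fetch(url, serial):
        calls["count"] += 1
        if serial == 0x1001 and calls["count"] == 1:
            raise ConnectionError("connection refused")
        if serial == 0x1002:
            return OcspOutcome.REVOKED, "revocationReason=keyCompromise"
        return OcspOutcome.GOOD, "thisUpdate within validity window"

    cache = OcspCache(stub_fetch, clock=lambda: now[0])
    url = "http://ocsp.example.test/"   # constructed responder URL
    first = cache.check(0x1001, url)    # transport error -> RESPONDER_ERROR
    second = cache.check(0x1001, url)   # within FAILURE_TTL: served from cache
    now[0] += OcspCache.FAILURE_TTL + 1
    third = cache.check(0x1001, url)    # failure entry expired: refetched, GOOD
    revoked = cache.check(0x1002, url)
    return {
        "first": first.outcome, "second": second.outcome, "third": third.outcome,
        "revoked": revoked.outcome, "fetches": calls["count"],
        "message": describe_failure(first),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The important design choice is the asymmetric TTL: a "revoked" answer is definitive and may be cached as long as the response is valid, but a responder error is only evidence about the responder, so it is retried after a short interval instead of being carried until the browser restarts and the cache is flushed.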
Attached patch: Patch v1
This patch is a first attempt to display details of verification failures in the error console.
Depends on: 678675
Depends on: 640892
I think the error codes reported by mozilla::pkix / certverifier are a bit more clear now. Feel free to reopen if they need further improvement.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME