Closed Bug 694747 Opened 14 years ago Closed 6 years ago

ocsp-revocation is ignored even with about:config set to require it

Categories

(Firefox for Android Graveyard :: General, defect)

Firefox 6
x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mozilla, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20111001180102

Steps to reproduce:

I accessed https://ch.indymedia.org/ (by typing the address into the url-bar and later by using the history to quick select).

Additional info: a friend of mine had trouble accessing it, and we found that this site's cert was revoked (due to political reasons). Testing with openssl:

    openssl ocsp -issuer /etc/ssl/certs/cacert.org.pem -CAfile /etc/ssl/certs/cacert.org.pem -serial 0x097A25 -host ocsp.cacert.org:80
    Response verify OK
    0x097A25: revoked
    This Update: Oct 15 07:36:32 2011 GMT
    Next Update: Oct 15 08:20:47 2011 GMT
    Revocation Time: Jun 2 08:18:47 2011 GMT

My friend's Firefox was set to use OCSP, which then denied SSL access as the cert is revoked (imo correct behavior). While searching for the cause I tried accessing https://ch.indymedia.org/ from my HTC Android with Fennec, and it loaded without any warning (I used the mobile network and a different WLAN to ensure this is not a network problem; however, due to the smart-phone nature of Fennec, I was not 100% able to verify that this is not related to https://bugzilla.mozilla.org/show_bug.cgi?id=540428, I just don't know how to verify that from the phone itself for sure). I checked about:config and found 2 settings:

    security.OCSP.enabled 1
    security.OCSP.require false

(I also tried with security.OCSP.require true, same result.)

PS: I have set the "Security" flag on this bug. I do not think this is an issue for a lot of people; however, seeing the recent DigiNotar hack and (maybe) Iran gov usage of them, this could actually be a problem for people in such countries who use smart-phones and maybe rely on OCSP.

PPS: Actually, the certificate for that website looks broken to me; still, a warning would be nice.

PPPS: this is on HTC Fennec 4.0.1, I did not find this in the version drop-down on the bug-tracker (only fennec1.1 is there), I did "check for updates" in about:firefox and it told me "no updates available". The full info in about:config is:

    Mozilla/5.0 (Android; Linux armv7I; rv:2.1.1) Gecko/20110415 Firefox/4.0.2pre Fennec/4.0.1

My addons are the default search addons (google, amazon(disabled), twitter(disabled), wikipedia). I had the mobile NoScript addon installed, but removed that for testing.

Actual results: the site loaded and no warning was issued even when security.OCSP.require was set to true.

Expected results: at least a warning that this SSL cert is revoked or borked in some way.
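The openssl check in the report above decides revocation by hand. The Python below is an added example, not code from the bug report, from Fennec or from NSS: it parses the text that `openssl ocsp` prints and applies the two about:config prefs the reporter names as a policy, where security.OCSP.enabled switches checking on and security.OCSP.require decides whether a missing, unverifiable, unknown or stale response is a hard failure (block) or a soft failure (allow). The sample responses, the "Error querying OCSP responder" line, the "Response Verify Failure" sample and the clock values are constructed for the example and are labelled as such in the code.

```python
"""Parse `openssl ocsp` text output and apply an OCSP policy.

Added example, not code from the bug report, Fennec or NSS. It models the
two prefs the reporter names: security.OCSP.enabled (check at all) and
security.OCSP.require (hard-fail when no valid answer is available).
"""
import re
from datetime import datetime, timezone

# Constructed samples in the format the reporter pasted. openssl prints
# single-digit days with two spaces ("Jun  2"); the parser tolerates both.
SAMPLE_REVOKED = """Response verify OK
0x097A25: revoked
\tThis Update: Oct 15 07:36:32 2011 GMT
\tNext Update: Oct 15 08:20:47 2011 GMT
\tRevocation Time: Jun  2 08:18:47 2011 GMT
"""

SAMPLE_GOOD = """Response verify OK
0x097A25: good
\tThis Update: Oct 15 07:36:32 2011 GMT
\tNext Update: Oct 15 08:20:47 2011 GMT
"""

# Constructed: what an unreachable responder looks like.
SAMPLE_NO_RESPONSE = "Error querying OCSP responder\n"

# Constructed: a response whose signature did not verify; the status line
# that follows must not be trusted.
SAMPLE_BAD_SIGNATURE = """Response Verify Failure
0x097A25: good
\tThis Update: Oct 15 07:36:32 2011 GMT
\tNext Update: Oct 15 08:20:47 2011 GMT
"""

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"
_STATUS_RE = re.compile(r"^\S+: (good|revoked|unknown)$")


def _parse_time(text):
    """Parse an openssl-style UTC timestamp into an aware datetime."""
    normalized = " ".join(text.split())
    return datetime.strptime(normalized, _TIME_FMT).replace(tzinfo=timezone.utc)


# Constructed clock values: one inside the response's validity window, one after it.
CLOCK_FRESH = _parse_time("Oct 15 08:00:00 2011 GMT")
CLOCK_STALE = _parse_time("Oct 16 00:00:00 2011 GMT")


def parse_ocsp_output(text):
    """Extract verification result, cert status and timestamps from openssl output."""
    info = {"verified": False, "status": None, "this_update": None,
            "next_update": None, "revocation_time": None}
    labels = {"This Update": "this_update", "Next Update": "next_update",
              "Revocation Time": "revocation_time"}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Response verify OK":
            info["verified"] = True
            continue
        m = _STATUS_RE.match(line)
        if m:
            info["status"] = m.group(1)
            continue
        for label, key in labels.items():
            if line.startswith(label + ":"):
                info[key] = _parse_time(line.split(":", 1)[1])
    return info


def decide(text, now, ocsp_enabled=True, ocsp_require=False):
    """Return ("allow" | "block", reason) for one OCSP check."""
    if not ocsp_enabled:
        return "allow", "OCSP checking disabled (security.OCSP.enabled = 0)"
    info = parse_ocsp_output(text)
    # Only a response whose signature verified carries a status worth reading.
    answer = info["status"] if info["verified"] else None
    # A verified "revoked" blocks even if the response has since gone stale.
    if answer == "revoked":
        when = info["revocation_time"]
        suffix = " at " + when.isoformat() if when else ""
        return "block", "certificate revoked" + suffix
    fresh = (info["this_update"] is not None and info["this_update"] <= now
             and (info["next_update"] is None or now <= info["next_update"]))
    if answer == "good" and fresh:
        return "allow", "verified OCSP response says good"
    # "unknown", stale, unverifiable or missing: the require pref decides.
    if ocsp_require:
        return "block", "no valid OCSP response and security.OCSP.require = true"
    return "allow", "soft-fail: no valid OCSP response, security.OCSP.require = false"


if __name__ == "__main__":
    for name, sample in (("revoked", SAMPLE_REVOKED), ("good", SAMPLE_GOOD),
                         ("no response", SAMPLE_NO_RESPONSE),
                         ("bad signature", SAMPLE_BAD_SIGNATURE)):
        for require in (False, True):
            verdict, why = decide(sample, CLOCK_FRESH, ocsp_require=require)
            print(f"{name:14s} require={require!s:5s} -> {verdict}: {why}")
```

Running the module prints the verdict for each sample under both settings. The table it produces makes the reporter's expectation concrete: a verified "revoked" answer blocks under either pref, while an outage or an unverifiable response is only blocked when require is true; a code path that never consults the responder at all (for example because a stored certificate override short-circuits validation) would sidestep this policy entirely.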
As far as I can see this site's cert should never work in any version of firefox -- it does not serve intermediates, and chains to a CA Firefox does not trust. OCSP really doesn't come into it.
Group: core-security
Version: Firefox 4.0 → Firefox 6
Did you add a (permanent) certificate error override in order to get the site to work initially? If so, then the way our certificate overrides work will bypass the OCSP requirement. Basically, certificate error overrides do not work with the "require OCSP" setting.
(In reply to Brian Smith (:bsmith) from comment #2)
> Did you add a (permanent) certificate error override in order to get the
> site to work initially? If so, then the way our certificate overrides work
> will bypass the OCSP requirement. Basically, certificate error overrides do
> not work with the "require OCSP" setting.

How do I check for certificate-overrides in Fennec?
I am getting the Untrusted certificate page every time I try on both Nightly Native and XUL 2012-04-03. Seeing as there is no restriction for me to access this I can't test any further. Can you try a clear profile on the latest Beta and check if you get the certificate error? I tested on Motorola Droid 2 ( Android 2.3) and Motorola Droid Pro ( Android 2.3)
Closing all opened bug in a graveyard component
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX