Closed Bug 794728 Opened 7 years ago Closed 5 years ago

Firefox may sometimes give the wrong error message for some expired certificates

Categories

(Core :: Security: PSM, defect)

x86_64
Windows 7

RESOLVED DUPLICATE of bug 1045739

People

(Reporter: briansmith, Unassigned)

Attachments

(1 file)

See the blog post at http://unmitigatedrisk.com/?p=207.

The author claims that Firefox (sometimes) shows an unhelpful error "The OCSP responder refused this request as unauthorized" because we are doing revocation checking on an expired certificate, and the OCSP responder returns an "unauthorized" response.

However, when I tried it locally, I got an "expired" warning. It is possible that the problem is intermittent and/or that it happens in a non-default configuration.

The author suggests that we should not even attempt to do revocation fetching for an expired certificate.
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #0)
> The author suggests that we should not even attempt to do revocation
> fetching for an expired certificate.

Indeed, it doesn't make sense, in general, to do revocation checking for an expired certificate. insanity::pkix will fix this.
Depends on: mozilla::pkix
I fixed this with mozilla::pkix, and then I re-broke it again in mozilla::pkix. Now it is a dupe of that bug.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1045739
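
The check ordering discussed in this bug, as an added example that is not part of the bug thread and is not mozilla::pkix code: a small model showing how querying the responder before checking the validity period surfaces "unauthorized" instead of "expired". All type and function names, the stub responder, and the sample timestamps are assumptions made for illustration.

```cpp
// Added illustration; every name here is hypothetical, not mozilla::pkix API.
#include <cstdint>
#include <cstdio>
enum class Result { Success, NotYetValid, Expired, OcspUnauthorized, Revoked };

struct Cert {
  int64_t notBefore;  // validity start, seconds since epoch
  int64_t notAfter;   // validity end
  bool revoked;       // constructed CA-side status
};

// Constructed stand-in for a responder that answers "unauthorized" for
// certificates past their notAfter, the behaviour described in comment #0.
struct StubResponder {
  int64_t now;
  int queries;
  explicit StubResponder(int64_t n) : now(n), queries(0) {}
  Result Check(const Cert& c) {
    ++queries;
    if (now > c.notAfter) return Result::OcspUnauthorized;
    return c.revoked ? Result::Revoked : Result::Success;
  }
};

Result CheckValidity(const Cert& c, int64_t now) {
  if (now < c.notBefore) return Result::NotYetValid;
  if (now > c.notAfter) return Result::Expired;
  return Result::Success;
}

// Revocation first: the responder's answer masks the real problem.
Result ValidateRevocationFirst(const Cert& c, int64_t now, StubResponder& r) {
  Result rv = r.Check(c);
  return rv != Result::Success ? rv : CheckValidity(c, now);
}

// Validity first: an expired certificate never triggers a fetch.
Result ValidateValidityFirst(const Cert& c, int64_t now, StubResponder& r) {
  Result rv = CheckValidity(c, now);
  return rv != Result::Success ? rv : r.Check(c);
}

int main() {
  Cert expired = {0, 1000, false};  // constructed sample, expired at t=1000
  StubResponder a(2000), b(2000);
  std::printf("revocation first: %d\n", (int)ValidateRevocationFirst(expired, 2000, a));
  std::printf("validity first:   %d (queries=%d)\n",
              (int)ValidateValidityFirst(expired, 2000, b), b.queries);
}
```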