Closed Bug 881901 Opened 11 years ago Closed 11 years ago

stopwatching.us OCSP failures

Categories

(Websites :: Other, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: keeler, Assigned: btrzupek)

Details

Attachments

(1 file)

With security.OCSP.require set to true, visiting https://optin.stopwatching.us/ gives a revoked certificate error (even though it looks like the responder is giving out a "good" status).
The error I see is:
Invalid OCSP signing certificate in OCSP response.
(Error code: sec_error_ocsp_invalid_signing_cert)

https://wiki.mozilla.org/CA:Recommended_Practices#OCSP
"Error code: sec_error_ocsp_invalid_signing_cert
- OCSP response signer's certificate was issued by the CA that issued the certificate whose status is being checked, but the response signer's certificate does not bear an ExtendedKeyUsage extension with the OCSP Responder OID, or
- OCSP response signer's certificate chain does not validate (e.g. expired, or bad signature, etc.)
- Trusted OCSP Responder Signing cert has not been imported. Mozilla users should not have to find and install the OCSP responder's certificate. See Potentially Problematic Practices."
The actual error is bad signature.
OCSP responder cert is expired. (note the trace, invalid since June 1, 2013).
(In reply to Camilo Viecco (:cviecco) from comment #3)
> OCSP responder cert is expired. (note the trace, invalid since June 1, 2013).

Brian, looks like a Trustwave customer.
Assignee: nobody → btrzupek
This seems to be resolved now, right?
Correct, the OCSP Responder cert was fixed. I have also been following up with Brian (btrzupek@trustwave.com) in email regarding their monitoring of their OCSP service. But that doesn't require a Bugzilla bug, so I'll close this bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
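
The conditions quoted from the Mozilla wiki earlier in this bug (responder certificate signed by the issuing CA, inside its validity window, carrying the OCSP Signing EKU) can be checked ahead of time by whoever monitors a responder. The following is an added example, not code from this bug, Firefox or NSS; it covers only a CA-delegated responder certificate, and `CheckResponder`, `NewCert` and the certificates it builds are hypothetical, constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const OCSPSigning = x509.ExtKeyUsageOCSPSigning // id-kp-OCSPSigning
var ErrSigner, ErrExpired, ErrNoEKU = fmt.Errorf("not signed by the issuing CA"), fmt.Errorf("outside validity window"), fmt.Errorf("no OCSP Signing EKU")
// CheckResponder tests a CA-delegated responder cert against the quoted conditions at time now.
func CheckResponder(responder, ca *x509.Certificate, now time.Time) error {
	if responder.CheckSignatureFrom(ca) != nil { // bad signature or a different issuer
		return ErrSigner
	}
	if now.Before(responder.NotBefore) || now.After(responder.NotAfter) {
		return ErrExpired
	}
	for _, eku := range responder.ExtKeyUsage {
		if eku == OCSPSigning {
			return nil
		}
	}
	return ErrNoEKU // a delegated responder must bear the EKU explicitly
}

// NewCert builds a constructed sample cert valid for the 10 years before notAfter; nil parent = self-signed CA.
func NewCert(cn string, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey, ekus ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: ekus,
		NotBefore: notAfter.AddDate(-10, 0, 0), NotAfter: notAfter, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func main() { // constructed scenario: responder cert expired 2013-06-01, checked on 2013-06-10
	ca, caKey := NewCert("Constructed CA", time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), nil, nil)
	r, _ := NewCert("Constructed responder", time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC), ca, caKey, OCSPSigning)
	fmt.Println(CheckResponder(r, ca, time.Date(2013, 6, 10, 0, 0, 0, 0, time.UTC)))
}
```

Passing a future time as `now` turns the same function into an early warning for a responder certificate that is about to expire.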