stopwatching.us OCSP failures

RESOLVED FIXED


People

(Reporter: keeler, Assigned: btrzupek)


With security.OCSP.require set to true, visiting https://optin.stopwatching.us/ gives a revoked certificate error (even though it looks like the responder is giving out a "good" status).

Comment 1

5 years ago
The error I see is:
Invalid OCSP signing certificate in OCSP response.
(Error code: sec_error_ocsp_invalid_signing_cert)

https://wiki.mozilla.org/CA:Recommended_Practices#OCSP
"Error code: sec_error_ocsp_invalid_signing_cert
- OCSP response signer's certificate was issued by the CA that issued the certificate whose status is being checked, but the response signer's certificate does not bear an ExtendedKeyUsage extension with the OCSP Responder OID, or
- OCSP response signer's certificate chain does not validate (e.g. expired, or bad signature, etc.)
- Trusted OCSP Responder Signing cert has not been imported. Mozilla users should not have to find and install the OCSP responder's certificate. See Potentially Problematic Practices."
Created attachment 761168 [details]
network trace of ocsp_response

The actual error is bad signature.
OCSP responder cert is expired. (Note the trace, invalid since June 1, 2013.)

Comment 4

5 years ago
(In reply to Camilo Viecco (:cviecco) from comment #3)
> OCSP responder cert is expired. (Note the trace, invalid since June 1, 2013.)

Brian, looks like a Trustwave customer.

Updated

5 years ago
Assignee: nobody → btrzupek
This seems to be resolved now, right?

Comment 6

5 years ago
Correct, the OCSP Responder cert was fixed. I have also been following up with Brian (btrzupek@trustwave.com) in email regarding their monitoring of their OCSP service. But that doesn't require a Bugzilla bug, so I'll close this bug.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
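
The rejection causes quoted in comment 1, written as a check that responder monitoring could run against a delegated OCSP signing certificate. This is an added example, not part of the bug thread and not Mozilla or NSS code; `checkResponder`, `mkCert`, the check time and the sample certificates are constructed for illustration, and it assumes the response is signed by a delegated certificate rather than by the CA itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkResponder reports why a delegated OCSP signing certificate would be rejected at time now, or "ok".
func checkResponder(issuer, signer *x509.Certificate, now time.Time) string {
	if err := signer.CheckSignatureFrom(issuer); err != nil {
		return "not signed by the issuing CA"
	}
	if now.Before(signer.NotBefore) || now.After(signer.NotAfter) {
		return "outside validity period"
	}
	for _, u := range signer.ExtKeyUsage {
		if u == x509.ExtKeyUsageOCSPSigning {
			return "ok"
		}
	}
	return "no OCSP Signing EKU"
}
// mkCert builds a constructed sample certificate; a nil parent yields a self-signed CA.
func mkCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey, notAfter time.Time, eku ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: notAfter.AddDate(-10, 0, 0), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // self-signed CA: allow it to sign other certificates
		tpl.IsCA, tpl.KeyUsage, parent, pkey = true, tpl.KeyUsage|x509.KeyUsageCertSign, tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pkey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("sample certificate construction failed")
	}
	return cert, key
}
func main() {
	now := time.Date(2013, 6, 15, 0, 0, 0, 0, time.UTC) // constructed check time
	ca, caKey := mkCert("Sample CA", nil, nil, now.AddDate(5, 0, 0))
	expired, _ := mkCert("Sample OCSP signer", ca, caKey, time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC), x509.ExtKeyUsageOCSPSigning)
	fmt.Println(checkResponder(ca, expired, now)) // signer expired two weeks before the check
}
```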