Bug 945961 (Closed)
Behavior during an OCSP failure does not match the preference description to treat the cert as invalid
Opened 11 years ago; closed 9 years ago
Categories: Core :: Security: PSM, defect
Status: RESOLVED WONTFIX
Reporter: kathleen.a.wilson (Unassigned)
Attachments: 3 files
In my Firefox preferences I have checked both of the Validation boxes:
- "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates."
- "When an OCSP server connection fails, treat the certificate as invalid."
According to the text for the second box, when OCSP fails I expect to get the regular "Untrusted Connection" error that I get when a certificate in the chain is invalid (see attachment). The Untrusted Connection error allows the user to see some technical details and add an exception.
However, when I do run into an OCSP failure with the above preferences set, I get a separate "Secure Connection Failed" error that doesn't allow me to add an exception. This is not consistent with the wording in the preference.
The only work-around is to go back to the preferences and uncheck the box, then browse to the page, then go back to the preferences to re-check the box.
I want OCSP checking to be performed in most cases, and to get an error when it fails, but I know that some sites I want to browse to don't have OCSP correctly configured.
Reporter | Comment 1 • 11 years ago
Reporter | Comment 2 • 11 years ago
Reporter | Comment 3 • 11 years ago
Note that since there isn't a way to bypass the OCSP failure when OCSP hard-fail is turned on, regular users are turning off OCSP hard-fail (i.e. opting for the less-secure option in order to browse to the sites they want, because there is no other way for them to do so).
Here's an example (Facebook):
http://www.jeriffcheng.com/firefox-sec-error-ocsp-server-error.html
Reporter | Comment 4 • 11 years ago
Attaching another example.
Reporter | Comment 5 • 11 years ago
I've been receiving more emails from people running into this, and have been running into it more frequently myself. So I think that as we are tightening up OCSP (things like reducing the time allowed), we are seeing more OCSP failures, and those of us who want OCSP to be checked don't have a reasonable way to do that and still be able to override the error when we are confident it's OK to do so.
David Keeler [:keeler] | Comment 6 • 9 years ago
Kathleen, turning on OCSP hard-fail isn't really a supported configuration any longer (we removed the option from preferences - it's only modifiable via about:config). Is this still a concern?
Flags: needinfo?(kwilson)
Reporter | Comment 7 • 9 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> Kathleen, turning on OCSP hard-fail isn't really a supported configuration
> any longer (we removed the option from preferences - it's only modifiable
> via about:config). Is this still a concern?
This is no longer a concern for me, so I will close this bug.
I don't test by using OCSP hard-fail anymore. Now I use http://cert-checker.allizom.org/ and https://certificate.revocationcheck.com/ to test.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(kwilson)
Resolution: --- → WONTFIX