Closed Bug 945961 Opened 11 years ago Closed 8 years ago

Behavior during an OCSP failure does not match the preference description to treat the cert as invalid

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: kathleen.a.wilson, Unassigned)

Details

Attachments

(3 files)

Secure-Connection-Failed.png
44.26 KB, image/png
Details
Untrusted-Connection.png
78.36 KB, image/png
Details
OCSP-fail-etherpad.png
37.92 KB, image/png
Details 
In my Firefox preferences I have checked both of the Validation boxes:
- "Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates."
- "When an OCSP server connection fails, treat the certificate as invalid."

According to the text for the second box, when OCSP fails I expect to get the regular "Untrusted Connection" error that I get when a certificate in the chain is invalid. (see attachment) The Untrusted Connection Error allows the user to see some technical details and add an exception.

However, when I do run into an OCSP failure with the above preferences set, I get a separate "Secure Connection Failed" error that doesn't allow me to add an exception. This is not consistent with the wording in the preference.

The only work-around is to go back to the preferences and un-check the box, then browse to the page, then go back to the preferences to re-check the box. 

I want OCSP checking to be performed in most cases, and to get an error when it fails, but I know that some sites I want to browse to don't have OCSP correctly configured.

    
    

    
  


  

    
    

    
  
Note that since there isn't a way to bypass the OCSP failure when OCSP hard-fail is turned on, regular users are turning off OCSP hard-fail (i.e. opting for the less-secure option in order to browse to the sites they want, because there is no other way for them to do so).

Here's an example (facebook)
http://www.jeriffcheng.com/firefox-sec-error-ocsp-server-error.html

    
    

    
  

      
      
      
      

        Attached image
          
        OCSP-fail-etherpad.png
      

    


  
Attaching another example.

    
    

    
  
I've been receiving more emails from people running into this, and have been running into it more frequently myself. So I think that as we are tightening up OCSP (things like reducing the time allowed), we are seeing more OCSP failures, and those of us who want OCSP to be checked don't have a reasonable way to do that and still be able to over-ride the error when we are confident it's OK to do so.

    
    

    
  
Kathleen, turning on OCSP hard-fail isn't really a supported configuration any longer (we removed the option from preferences - it's only modifiable via about:config). Is this still a concern?
Flags: needinfo?(kwilson)

    
    

    
  
(In reply to David Keeler [:keeler] (use needinfo?) from comment #6)
> Kathleen, turning on OCSP hard-fail isn't really a supported configuration
> any longer (we removed the option from preferences - it's only modifiable
> via about:config). Is this still a concern?

This is no longer a concern for me, so I will close this bug.

I don't test by using OCSP hard-fail anymore. Now I use http://cert-checker.allizom.org/ and https://certificate.revocationcheck.com/ to test.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kwilson)
Resolution: --- → WONTFIX

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: