Closed Bug 971750 Opened 10 years ago Closed 8 years ago

OCSP signature certificate invalid in OCSP response

Product/Component: Core :: Security: PSM (defect)
Version: 27 Branch
Hardware: x86, Windows 7
Priority: Not set
Severity: normal

Status: RESOLVED INCOMPLETE

Reporter: stephane.magne (Unassigned, NeedInfo)

Attachments: 4 files

Attached file error_ocsp.txt
User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Steps to reproduce:

Just going to one of our HTTPS internal sites (but not some others), even though signed by the same PKI, with the same OCSP server (EJBCA). The bug was not present on v26 but is still here on v28.


Actual results:

sec_error_ocsp_invalid_signing_cert. So the site cannot be reached.


Expected results:

Via OpenSSL the OCSP validation is correct.

My pki CA : CA INTERNE -> CA INTERNE SERVEURS -> Certificate.

dsiappli37:~# openssl ocsp -issuer level1.crt -nonce -CAfile level1.crt -url http://ocsp.mairie.fr -serial "0x${l0serial}" -VAfile level1.crt
Response verify OK
0x674FA1E7720F1A5B: good
        This Update: Feb 12 15:44:22 2014 GMT

l0 = server certificate
l1 = CA INTERNE SERVEURS

The problem can be avoided by adding CA INTERNE to the trusted CAs. At the same time, other certificates using the same OCSP/PKI only get the "self-signed warning" as usual. What is the policy about OCSP when reaching a newly found CA with its OCSP server? If the OCSP signer response certificate CA is the server certificate's CA, it must ask if we accept the CA, delaying the result of the OCSP test until that time, no?
Attached file ocsp_ok.txt
openssl OCSP with a site whose OCSP is working with Firefox
As you can see, the main difference between the two sites is that one of them is an Apache and is giving the full certificate chain (l0 server certificate, l1 CA interne, l2 CA interne server) and the other one is the IIS embedded in Exchange, which seems to only give the CA interne server as l1. So we do not have a self-signed certificate in the chain of the "not working" case.
Attached file ocsp_will_fail.cer
the public key of the non-working server
Attached file ocsp_will_work.cer
a working certificate.
(In reply to stephane.magne from comment #0)
> The problem can be avoided by adding CA INTERNE to the trusted CAs. At the
> same time, other certificates using the same OCSP/PKI only get the
> "self-signed warning" as usual.

Is the site doing OCSP stapling? Please go to about:config and temporarily change the value of security.ssl.enable_ocsp_stapling to false, clear your browser cache, and restart the browser. If this resolves the issue, then the problem is a known issue with our OCSP stapling implementation and it will be fixed in Firefox 31.

> What is the policy about OCSP when reaching
> a newly found CA with its OCSP server? If the OCSP signer response
> certificate CA is the server certificate's CA, it must ask if we accept
> the CA, delaying the result of the OCSP test until that time, no?

Normally we do not do OCSP checks when the user adds a cert error override. However, when the site uses OCSP stapling, we do process the stapled OCSP response.
Component: Untriaged → Security: PSM
Product: Firefox → Core
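The two facts this thread turns on, whether the server staples an OCSP response and whether the chain it sends reaches a self-signed root (the Apache vs. IIS difference in comment 1), can be read off a saved `openssl s_client -connect host:443 -status -showcerts` transcript. The checker below is an added example, not code from this bug or from Mozilla; it runs on constructed sample transcripts embedded inline, and the hostnames and responder names in them are made up.

```python
import re

# Constructed sample of `openssl s_client -connect host:443 -status -showcerts`
# output, cut down to the lines this checker reads (not a capture from the bug):
# leaf + intermediate sent, no self-signed root, response signed by leaf issuer.
SAMPLE_STAPLED = """\
OCSP response:
OCSP Response Data:
    Responder Id: CN = CA INTERNE SERVEURS
    Cert Status: good
---
Certificate chain
 0 s:CN = mail.example.invalid
   i:CN = CA INTERNE SERVEURS
 1 s:CN = CA INTERNE SERVEURS
   i:CN = CA INTERNE
---
"""
# Constructed: the same PKI, but no stapling and only the leaf certificate sent.
SAMPLE_NO_STAPLE = ("OCSP response: no response sent\n---\nCertificate chain\n"
                    " 0 s:CN = www.example.invalid\n   i:CN = CA INTERNE SERVEURS\n---\n")

def parse_chain(output):
    """(subject, issuer) pairs from the 'Certificate chain' block, leaf first."""
    pairs = re.findall(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", output, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]

def parse_stapled(output):
    """Responder id and cert status of the stapled response, or None."""
    if "OCSP response: no response sent" in output:
        return None
    rid = re.search(r"Responder Id: (.+)", output)
    status = re.search(r"Cert Status: (\w+)", output)
    return {"responder": rid.group(1).strip() if rid else None,
            "status": status.group(1) if status else None}

def diagnose(output):
    """Summarise what the client must validate for this handshake."""
    chain, stapled = parse_chain(output), parse_stapled(output)
    f = {"chain_depth": len(chain), "stapled": stapled is not None,
         # a self-signed last element means the server sent its root too
         "chain_ends_at_root": bool(chain) and chain[-1][0] == chain[-1][1]}
    if stapled:
        # RFC 6960: a response signed by the leaf's issuer needs no extra trust;
        # any other signer must be a trusted responder or a delegated
        # OCSP-signing cert that the client can chain to a trust anchor.
        f["signed_by_leaf_issuer"] = bool(chain) and stapled["responder"] == chain[0][1]
        f["status"] = stapled["status"]
    return f
```

Feed `diagnose()` the saved output of `openssl s_client -connect host:443 -status -showcerts < /dev/null`; a stapled response whose signer is not the leaf's issuer, combined with a chain that stops at an intermediate the client does not already trust, is the combination this bug describes.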
It seems this bug still isn't resolved in Firefox 31.0. OS: Windows Vista Home Basic Edition (x86). For information purposes: I've been trying to reach the website "https://www.fanfiction.net/" and I end up getting the error message [it used to work on the previous version]. If I go to the about:config page and set the parameter "security.ssl.enable_ocsp_stapling" to false, the website starts working again, but I'd rather not take such drastic measures. What can I do to solve things?
Thanks for the answer, Mr. David. That's what I feared. Earlier I encountered the same error on the Italian Google domain (https://www.google.it), but now I reached it successfully. Glad to know the issue is on fanfiction.net's end. Sorry to have bothered you; the error message suggested reporting the issue.
Is this still happening for you on the current version of Firefox, Firefox 33?
Flags: needinfo?(stephane.magne)
I am quite new with Mozilla. I have just used Gmail since last year, I believe.
I see several comments about my problem and yet no fix, and it seems this problem is back in the 31... edition, and according to the help link at the top of this page it says I have 36.0.1 and mine is UP TO DATE.

I have an account with MetroDate for the last 5 or so years using Internet Explorer without any problem, and yet when I use Mozilla I get the following popup...

Secure Connection Failed

An error occurred during a connection to www.metrodate.com. Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

I went to 6 or more different links and yet nothing has helped, so if you would pass this on to those who can give me a line-by-line to correct this problem; if not, I guess I will only use Gmail and forget this as a web site to surf the net. Sorry, but when I have trouble using something and can't fix it in one or two tries, I uninstall and delete it.
Oh, by the way, I got my first "computer" back in '84 when there were just 8088s etc. and Commodores and TIs and others, before I got my first Pentium 90 with 500 meg RAM and a 500 meg hard drive.

A reply to my gmail at this time would be nice
thetruesoutherngentleman@gmail.com
It appears that www.metrodate.com is misconfigured. I filed bug 1145719 and cc'd you on it. In the meantime, you can disable OCSP stapling by changing the pref "security.ssl.enable_ocsp_stapling" to false in about:config (although I wouldn't recommend keeping it that way - OCSP stapling is a useful security feature and will make your browsing experience faster in some cases).
Hmmm, I find it interesting that Mozilla has a problem with Metro Date but Windows Internet Explorer doesn't have what you say is wrong with their browser. I think your browser is just a bit too high tech, I guess, or too well protected of itself....
So where is this place you refer to that I can change to false so I can use Mozilla to look at MetroDate??

OK great so where is stapling located at I looked in
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE