Bug 971750 - OCSP signature certificate invalid in OCSP response
Status: Closed, RESOLVED INCOMPLETE
Opened 10 years ago, closed 8 years ago
Categories: Core :: Security: PSM, defect
People: Reporter stephane.magne, Unassigned, NeedInfo
Attachments: 4 files
Description (Reporter)

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Steps to reproduce:

Just going to one of our https internal sites (but not some others), even though it is signed by the same PKI, with the same OCSP server (EJBCA). The bug was not present in v26 but is still here in v28.

Actual results:

sec_error_ocsp_invalid_signing_cert. So the site cannot be reached.

Expected results:

Via OpenSSL the OCSP validation is correct. My PKI CA: CA INTERNE -> CA INTERNE SERVEURS -> Certificate.

dsiappli37:~# openssl ocsp -issuer level1.crt -nonce -CAfile level1.crt -url http://ocsp.mairie.fr -serial "0x${l0serial}" -VAfile level1.crt
Response verify OK
0x674FA1E7720F1A5B: good
	This Update: Feb 12 15:44:22 2014 GMT

l0 = server certificate
l1 = CA INTERNE SERVEURS

The problem can be avoided by adding CA INTERNE to the trusted CAs. At the same time, other certificates using the same OCSP/PKI only get the "self-signed warning" as usual.

What is the policy about OCSP when reaching a newly found CA with its OCSP server? If the OCSP signer response certificate's CA is the server certificate's CA, it must ask if we accept the CA, delaying the result of the OCSP test to that time, no?
Reporter | Comment 1•10 years ago

Attachment: openssl OCSP with a site whose OCSP is working with Firefox
Reporter | Comment 2•10 years ago

As you can see, the main difference between the two sites is that one of them is an Apache and is giving the full certificate chain (l0 server certificate, l1 CA interne, l2 CA interne server) and the other one is the IIS embedded in Exchange, which seems to only give the CA interne server as l1. So we do not have a self-signed certificate in the chain of the "not working" case.
Reporter | Comment 3•10 years ago

Attachment: the public key of the non-working server
Reporter | Comment 4•10 years ago

Attachment: a working certificate.
Comment 5•10 years ago

(In reply to stephane.magne from comment #0)
> The problem can be avoided by adding CA INTERNE to the trusted CAs. At the
> same time, other certificates using the same OCSP/PKI only get the
> "self-signed warning" as usual.

Is the site doing OCSP stapling? Please go to about:config and temporarily change the value of security.ssl.enable_ocsp_stapling to false, clear your browser cache, and restart the browser. If this resolves the issue, then the problem is a known issue with our OCSP stapling implementation and it will be fixed in Firefox 31.

> What is the policy about OCSP when reaching
> a newly found CA with its OCSP server? If the OCSP signer response
> certificate's CA is the server certificate's CA, it must ask if we accept
> the CA, delaying the result of the OCSP test to that time, no?

Normally we do not do OCSP checks when the user adds a cert error override. However, when the site uses OCSP stapling, we do process the stapled OCSP response.
Updated•10 years ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
Comment 6

It seems this bug still isn't resolved in Firefox 31.0. OS: Windows Vista - Home Basic Edition (x86). For information purposes: I've been trying to reach the website "https://www.fanfiction.net/" and I end up getting the error message [it used to work on the previous version]. If I go to the about:config page and set the parameter "security.ssl.enable_ocsp_stapling" to false, the website starts working again, but I'd rather not take such drastic measures. What can I do to solve things?
Comment 7

Hi Gabriel, see bug 1046223.
Comment 8

Thanks for the answer, Mr. David. That's what I feared. Earlier I had encountered the same error on the Italian Google domain (https://www.google.it), but now I reached it successfully. Glad to know the issue is on fanfiction.net's end. Sorry to have bothered you; the error message suggested reporting the issue.
Comment 9•10 years ago
Is this still happening for you on the current version of Firefox, Firefox 33?
Flags: needinfo?(stephane.magne)
Comment 10•9 years ago

I am quite new with Mozilla. I have just used Gmail since last year, I believe. I see several comments about my problem and yet no fix, and it seems this problem is back in the 31... edition, and since I have, according to the help link at the top of this page, it says I have 36.0.1 and mine is UP TO DATE. I have had an account with MetroDate for the last 5 or so years using Internet Explorer without any problem, and yet when I use Mozilla I get the following popup...

Secure Connection Failed
An error occurred during a connection to www.metrodate.com. Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

I went to 6 or more different links and yet nothing has helped, so if you would pass this on to those who can give me a line by line to correct this problem; if not I guess I will only use Gmail and forget this as a web site to surf the net. Sorry, but when I have trouble using something and can't fix it in one or two tries I uninstall and delete it. Oh, by the way, I got my first "computer" back in 84 when there were just 8088s etc. and Commodores and TIs and others, before I got my first Pentium 90 with 500 meg RAM and a 500 meg hard drive. A reply to my Gmail at this time would be nice: thetruesoutherngentleman@gmail.com
Comment 11

It appears that www.metrodate.com is misconfigured. I filed bug 1145719 and cc'd you on it. In the meantime, you can disable OCSP stapling by changing the pref "security.ssl.enable_ocsp_stapling" to false in about:config (although I wouldn't recommend keeping it that way - OCSP stapling is a useful security feature and will make your browsing experience faster in some cases).
Comment 12•9 years ago

Hmmm, I find it interesting that Mozilla has a problem with MetroDate but Windows Internet Explorer doesn't have what you say is wrong with their browser. I think your browser is just a bit too high tech, I guess, or too well protected of itself.... So where is this place you refer to that I can change to false so I can use Mozilla to look at MetroDate?? OK great, so where is stapling located at? I looked in
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE