Closed
Bug 972304
Opened 10 years ago
Closed 10 years ago
sec_error_ocsp_invalid_signing_cert prevents user from adding certificate exception when OCSP stapling is enabled
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
FIXED
mozilla31
People
(Reporter: hanno, Unassigned, NeedInfo)
References
()
Details
I have the problem here that users of my webserver can't access https pages any more with an invalid cert. I.e. they can't add an exception. This only happens in firefox 27 and not in firefox 26. The error they get is: Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert) The server has a default wildcard certificate from cacert.org. So users surfing with default firefox should usually get a "Untrusted Connection"-warning and the option to add an exception. However, that doesn't happen. I don't know if I understand everything that happens here correct, but to me it seems Firefox is trying to ocsp-verify the cert before it gives the user the opportunity to add an exception. Obviously, the ocsp response is not accepted, as the root cert is not in firefox. So this means if a cert has an ocsp responder, the possibility to add an exception for an untrusted certificate is no longer usable. Test: Go with plain firefox 27 to https://www.schokoeks.org/ - will show sec_error_ocsp_invalid_signing_cert error. What should happen: Go with plain firefox 26 to https://www.schokoeks.org/ - warning about untrusted connection and exception can be added.
Comment 1•10 years ago
|
||
The URL was misspelled. It is https://www.schokokeks.org/ (note the missing "k").
Reporter | ||
Comment 2•10 years ago
|
||
Thanks freddyb, sorry for the misspelling. Okay, I found out one more thing: Our server has OCSP stapling enabled. If I disable that then the error doesn't occur.
Reporter | ||
Updated•10 years ago
|
Summary: sec_error_ocsp_invalid_signing_cert prevents user from adding certificate exception → sec_error_ocsp_invalid_signing_cert prevents user from adding certificate exception when OCSP stapling is enabled
Reporter | ||
Comment 3•10 years ago
|
||
One more thing: As this is a severe problem for some of our customers, as a workaround I have disabled OCSP stapling, so the above testcase doesn't work any more. You can still test the behaviour with this URL: https://backup1.schokokeks.org/
Reporter | ||
Updated•10 years ago
|
Comment 4•10 years ago
|
||
Seems to be the same as mine : 971750 Duplicate ?
Updated•10 years ago
|
Component: Security: UI → Security: PSM
Comment 5•10 years ago
|
||
I have the same symptom (sec_error_ocsp_invalid_signing_cert) in Fx28 on our internal network - despite OCSP validation being deactivated. However, I cannot reproduce the problem reported here on https://backup1.schokokeks.org/ - neither with OCSP validation enabled nor disabled. Is there anything I could do to diagnose what's going on here? Apologies if I'm actually reporting a different issue.
(In reply to Stefan Moebius from comment #5) > I have the same symptom (sec_error_ocsp_invalid_signing_cert) in Fx28 on our > internal network - despite OCSP validation being deactivated. However, I > cannot reproduce the problem reported here on > https://backup1.schokokeks.org/ - neither with OCSP validation enabled nor > disabled. > > Is there anything I could do to diagnose what's going on here? > > Apologies if I'm actually reporting a different issue. As I understand it, the pref "security.OCSP.enabled" controls OCSP fetching. The pref "security.ssl.enable_ocsp_stapling" acts independently of that setting. So, if you want to disable all OCSP checking, you'll have to also set "security.ssl.enable_ocsp_stapling" to false.
Comment 7•10 years ago
|
||
Thanks David, that solved my issue. Given that apparently our company intranet allows to reproduce various OCSP issues, let me know if I can help in any way. Building and running software is possible, development is not (for time restrictions).
Comment 8•10 years ago
|
||
Will be fixed when we enable mozilla::pkix by default, because mozilla::pkix processes stapled OCSP responses only after building a valid cert chain. If no valid cert chain can be built, then mozilla::pkix won't process the stapled OCSP response.
Depends on: mozilla::pkix-beta
Target Milestone: --- → mozilla31
Updated•10 years ago
|
Comment 9•10 years ago
|
||
Is this working the way you expect, with OCSP stapling enabled?
Flags: needinfo?(hanno)
Reporter | ||
Comment 10•10 years ago
|
||
I think this is fixed with the new PKIX code. Can't reproduce it any more with current firefox.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(hanno)
Resolution: --- → FIXED
Comment 11•10 years ago
|
||
Thanks!
Comment 12•10 years ago
|
||
Hanno, may I ask you to please test your setup with Firefox 31, which is an enterprise support branch? We'd like to avoid regressions on that branch, so it would be interesting to know if adding an exception in your scenario works or not. I'd be interested in test results, for both PKIX and non-PKIX code path, which can be switched using this preference: security.use_mozillapkix_verification (about:config) The most recent Firefox 31 ESR release can be found here: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/31.1.1esr/ Thanks in advance!
Updated•7 years ago
|
Flags: needinfo?(tekalittlemom)
You need to log in
before you can comment on or make changes to this bug.
Description
•