Open Bug 998259 Opened 11 years ago Updated 3 years ago

Fatal OCSP error if certificate is not trusted, even when the options say otherwise

Categories

(Firefox :: Security, defect)

28 Branch
x86
Linux
defect

UNCONFIRMED

People

(Reporter: mathias.tausig, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 2014031500

Steps to reproduce:

Access an https website which uses an SSL certificate which is not trusted by Mozilla (and as a consequence, the OCSP responder certificate is untrusted as well).
I use the standard settings for OCSP Validation ("Use OCSP validation" checked, "When a OCSP connection fails treat the certificate as invalid" unchecked).

Actual results:

I get an OCSP Error (The OCSP server experienced an internal error. Error code: sec_error_ocsp_server_error) which is fatal and cannot be skipped.

Expected results:

In previous versions of Firefox (I tried the ESR version 24.4), this behaviour occurred only if I manually edited the OCSP validation settings and checked both options. In the default settings, I got the usual certificate error dialog, which the user could choose to ignore.

Since a certificate trust error during OCSP validation is no different from one during the SSL certificate validation, I can see no reason for this changed behaviour.

This bug might be related to #988491
Component: Untriaged → Security
Severity: normal → S3