how can I permanently disable OCSP checking?
I use StartSSL to generate free certificates for my personal sites. Occasionally Firefox has a heart attack because it can't verify a signature or whatever. I really, really, really don't care, and I would like to disable all OCSP checking in my browser. I've tried toggling the option under Options->Advanced->Certificates for "Query OCSP responder servers to confirm the current validity of certificates", but that doesn't seem to make any difference. I know that my certificate is valid, as it was working just fine for the past week and is valid until 2019. It also works in every other browser on my computer, just not FF. How can I just completely stop OCSP from doing any checks, since that option doesn't fix the problem? Is there something in about:config I can toggle or set?
For search engine purposes, since I couldn't find an answer to this exact question using these search terms:
OCSP response has an invalid signature. Error code: SEC_ERROR_OCSP_BAD_SIGNATURE
Chosen solution
I have not seen the "SEC_ERROR_OCSP_BAD_SIGNATURE" code before. Perhaps your web server is configured to use "OCSP stapling" and is sending an incorrect or out-of-date OCSP response along with the certificate? You can use the following diagnostic page for public sites to see whether stapling is enabled:
https://www.ssllabs.com/ssltest/index.html
You could try disabling stapling support to see whether that changes anything:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste ocsp and pause while the list is filtered
(3) Double-click the security.ssl.enable_ocsp_stapling preference to switch the value from true to false
Does that make any difference?
All Replies (5)
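The error in the question means the client could not validate the signature on the OCSP response it received (stapled or fetched), not that the certificate itself is bad. The script below is an added example, not code from the thread or from Mozilla: it builds a throwaway CA and leaf certificate with openssl, produces one OCSP response signed by the CA and one signed by an unrelated "rogue" key, and checks each the way a browser would. Every name, path, serial and date in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread): reproduce "OCSP response has an
# invalid signature" offline. A throwaway CA issues a leaf certificate; one
# OCSP response is signed by that CA (acceptable) and another by an unrelated
# key (rejected). All names, serials and dates are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

build_demo_pki() {
    # Throwaway issuing CA and a leaf certificate with serial 0x1000.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo OCSP CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=demo.example" >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key \
        -set_serial 0x1000 -days 30 -out leaf.crt >/dev/null 2>&1
    # A key that is neither the CA nor a responder delegated by the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt \
        -subj "/CN=Rogue Responder" -days 30 >/dev/null 2>&1
    # Minimal CA index so `openssl ocsp` answers "good" for serial 1000.
    # Fields: status, expiry, revocation date, serial, filename, subject.
    printf 'V\t300101000000Z\t\t1000\tunknown\t/CN=demo.example\n' > index.txt
    # The OCSP request a client would send for leaf.crt.
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der \
        >/dev/null 2>&1
}

# make_response SIGNER_CERT SIGNER_KEY OUT: answer req.der with the given key,
# acting as the OCSP responder (what a server would later staple).
make_response() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1" -rkey "$2" \
        -reqin req.der -respout "$3" -noverify >/dev/null 2>&1
}

# verify_response FILE: return 0 if openssl accepts the response signature for
# leaf.crt with the CA as trust anchor, 1 otherwise. This is the check that
# fails when Firefox reports SEC_ERROR_OCSP_BAD_SIGNATURE.
verify_response() {
    out=$(openssl ocsp -respin "$1" -issuer ca.crt -cert leaf.crt \
        -CAfile ca.crt -no_nonce 2>&1 || true)
    case "$out" in
        *"Response verify OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

build_demo_pki
make_response ca.crt ca.key good.der
make_response rogue.crt rogue.key bad.der

for f in good.der bad.der; do
    if verify_response "$f"; then
        echo "$f: signature verifies, client would accept it"
    else
        echo "$f: Response Verify Failure, client would reject it"
    fi
done
```

The same verification can be pointed at a real server: `openssl s_client -connect host:443 -status` prints the stapled response (if any) and whether its signature checks out against the server's chain, which is the quickest way to confirm whether stapling on the server, rather than the certificate, is what Firefox is objecting to.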
jscher2000 said
You could try disabling stapling support to see whether that changes anything:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste ocsp and pause while the list is filtered
(3) Double-click the security.ssl.enable_ocsp_stapling preference to switch the value from true to false
Does that make any difference?
Disabling stapling seemed to do the trick. Thanks!
If it's a public site, you may need to fix the bundle file on the server or change your server configuration to NOT staple the OCSP response. But if you are the only one who uses the sites, I guess that's not necessary.
It's on shared hosting, so I have minimal control over what I can do about disabling stapling on the server side. I don't see the problem happening in IE or Chrome, and Firefox has a dwindling user base anyway, so I am not too concerned about access. I'll see what my hosting provider can do about disabling it, but at least I know of a workaround for FF for now to make it behave like most other browsers.
Thanks again
j3rk said
I don't see the problem happening in IE or Chrome, and Firefox has a dwindling user base anyway, so I am not too concerned about access.
Blocking Firefox users will certainly fulfill that prophecy. ;-)