SSL revocation
Hi,
We have revoked an SSL certificate and checked all the Firefox options required to make it check the OCSP server for updates. The test has been done on IE 11 and it worked; however, it failed on FF 55.0.3 (32-bit).
Is it something that we missed or is it a bug?
Thank you.
The same test was successful on Chrome.
Do you mean that Firefox is accepting a certificate that is revoked?
Can you post a link to a publicly accessible page (i.e. no authentication or signing on required)?
What do you see in the Certificate Manager?
You can open the Certificate Manager and go to the Servers tab. The Servers tab has an "Add Exception" to open the "Add Security Exception" window. You can type/paste the domain in the location field and click "Get Certificate" to retrieve the certificate and click the "View" button to inspect the version.
That's right, we have revoked the certificate; actually IE and Chrome display an error message, but not FF.
I have tried to modify the options using about:config, however no changes occurred.
What would be the problem, as in theory FF should check the OCSP server in order to validate the certificate?
What if you check here: https://www.ssllabs.com/ssltest/
I do think that Firefox has a preference for OCSP stapling. If the server is sending a stapled OCSP response, Firefox might not separately check with the issuer. Could that be the problem?
Basically, we are the issuer of the certificate. When we revoke it, as the CA authority, all the browsers acknowledge it except Firefox.
The following options are on:
security.ssl.enable_ocsp_must_staple;true
security.ssl.enable_ocsp_stapling;true
Also, for the other ones:
security.OCSP.enabled;0
security.OCSP.GET.enabled;false
I have also tried to set them to 1 or 2 and true...
The OCSP checking option is checked as well, so basically all the conditions are fulfilled.
The result is that FF is acting as if no revocation had been done, so it looks like no OCSP checking has been done.
Thanks.
Chosen Solution
The source file indicates:
The possible values for "security.OCSP.enabled" are:
0: fetching is disabled
1: fetch for all certificates
2: fetch only for EV certificates
It usually is safest to right-click > Reset if you want to test the default behavior. You might also consider:
New Profile Test
This takes about 3 minutes, plus the time to test the site.
Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.
Click the Create a New Profile button, then click Next. Assign a name like Sept2017, ignore the option to relocate the profile folder, and click the Finish button.
After creating the profile, scroll down to it and click the Set as default profile button below that profile, then scroll back up and click the Restart normally button. (There are some other buttons, but I think those are still "under construction" so please ignore them.)
Firefox should exit and then start up using the new profile, which will just look brand new.
Does OCSP checking work any better in the new profile?
When you are done with the experiment, open the about:profiles page again, click the Set as default profile button for your normal profile, then click the Restart normally button to get back to it.
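The thread turns on whether Firefox ever obtained an OCSP response for the revoked certificate (the source comment quoted above says that security.OCSP.enabled set to 0 disables fetching, and a stapled response would be used instead of a fetch). The following script is an added example, not from this thread or from Mozilla, and shows what that check consists of end to end, offline, using only the openssl command-line tool. A throwaway CA (the names "Demo OCSP CA" and "example.test", the serial 0x1001 and the revocation date are constructed for the demo) issues a leaf certificate, answers an OCSP request for it from its own index file, first while the certificate is valid and then after it is marked revoked, and the client side verifies the response signature against the CA and reports the status, which is the same decision a browser makes on a fetched or stapled response.

```shell
#!/bin/sh
# Offline OCSP round trip with the openssl CLI (added example, not from the
# thread). All names here (Demo OCSP CA, example.test, serial 0x1001, the
# revocation date) are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway CA and one leaf certificate it has signed.
setup_pki() (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout ca.key -out ca.crt -subj "/CN=Demo OCSP CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout leaf.key -out leaf.csr -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key \
        -set_serial 0x1001 -days 1 -out leaf.crt 2>/dev/null
)

# Write the one-line CA database that `openssl ocsp -index` reads.
# $1 is V (valid) or R (revoked). Tab-separated fields: status, expiry,
# revocation time[,reason], serial in hex, certificate filename, subject DN.
write_index() {
    case $1 in
        R) rev="240101000000Z,keyCompromise" ;;
        *) rev="" ;;
    esac
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$1" 401231235959Z "$rev" 1001 unknown \
        "/CN=example.test" > "$WORK/index.txt"
}

# Responder side: answer an OCSP request for leaf.crt from index.txt, sign the
# response with the CA key and write it to resp.der. No network involved.
ocsp_respond() (
    cd "$WORK"
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -issuer ca.crt -cert leaf.crt -no_nonce -respout resp.der \
        -CAfile ca.crt >/dev/null 2>&1
)

# Client side (what a browser does with a fetched or stapled response):
# verify that the response signature chains to the CA, then report the
# status the responder asserted for leaf.crt ("good" or "revoked").
ocsp_client_status() (
    cd "$WORK"
    openssl ocsp -respin resp.der -issuer ca.crt -cert leaf.crt \
        -CAfile ca.crt -no_nonce 2>/dev/null | sed -n 's/^leaf\.crt: //p'
)

# Full round trip for one index state; prints "good" or "revoked".
revocation_status() {
    write_index "$1"
    ocsp_respond
    ocsp_client_status
}

setup_pki
echo "before revocation: $(revocation_status V)"
echo "after revocation:  $(revocation_status R)"
```

Run it with sh; it needs only openssl on PATH and writes everything to a temporary directory that is removed on exit. The index line format is the one `openssl ca` maintains for a real CA, so the only thing the revocation step changes is the status field from V to R plus a revocation time and reason, and a client that never fetches or receives the response has no way to see that change.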
Thank you, the problem has been solved, however, some previous versions don't have the about:profiles option.
Is there any other way to do it?
Thanks again!
about:profiles became functional in Firefox 47, so it is available in all currently supported versions of Firefox.
In earlier versions, it was necessary to exit out of Firefox and start up in the Profile Manager dialog. See: Profile Manager - Create, remove or switch Firefox profiles.