Can't disable OCSP per site
Hi I'm a little at a loss.
The question is rather simple: Is there any way to disable OCSP verification for specific servers (not domains), similar to the way I could add exceptions for expired certs or certs with the wrong CN?
A little more context:
It seems that Firefox is now issuing OCSP requests by default, which is a good thing.
However, I'd like to be able to add exceptions for certain sites (the only suggestion that I found with googling was to disable OCSP requests, which I consider counterproductive and which doesn't seem to be in the spirit of increasing overall security).
Examples: I have one site that I want to access which uses an expired certificate (I know that's not good, but I do trust this site) and for which the CA doesn't keep any record (seems normal to me, as the cert is expired, so there is no more need to revoke it). I personally wouldn't even expect to have to do an OCSP request for expired certs, but I did not read the official specs and might thus be wrong.
There might also be sites that have an OCSP server which is temporarily down. I'd prefer to disable OCSP only for these sites rather than disable it globally.
Is this possible? If not, are there any plans for such features?
Thanks in advance for your replies and suggestions.
All Replies (3)
I don't think that feature exists, but let me ruminate a bit...
Firefox's default behavior, I think for quite a while now, is to check OCSP but only alert if the server says there was a revocation, so a server being down does not invalidate the certificate.
I agree that checking a certificate for which you have created an exception is a bit strange. It's hard to know whether anyone thought about the specific scenario.
I searched for some bugs, and this is by no means an exhaustive list, but there seem to be some longstanding bugs as well as recent discussions about how to handle a response that the certificate is "unknown". You might review these and see whether any is likely to help, or simply file a new bug proposing the behavior you would like to see.
- Bug 518046 – "OCSP server has no status for the certificate" should be override-able
- Bug 745747 – Treat "OCSP status unknown" as "OCSP status revoked" (even in soft failure mode)
- Bug 943815 – Support the "extended revoked" OCSP status for unknown/mis-issued certificates
To avoid spamming lots of developers, which can make them less sympathetic, please be judicious in commenting on existing bugs. See:
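The soft-fail rule described in this reply, the per-site OCSP exception the question asks for, and the override proposed in Bug 518046, put together as a small decision model. This is an added, constructed example, not Firefox or NSS code; the class and flag names, and the reading that an "unknown" answer currently blocks the connection (as the bug title and the original report imply), are assumptions.

```python
"""Decision model for the OCSP behaviour discussed in this thread (constructed
example, not Firefox or NSS code). Encodes the soft-fail rule from the reply,
the per-site exception the question asks for, and the bug 518046 proposal."""
from dataclasses import dataclass
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder has no record for this serial
    UNREACHABLE = "unreachable"  # responder down, timed out, or no AIA URL


@dataclass(frozen=True)
class Policy:
    hard_fail: bool = False                # default in the reply above: soft fail
    unknown_overridable: bool = False      # assumed reading of bug 518046
    per_site_ocsp_exception: bool = False  # feature requested in the question


@dataclass(frozen=True)
class SiteState:
    has_cert_override: bool = False  # user accepted an expired cert / wrong CN
    has_ocsp_override: bool = False  # hypothetical stored OCSP exception


def connection_blocked(status, policy, site):
    """Return (blocked, reason) for one handshake.
    A certificate override (expired cert, wrong CN) does not skip the OCSP
    check; that gap is what the original question runs into."""
    if policy.per_site_ocsp_exception and site.has_ocsp_override:
        return False, "per-site OCSP exception"
    if status is OcspStatus.GOOD:
        return False, "responder reports good"
    if status is OcspStatus.REVOKED:
        return True, "responder reports revoked"
    if status is OcspStatus.UNKNOWN:
        if policy.unknown_overridable and site.has_ocsp_override:
            return False, "unknown status overridden (bug 518046 proposal)"
        return True, "responder has no status for this certificate"
    if policy.hard_fail:  # UNREACHABLE: only hard-fail mode treats it as an error
        return True, "responder unreachable (hard fail)"
    return False, "responder unreachable, soft fail"


def audit(policy, site):
    """Blocked outcome for every responder answer under one policy."""
    return {s.value: connection_blocked(s, policy, site)[0] for s in OcspStatus}
```

Running `audit(Policy(), SiteState(has_cert_override=True))` shows the asker's situation: the expired-cert override is stored, yet the "unknown" answer still blocks while an unreachable responder does not.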
Hi Jscher,
Thanks a lot for your answer.
I think what it boils down to is really: How to make an exception for OCSP checking (especially if an exception has been added for an expired cert).
I really don't know whether the CA changed the error code for expired certs, or whether they just purged some old certs (and they thus became unknown), or whether something else happened. As I can't travel back in time it's hard to verify now; things just broke today.
I hesitate between creating a new ticket (allow creating exceptions for OCSP verification and ignoring OCSP for expired certs) or adding a suggestion to Bug 518046.
Not sure what's clearest / creating the least administrative overhead.
Do you have any opinions?
Further, one more (related) question: What will happen if I create self-signed certificates and add the self-signed CA to the browser's CA list, but don't provide CRLs or OCSP?
Hi gelonida, I don't understand these bugs well enough to suggest where the proposal belongs.
Regarding your self-signed certificate, as this is an issue in all browsers, there probably is a standard protocol implemented by the software that creates the certificate. (I haven't researched it.)