We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Pretraži podršku

Izbjegni prevare podrške. Nikad te nećemo tražiti da nas nazoveš, da nam pošalješ telefonski broj ili da podijeliš osobne podatke. Prijavi sumnjive radnje pomoću opcije „Prijavi zlouporabu”.

Saznaj više

Can't disable OCSP per site

more options

Hi I'm a little at a loss.

The question is rather simple: Is there any way to disable OCSP verification for specific servers (not domains) similiar in the way I could add exceptions for expired certs or certs with the wrong CN.


A little more context: It seems, that Firefox is now issuing OCSP requests by default, which is a good thing.

However I'd like to be able to add exceptions for certain sites (the only suggestion, that I found with googling was to disable OCSP requests, which I consider counter productive and doesn't seem to be in the spirit of increasing overall security)

Examples: I have one site, that I want to access, which uses an expired certificate (I know that's not good, but I do trust this site) and where the CA doesn't keep any record for (seems to be normal to me, as the cert is expired, so no more need to revoke it) I personally wouldn't even expect to have to do an OCSP request for expired certs, but I did not read the official specs and might thus be wrong.

There might be also sites, that have an OCSP server which is temporarily down. I'd prefer to disable OCSP only for this sites than to disable it globally.

Is this possible, If not are there any plans for such features?

Thanks in advance for your replies and suggestions

Hi I'm a little at a loss. The question is rather simple: Is there any way to disable OCSP verification for specific servers (not domains) similiar in the way I could add exceptions for expired certs or certs with the wrong CN. A little more context: It seems, that Firefox is now issuing OCSP requests by default, which is a good thing. However I'd like to be able to add exceptions for certain sites (the only suggestion, that I found with googling was to disable OCSP requests, which I consider counter productive and doesn't seem to be in the spirit of increasing overall security) Examples: I have one site, that I want to access, which uses an expired certificate (I know that's not good, but I do trust this site) and where the CA doesn't keep any record for (seems to be normal to me, as the cert is expired, so no more need to revoke it) I personally wouldn't even expect to have to do an OCSP request for expired certs, but I did not read the official specs and might thus be wrong. There might be also sites, that have an OCSP server which is temporarily down. I'd prefer to disable OCSP only for this sites than to disable it globally. Is this possible, If not are there any plans for such features? Thanks in advance for your replies and suggestions

Svi odgovori (3)

more options

I don't think that feature exists, but let me ruminate a bit...

Firefox's default behavior, I think for quite a while now, is to check OCSP but only alert if the server says there was a revocation, so a server being down does not invalidate the certificate.

I agree that checking a certificate for which you have created an exception is a bit strange. It's hard to know whether anyone thought about the specific scenario.

I searched for some bugs, and this is by no means an exhaustive list, but there seem to be some longstanding bugs as well as recent discussions about how to handle a response that the certificate is "unknown". You might review these and see whether any is likely to help, or simply file a new bug proposing the behavior you would like to see.

To avoid spamming lots of developers, which can make them less sympathetic, please be judicious in commenting on existing bugs. See:

more options

Hi Jscher,

Thanks a lot for your answer.

I think what it boils down to is really,: How to make an exception for OCSP checking. (especially if an exception has been added for an expired cert)

I really don't know whether the CA changed the error code for expired certs or whether they just purged some old certs )and they became thus unknown) or whethersomething else happened. As I can't travel back in time it's hard to verify now, things just broke today.

I hesitate between creating a new ticket (allow to create exceptions for OCSP verification and to ignore OSCP for expired certs) or to add a suggestion to Bug 518046

Not sure what's clearest / creating the least administrative overhead.

Do you have any opinions?

Further one more (related) question: What will happen if I create self signed certificates, add the self signed CA to the browser's CA list, but don't provide CRLs or OCSP?

more options

Hi gelonida, I don't understand these bugs well enough to suggest where the proposal belongs.

Regarding your self signed certificate, as this is an issue in all browsers, there probably is a standard protocol implemented by the software that creates the certificate. (I haven't researched it.)