Firefox-only connection problems with some SSL sites network-wide
I recently started experiencing problems with sites not loading in Firefox with the error "Connection was interrupted". I've consistently seen this problem trying to load accounts.google.com. The problem exists in both versions 3.6.26 (OS X 10.4 latest available) and 10.0.1 (Windows XP/7/server2k3). In every single case, other browsers on the same system (Safari, various IE versions) can load the same URLs just fine.
I've already verified no proxy (FF and working browsers, all OSes), disabled ipv6 and prefetching in network.dns, disabled all add-ons, deleted existing profiles, cleared cache, and cleared recent history. Existing articles suggest disabling DNS prefetch,
All Replies (3)
Follow up: if I pass connections through a Fiddler proxy, Firefox (10.0.1, connection fails) issues repeated OCSP requests to ocsp.thawte.com. These requests all get an HTTP 502 back. IE (8, connection works) does not issue a similar request.
Do you have a specific OCSP server set, or is it set to abort when validation fails?
Check the OCSP settings:
- Firefox > Preferences > Advanced > Encryption: Certificates: Validation
- [ ] "When an OCSP server connection fails, treat the certificate as invalid"
Nope. Settings are default as far as I can tell. "Validate a certificate if it specifies an OCSP server" is selected, connection-fails-invalid is not checked.
I resolved the issue after talking to my ISP - there was a DNS caching issue and I was getting an invalid IP for ocsp.thawte.com - but the behavior seems buggy. The OCSP server connection WAS failing (with a timeout) and per Fiddler FF just keeps issuing repeat OCSP requests before eventually giving up with the interrupted connection error. The "When an OCSP server connection fails" option doesn't seem to do what it says in this case; prior to getting the DNS issue fixed the only solution was to disable OCSP completely.
Perhaps the problem is that the OCSP connection timed out rather than being refused or unresolvable, but recognizing multiple timeouts as a connection failure might be more user-friendly.
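The behaviour described in the last two replies (a responder that keeps timing out, a client that retries until the connection is reported as interrupted, and a hard-fail setting that does not engage on timeouts) is easier to reason about with a small model. The following is an added example and not code from the thread or from Firefox: it simulates a TLS client's OCSP check with a constructed fake responder, bounds the retries with an attempt limit and a time budget, and then applies either a soft-fail or a hard-fail policy uniformly to every way of failing to reach the responder (timeout, DNS failure, or an HTTP error such as the 502s seen through Fiddler). The outcome names, `check_certificate`, `make_responder` and `demo` are all assumptions made for this illustration; nothing here contacts a real OCSP server.

```python
"""Added example (not from the Mozilla Support thread or Firefox): a model of how
a TLS client can handle OCSP responder failures with bounded retries and an
explicit soft-fail / hard-fail policy. Responder behaviour is simulated."""
from dataclasses import dataclass
from enum import Enum
import time


class OcspOutcome(Enum):
    """Result of one attempt to reach the responder (constructed categories)."""
    GOOD = "good"
    REVOKED = "revoked"
    TIMEOUT = "timeout"          # responder never answers (bad IP from DNS cache)
    HTTP_ERROR = "http_error"    # e.g. the HTTP 502 responses seen via Fiddler
    DNS_FAILURE = "dns_failure"  # responder hostname does not resolve


@dataclass
class Decision:
    accept: bool    # whether the certificate is accepted
    reason: str
    attempts: int   # how many responder requests were issued


def check_certificate(fetch_ocsp, *, hard_fail: bool,
                      max_attempts: int = 3, overall_budget_s: float = 2.0) -> Decision:
    """Query the responder via fetch_ocsp() until a definitive answer arrives.

    A GOOD/REVOKED answer ends the check immediately. Any failure to reach the
    responder is retried, but only up to max_attempts and within an overall
    time budget; after that the soft-/hard-fail policy decides. Treating a
    timeout exactly like a refused or unresolvable responder is the design
    choice the thread argues for, not Firefox's actual logic.
    """
    deadline = time.monotonic() + overall_budget_s
    attempts = 0
    last = None
    while attempts < max_attempts and time.monotonic() < deadline:
        attempts += 1
        last = fetch_ocsp()
        if last is OcspOutcome.GOOD:
            return Decision(True, "responder says good", attempts)
        if last is OcspOutcome.REVOKED:
            return Decision(False, "responder says revoked", attempts)
    failure = last.value if last is not None else "no attempt made"
    if hard_fail:
        return Decision(False, f"responder unreachable ({failure}); hard-fail policy", attempts)
    return Decision(True, f"responder unreachable ({failure}); soft-fail policy", attempts)


def make_responder(outcomes):
    """Constructed fake responder: returns the given outcomes in order, then
    repeats the last one forever (models a responder that keeps timing out)."""
    seq = list(outcomes)
    calls = {"n": 0}

    def fetch():
        index = min(calls["n"], len(seq) - 1)
        calls["n"] += 1
        return seq[index]
    return fetch


def demo():
    """Run the thread's scenarios through both policies and return the decisions."""
    results = {}
    # Responder that never answers: the bad-IP-from-DNS case in the thread.
    results["timeout_soft"] = check_certificate(
        make_responder([OcspOutcome.TIMEOUT]), hard_fail=False)
    results["timeout_hard"] = check_certificate(
        make_responder([OcspOutcome.TIMEOUT]), hard_fail=True)
    # Responder behind a broken proxy returning 502 once, then recovering.
    results["502_then_good"] = check_certificate(
        make_responder([OcspOutcome.HTTP_ERROR, OcspOutcome.GOOD]), hard_fail=True)
    # A revoked certificate must be rejected under either policy.
    results["revoked_soft"] = check_certificate(
        make_responder([OcspOutcome.REVOKED]), hard_fail=False)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15s} accept={decision.accept!s:5s} attempts={decision.attempts} {decision.reason}")
```

The attempt limit and time budget are what keep the soft-fail case from turning into the hung "Connection was interrupted" experience reported above: the client gives up after a bounded number of requests and then makes an explicit decision, and under hard-fail that decision is the same whether the responder timed out, was refused, or failed to resolve.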