Secure Connection Failed to google.com
FF ESR 52.2.0 Windows XP sp3
Today I changed the following two OCSP settings from False to True:
security.OCSP.GET.enabled;true security.OCSP.require;true
Since then I'm unable to go to google.com, get the error message:
"Secure Connection Failed
An error occurred during a connection to www.google.com. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem."
But, at the same time I have no problem loading any other major websites like DuckDuckgo, rt.com, cnn.com, etc.
So, could someone help me to figure out why Google is not secure for me?
I don't know if it makes any difference, the IP address of google.com when I ping it is 216.58.209.196
Solução escolhida
The IP address you report belongs to Google, from the whois command.
I don't think the problem is about Firefox, but with Google settings.
Google might have setup their servers in a way to trigger a specific action if those settings you altered are configured that way, we cannot know.
My take on this, reasoning on what OSCP is as follows: OSCP is used for obtaining the revocation status of an X.509 digital certificate, but Google could use a PKI infrastructure and not implement OSCP security. It's not mandatory.
Ler esta resposta 👍 6Todas as respostas (7)
Solução escolhida
The IP address you report belongs to Google, from the whois command.
I don't think the problem is about Firefox, but with Google settings.
Google might have setup their servers in a way to trigger a specific action if those settings you altered are configured that way, we cannot know.
My take on this, reasoning on what OSCP is as follows: OSCP is used for obtaining the revocation status of an X.509 digital certificate, but Google could use a PKI infrastructure and not implement OSCP security. It's not mandatory.
mattcamp: Thanks for your answer, I knew, that it wasn't FF fault, but I posted my question here because FF gurus for sure know what these config elements do. Since I use Google a lot, I set this element "security.OCSP.require" to false, now I'm OK, just a bit disappointed.
I noticed, that there are 5 elements in FF config that deal with PKI, can you tell me what is the meaning of level 3 here:
security.pki.sha1_enforcement_level;3
and what other options are out there for this element?
The fact is SHA1 hashing algorithm has proven to be insecure, because a collision is possible.
A collision is when an algorithm calculates the same hash value for two different files.
This should never happen, because each file should have a unique hash signature, so Mozilla banned SHA1n favor of more secure algorithms.
More details here.
The NSA, too, deprecated SHA1 for the same reasons.
I see. So, by any chance do you know, that then how can anyone make sure, or trust the system that when you're using Google using FF, indeed you're communicating with a real Google server and not for e.g. a cuckoo's egg between you and a real Google server? Or we just have accept the familiar request "just trust us!"
Hi, It's a complex matter. However, I want to remind you that the people who answer questions here, for the most part, are other Firefox users volunteering their time (like me), not Mozilla employees or Firefox developers.
If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.
mattcamp: Thank you for patience and all your answers!
You're very welcome.
I love to help, that's why I'm here.