On Tue, Mar 11, 2014 at 3:20 AM, Hanno Böck <ha...@hboeck.de> wrote:

> I wanted to bring up an issue regarding OCSP stapling.
> I filed this bug shortly after Firefox 27 came out:
> https://bugzilla.mozilla.org/show_bug.cgi?id=972304
>
> Short conclusion: If you have enabled OCSP stapling on your server this
> will break the possibility to add certificate exceptions with Firefox
> 27.
>
> I find it a bit worrying that this issue hasn't received any attention
> yet. To make this clear: This made me disable OCSP stapling on my
> production machines with customers. And it's a serious regression to
> the previous version 26.
>

First, it is important to point out to others reading this that this
problem only affects certificates that don't chain to a trusted root CA
and/or which are considered invalid by Firefox for some other reason.
AFAICT, there is no problem with OCSP stapling in Firefox for valid
(according to Firefox) certificates.

In Firefox 30 (or so), we will switch to a different way of verifying
certificates, including a different way of processing OCSP responses. In
the new way, we won't validate the OCSP response at all for a certificate
that we do not trust, whether it is stapled or not. I believe this will
resolve the issue you are experiencing.

Because we're overhauling all of the certificate verification processing,
and because this is an issue that only affects invalid certificates, and
because there is a workaround (disable OCSP stapling until Firefox 30 is
released), this isn't going to be a high priority. I understand that can be
frustrating but we'll never get the new certificate processing turned on if
we keep going back to fix these issues with the old certificate processing.

It would be great if you could test the new way of doing certificate/OCSP
verification. To do so, please download Firefox 30 Nightly from
http://nightly.mozilla.org/. After you install it, go to about:config and
add a new entry:

1. Right click in the list of preferences and choose New -> Boolean.
2. Enter the name security.use_insanity_verification
3. Change the value of the new pref to "true."

You may have to clear your cache and restart your browser for the change to
fully take effect.

If you try this, let me know if it resolves the issue for you.

Cheers,
Brian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
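As an added example (not code from either message above, nor Mozilla's): the workaround Brian mentions is to turn OCSP stapling off on the server side until Firefox 30, and before and after doing that you want a way to confirm what the server actually sends. The helper below classifies the output of `openssl s_client -status`, which prints an `OCSP Response Status:` block when the server stapled a response and `OCSP response: no response sent` when it did not. The host name and the two abridged transcripts are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Classify an `openssl s_client -status` transcript.
# $1: the transcript text. Prints one of: stapled, stapled-error, not-stapled, unknown.
ocsp_stapling_status() {
    transcript=$1
    case "$transcript" in
        *'OCSP Response Status: successful'*) echo stapled ;;          # server stapled a good response
        *'OCSP response: no response sent'*)  echo not-stapled ;;      # no status_request answer at all
        *'OCSP Response Status:'*)            echo stapled-error ;;    # stapled, but responder reported an error
        *)                                    echo unknown ;;          # handshake failed or output not recognised
    esac
}

# Probe a live server (needs network). The stapled response is only sent when the
# client asks for it (-status), and most servers key their certificate choice on
# SNI, so -servername must be set as well.
check_server_stapling() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null)
    ocsp_stapling_status "$out"
}

# Constructed, abridged transcripts of what s_client prints in the two cases.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Certificate chain'

SAMPLE_UNSTAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Stand-alone demonstration on the constructed transcripts.
ocsp_stapling_status "$SAMPLE_STAPLED"     # stapled
ocsp_stapling_status "$SAMPLE_UNSTAPLED"   # not-stapled
# Live check, e.g.: check_server_stapling example.com
```

After disabling stapling server-side (`ssl_stapling off;` in nginx, `SSLUseStapling off` in Apache httpd), `check_server_stapling` should report `not-stapled`; if it still reports `stapled`, a cached configuration or a different virtual host is answering the SNI name you tested.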
