On Tue, 11 Mar 2014 11:01:26 -0700
Brian Smith <br...@briansmith.org> wrote:

> First, it is important to point out to others reading this that this
> problem only affects certificates that don't chain to a trusted root
> CA and/or which are considered invalid by Firefox for some other
> reason. AFAICT, there is no problem with OCSP stapling in Firefox for
> valid (according to Firefox) certificates.
> 
> In Firefox 30 (or so), we will switch to a different way of verifying
> certificates, including a different way of processing OCSP responses.
> In the new way, we won't validate the OCSP response at all for a
> certificate that we do not trust, whether it is stapled or not. I
> believe this will resolve the issue you are experiencing.
> 
> Because we're overhauling all of the certificate verification
> processing, and because this is an issue that only affects invalid
> certificates, and because there is a workaround (disable OCSP
> stapling until Firefox 30 is released), this isn't going to be a high
> priority. I understand that can be frustrating but we'll never get
> the new certificate processing turned on if we keep going back to fix
> these issues with the old certificate processing.

I feel extremely uncomfortable with this. Basically this would mean
that this will make it into an ESR release of FF and maybe into a
Debian release, which will mean in effect I won't be able to
re-enable OCSP stapling for several years to come.

Let me just point out what my situation is, because I don't think I'm
alone with this:
I'm running a server with dozens of customers, all having their own
webpage. They have an option to use their own certs, but a lot of them
don't do that.
They access the backends of their CMSes by adding exceptions to the
cert warnings to their browsers.

Now I know it'd be better to tell them that they should all get their
real certificates. But frankly, it's not realistic that all of them
will. And the realistic alternative is that they start avoiding https
altogether if the possibility to add exceptions is taken away from them.

I hope this explains better what my worries about this are.


> It would be great if you could test the new way of doing
> certificate/OCSP verification. To do so, please download Firefox 30
> Nightly from http://nightly.mozilla.org/. After you install it, go to
> about:config and add a new entry:

I'll do that.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42

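As an added example (not part of this thread, and not code from either poster): the combination Brian's first paragraph refers to is "does the server staple at all" and "is the chain trusted by the client". The shell check below answers both from the output of `openssl s_client -status`, which is also the check an operator would run after turning stapling off as the workaround. The host name in the usage line and the two sample outputs are constructed for illustration; the grep patterns match the lines OpenSSL prints in `-status` mode.

```shell
# classify_stapling OUTPUT
#   Reads the text that `openssl s_client -status` wrote and prints one of
#   stapled-trusted, stapled-untrusted, unstapled-trusted, unstapled-untrusted.
#   "stapled" means a decoded OCSP response was present in the handshake;
#   "trusted" means OpenSSL's own chain verification returned 0 (ok).
classify_stapling() {
    out="$1"
    # A stapled response shows up as an "OCSP Response Status:" line;
    # without stapling, s_client prints "OCSP response: no response sent".
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        stapled=stapled
    else
        stapled=unstapled
    fi
    # Non-zero verify codes (18 self signed, 21 unable to verify first
    # certificate, ...) are the "invalid" case the thread is about.
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        trust=trusted
    else
        trust=untrusted
    fi
    printf '%s-%s\n' "$stapled" "$trust"
}

# probe_host HOST [PORT]
#   Live check (needs network). Sends 'Q' so s_client exits after the
#   handshake; the SNI name is set so name-based vhosts answer correctly.
probe_host() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
            -servername "$host" -status 2>/dev/null)
    classify_stapling "$out"
}

# Constructed sample outputs (assumptions, trimmed to the relevant lines).
# A self-signed cert served with stapling enabled, i.e. the problem case:
SAMPLE_STAPLED_SELFSIGNED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
    Verify return code: 18 (self signed certificate)'

# A CA-issued cert with stapling disabled on the server:
SAMPLE_UNSTAPLED_OK='OCSP response: no response sent
    Verify return code: 0 (ok)'

# Usage, assuming an example host:
#   probe_host customer-site.example.org
```

`probe_host` relies on the openssl binary being able to build the chain against its default trust store, so a server that Firefox rejects may still show up as "trusted" here if the two stores differ; the stapled/unstapled part of the answer does not depend on any trust store.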

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
