Bill Burns wrote:
> On Mar 29, 8:26 pm, Nelson Bolyard <[EMAIL PROTECTED]>
> wrote:
> <snip>
> 
>>> One error I get while attempting to authenticate to an internal site
>>> with my certificate-on-a-smartcard is this one:
>>> "Alert: An internal failure has been detected.  It not possible to
>>> complete the requested OCSP operation."
>>
>> That error string has a name, which is "OCSPDeadlock".  I think (not
>> sure) it happens when the OCSP request is sent over an https connection
>> and the OCSP server's cert itself specifies an OCSP URL, causing
>> recursive OCSP lookup.
>>
>> FWIW, This error code seems to no longer be present on the trunk.
> 
> Thanks for the clarification.  The OCSP responder URL is being
> asserted in the certificate's AIA Extension which is currently set to
"http://ocsp.web.aol.com/ocsp".  I'll have to watch the network
> packets more carefully to see what Firefox is actually doing here.  If
> I see anything surprising, I'll post a followup.

One other possibility is that the cert of the OCSP responder (that is, the
cert used to verify the signature in the OCSP response itself) specifies
an AIA extension with a URI, also leading to recursive OCSP lookup.

>>> As part of my troubleshooting efforts, I noticed that I don't get this
>>> error if I start from a "clean" FireFox profile.  Any ideas on how to
>>> view and/or clear the OCSP cache in this FireFox profile.
>>
>> FireFox does not yet have an OCSP cache.
>>
> Hmm...now THAT is very interesting.  I don't know why a clean FireFox
> profile on the same box would give me a different experience (but I'm
> glad it's an error-free experience).  

Maybe OCSP is disabled in a "clean" profile?
Or maybe your test profile has a "default" OCSP responder configured,
and so is using OCSP even on certs with no AIA extension?

> I was hoping you would say that
> nuking some security-related local database would clear this
> condition.  I'll go back and see if I can reproduce this and compare
> results with my network trace to see if I can make any better guesses
> as to what's going on.

BTW, a prototype of the OCSP client cache is now present on the trunk
of NSS.  It'll be in FF3.

<snip>
> I challenge anyone reading this thread to enable OCSP checking in FF
> and try surfing for a week.  It's tougher than I expected!

I run that way all the time and have rather little difficulty, but
maybe I don't visit a very diverse set of https servers.  Also, I
use nightly builds from the trunk, so I generally have the latest fixes
(and the latest bugs :(

> --
> Bill Burns, CISSP
> Producer and Co-Host of the Security Hype podcast and blog
> http://www.SecurityHype.com

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
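Added example, not code from this thread, from NSS or from Firefox: a toy
model of AIA-driven OCSP checking that reproduces the recursion Nelson
describes (the "OCSPDeadlock" condition) and shows what breaks it. It
covers his three guesses: an https responder whose TLS cert wants its own
OCSP lookup, a responder signing cert whose AIA points back at the same
responder, and a "default responder" applied to certs with no AIA. All
certificate names and URLs are constructed; the responder URL stands in
for the AIA URI quoted above. The one real identifier is the
id-pkix-ocsp-nocheck OID from RFC 6960 (formerly RFC 2560), which is the
standard way a responder cert opts out of being revocation-checked.

```python
# Added example, not code from the thread, from NSS or from Firefox: a toy model
# of AIA-driven OCSP checking that reproduces the recursion Nelson describes
# ("OCSPDeadlock") and shows what breaks it. All certificate names and URLs
# are constructed; the responder URL stands in for the AIA URI in the thread.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# RFC 6960 (formerly RFC 2560), section 4.2.2.2.1: a responder certificate that
# carries id-pkix-ocsp-nocheck tells clients not to check its own revocation.
ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"


@dataclass
class Cert:
    subject: str
    ocsp_url: Optional[str] = None            # AIA id-ad-ocsp URI, if any
    extensions: Set[str] = field(default_factory=set)


@dataclass
class Responder:
    signer: Cert                              # cert that signs the responses
    tls_cert: Optional[Cert] = None           # server cert when the URL is https


class OCSPDeadlock(Exception):
    """Checking a cert's status requires first checking that same cert."""


def check_status(cert: Cert, responders: Dict[str, Responder],
                 honor_nocheck: bool = True, default_url: Optional[str] = None,
                 _path: Optional[List[str]] = None) -> List[str]:
    """Return the certs queried, in order; raise OCSPDeadlock on recursion.
    A real client would bound the recursion somehow (assumption: how NSS does
    it is not modelled here); this model fails the first time a cert that is
    already being checked is checked again."""
    path = _path if _path is not None else []
    url = cert.ocsp_url or default_url        # a "default responder" applies to
    if url is None:                           # certs with no AIA at all
        return []
    if cert.subject in path:
        raise OCSPDeadlock(" -> ".join(path + [cert.subject]))
    path.append(cert.subject)
    queried = [cert.subject]
    resp = responders[url]
    # Guess 1: responder reached over https, so its TLS server cert has to be
    # validated, and that validation may itself want an OCSP lookup.
    if url.startswith("https://") and resp.tls_cert is not None:
        queried += check_status(resp.tls_cert, responders, honor_nocheck,
                                default_url, path)
    # Guess 2: the response signer's own cert must be validated; unless it
    # asserts nocheck (and the client honors it) that means another lookup.
    if not (honor_nocheck and ID_PKIX_OCSP_NOCHECK in resp.signer.extensions):
        queried += check_status(resp.signer, responders, honor_nocheck,
                                default_url, path)
    path.pop()
    return queried


URL = "http://ocsp.example.test/ocsp"          # constructed
HTTPS_URL = "https://ocsp.example.test/ocsp"   # constructed


def run(scenario: str) -> str:
    """Constructed scenarios; returns 'ok:<certs queried>' or 'deadlock:<cycle>'."""
    leaf = Cert("CN=smartcard user", ocsp_url=URL)
    default = None
    if scenario == "signer-without-aia":
        responders = {URL: Responder(Cert("CN=OCSP signer"))}
    elif scenario == "signer-aia-nocheck":
        signer = Cert("CN=OCSP signer", URL, {ID_PKIX_OCSP_NOCHECK})
        responders = {URL: Responder(signer)}
    elif scenario == "signer-aia":               # Nelson's second guess
        responders = {URL: Responder(Cert("CN=OCSP signer", URL))}
    elif scenario == "https-responder":          # Nelson's first guess
        leaf = Cert("CN=smartcard user", ocsp_url=HTTPS_URL)
        tls = Cert("CN=ocsp.example.test", ocsp_url=HTTPS_URL)
        responders = {HTTPS_URL: Responder(Cert("CN=OCSP signer"), tls)}
    elif scenario == "default-responder":        # his "default responder" guess
        leaf = Cert("CN=smartcard user")          # no AIA at all
        responders = {URL: Responder(Cert("CN=OCSP signer"))}
        default = URL
    else:
        raise ValueError(scenario)
    try:
        return "ok:" + ",".join(check_status(leaf, responders, default_url=default))
    except OCSPDeadlock as e:
        return "deadlock:" + str(e)


if __name__ == "__main__":
    for s in ("signer-without-aia", "signer-aia-nocheck", "signer-aia",
              "https-responder", "default-responder"):
        print(f"{s:22} {run(s)}")
```

The two "ok" scenarios are the shapes the AIA URL in the thread would need:
a plain http responder whose signing cert either has no AIA of its own or
carries id-pkix-ocsp-nocheck. The "default-responder" scenario is worth
noting when comparing profiles: a profile that forces every cert through one
responder will also try to check that responder's signing cert there, so it
loops unless the signer asserts nocheck.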
