OCSP Cert Issues
May 29th, 2017, 06:52
Reinstalling OS and suddenly I can't log into https sites. Getting error
SEC_ERROR_OCSP_INVALID_SIGNING_CERT
Some google-fu tells me this is a problem with Azure?
https://www.reddit.com/r/firefox/com…_when_hotmail/
IE doesn't even work for me but I read where Chrome stopped doing OCSP or something?
This is the only solution that works for me
https://support.mozilla.org/en-US/questions/1013172
--
Developer of The Wizard's Grave Android game. Discussion Thread:
http://www.rpgwatch.com/forums/showthread.php?t=22520
May 29th, 2017, 12:22
I don't have that problem, using Firefox version 53.0.3. I checked the settings and OCSP stapling is enabled.
Are there specific https sites that don't work for you? Or are all https sites you've tried (like RPGWatch) not working for you?
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
May 29th, 2017, 17:04
It could be me as I moved the default directories in the registry for programs and common files to my storage drive and not my C drive.
However, a lot of people are reporting this problem so it makes me think it's not that
https://answers.microsoft.com/en-us/…7-ecf85cacbac6
TBH, I don't remember if it affected RPGWatch. Are you using OCSP?
--
Developer of The Wizard's Grave Android game. Discussion Thread:
http://www.rpgwatch.com/forums/showthread.php?t=22520
May 29th, 2017, 17:07
Is your system date set correctly? Wrong date will falsely invalidate certificates.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
May 29th, 2017, 17:10
It definitely is. That comes up on the first google of this issue. This issue that is being reported just happened so it makes me think it may not be a coincidence.
--
Developer of The Wizard's Grave Android game. Discussion Thread:
http://www.rpgwatch.com/forums/showthread.php?t=22520
May 29th, 2017, 17:14
Hmm, there may be something unusual going on with OCSP. It's an added security measure, but you're probably not taking too much of a risk to run without it for now.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
May 30th, 2017, 11:55
Is it an added security measure? I thought it was only used to reduce the load on the requests to the registrar and thus speed up page loads. By using stapling the hosting site can 'staple' the certificate information to the request from the client, without the need for the client to contact the registrar on each request. This behavior could actually be seen as a security risk, which is resolved by limiting the time stamp of the certificate information that can be stapled, so that the encrypted registration information has to be retrieved from the registrar by the host on a regular basis in order to make this work.
This functionality is embedded in Apache and nginx already, so could be easily enabled and disabled on sites (as long as they have the correct version of Apache/nginx). And clients can disable this and request the information directly from the registrar at the penalty of a (potentially) somewhat longer load time of a page.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
May 30th, 2017, 12:29
IE doesn't work and Firefox has problems - this has nothing to do with RPGwatch.
Reinstall OS once again and don't mess with the general registry. If for some reason you need to put OS data on another drive, change only default path for Users, don't change paths for program files and other stuff.
--
Toka Koka
May 30th, 2017, 12:35
Originally Posted by Lucky Day:
> TBH, I don't remember if it affected RPGWatch. Are you using OCSP?
Just checked it and I remember now disabling it again after configuring it last year, for some reason I can't remember anymore.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
May 30th, 2017, 18:06
Originally Posted by Myrthos:
> Is it an added security measure? I thought it was only used to reduce the load on the requests to the registrar and thus speed up page loads. By using stapling the hosting site can 'staple' the certificate information to the request from the client, without the need for the client to contact the registrar on each request. This behavior could actually be seen as a security risk, which is resolved by limiting the time stamp of the certificate information that can be stapled, so that the encrypted registration information has to be retrieved from the registrar by the host on a regular basis in order to make this work.
> This functionality is embedded in Apache and nginx already, so could be easily enabled and disabled on sites (as long as they have the correct version of Apache/nginx). And clients can disable this and request the information directly from the registrar at the penalty of a (potentially) somewhat longer load time of a page.
As I understand it, OCSP is an updated method of checking for invalid certificates. The OCSP stapling in particular is a way to reduce calls to the issuer, and also a way to mitigate some impostor attacks that OCSP is vulnerable to.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
May 30th, 2017, 18:49
Oh now I understand you. I don't think he should disable OCSP though, but only the stapling.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
May 31st, 2017, 18:12
I set security.ssl.enable_ocsp_stapling to false and that works for me. Is that stapling?
My laptop is fine without doing that, but I haven't checked my desktop yet.
--
Developer of The Wizard's Grave Android game. Discussion Thread:
http://www.rpgwatch.com/forums/showthread.php?t=22520
May 31st, 2017, 18:37
Yes that is the stapling setting. Disabling it doesn't make things less secure. A fraction slower perhaps (depending on the site you visit), but that is it.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
May 31st, 2017, 18:46
In theory, it does make you a bit less secure. I wouldn't worry too much as a very short term fix, but ideally I wouldn't leave stapling disabled.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
May 31st, 2017, 18:52
I don't think it becomes less secure, as now the issuer is always contacted to check if the certificate is revoked or not and the site you are visiting is not stapling this information to the browsers' request anymore. OCSP is still enabled, just stapling isn't.
--
In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move. Douglas Adams
There are no facts, only interpretations. Nietzsche
Some cause happiness wherever they go; others whenever they go. Oscar Wilde
May 31st, 2017, 20:27
Stapling the certificates does help against some security problems. Because of that, some sites actually mandate that the certs are stapled, so turning it off could actually cause problems on other sites.
--
"I cannot define the real problem, therefore I suspect there's no real problem, but I'm not sure there's no real problem."
Richard Feynman
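For anyone debugging a stapling failure like the one discussed in this thread, the following is an added example (not code from any poster) that classifies the OCSP section printed by `openssl s_client -connect HOST:443 -status`: whether a response was stapled at all, what status it carries, and whether it is fresh relative to the client clock. The sample text and the function names are constructed for illustration, and the check does not validate the responder's signing certificate.

```python
import re
from datetime import datetime, timezone

# Constructed samples of the OCSP section printed by
# `openssl s_client -connect HOST:443 -status` (not captured from a real server).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: May 29 04:00:00 2017 GMT
    Cert Status: good
    This Update: May 29 04:00:00 2017 GMT
    Next Update: Jun  1 04:00:00 2017 GMT
"""
SAMPLE_NONE = "OCSP response: no response sent\n"


def _when(label, text):
    """Return the UTC datetime that follows 'label:' in the dump, or None."""
    m = re.search(rf"{label}: (\w{{3}}\s+\d+ [\d:]+ \d{{4}}) GMT", text)
    if not m:
        return None
    parsed = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def classify_staple(text, now):
    """Classify a stapled OCSP response as seen by a client whose clock reads `now`."""
    if "OCSP response: no response sent" in text:
        return "not-stapled"          # client must query the responder itself
    status = re.search(r"OCSP Response Status: (\w+)", text)
    if not status or status.group(1) != "successful":
        return "responder-error"
    cert = re.search(r"Cert Status: (\w+)", text)
    this_update = _when("This Update", text)
    next_update = _when("Next Update", text)
    if not cert or this_update is None:
        return "unparsable"
    if now < this_update:
        return "not-yet-valid"        # also what a client clock set in the past sees
    if next_update is not None and now > next_update:
        return "expired"              # server kept serving a stale staple
    return cert.group(1)              # good, revoked or unknown


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(classify_staple(SAMPLE_STAPLED, now))
```

Passing the machine's real clock as `now` shows how a wrong system date alone turns a valid staple into `not-yet-valid` or `expired`.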
All times are GMT +2.
