OCSP Cert Issues

Lucky Day · May 29, 2017

Reinstalling OS and suddenly I can't log into https sites. Getting error

SEC_ERROR_OCSP_INVALID_SIGNING_CERT

Some google-foo tells me is this a problem with azure?

https://www.reddit.com/r/firefox/comments/6dx2so/sec_error_ocsp_invalid_signing_cert_when_hotmail/

IE doesn't even work for me but I read where Chrome stop doing OCSP or something?

This is the only solution that works for me

https://support.mozilla.org/en-US/questions/1013172

Myrthos · May 29, 2017

I don't have that problem, using Firefox version 53.0.3. I checked the settings and OCSP stapling is enabled.
Are there specific https sites that don't work for you? Or are all https sites you've tried (like RPGWatch) not working for you?

Lucky Day · May 29, 2017

It could be me as I moved the default directories in the registry for programs and common files to my storage drive and not my C drive.

However, a lot of people are reporting this problem so it makes me think its not that

https://answers.microsoft.com/en-us...ok-using/9f8dd00f-e4d8-4984-ac17-ecf85cacbac6

TBH, I don't remember if it affected RPGWatch. Are you using OCSP?

Ripper · May 29, 2017

Is your system date set correctly? Wrong date will falsely invalidate certificates.

Lucky Day · May 29, 2017

It definitely is. That comes up on the first google of this issue. This issue that is being reported just happened so it makes me think it may not be a coincidence.

Ripper · May 29, 2017

Hmm, there maybe something unusual going on with OCSP. It's an added security measure, but you're probably not taking too much of a risk to run without it for now.

Myrthos · May 30, 2017

Is it an added security measure? I thought it was only used to reduce the load on the requests to the registrar and thus speed up page loads. By using stapling the hosting site can 'staple' the certificate information to the request from the client, without the need for the client to contact the registrar on each request. This behavior could actually be seen as a security risk, which is resolved by limiting the time stamp of the certificate information that can be stapled, so that the encrypted registration information has to retrieved from the registrar by the host on a regular basis in order to make this work.
This functionality is embedded in Apache and nginx already, so could be easily enabled and disabled on sites (as long as they have the correct version of Apache/nginx). And clients can disable this and request the information directly from the registrar at the penalty of a (potentially) somewhat longer load time of a page.

joxer · May 30, 2017

IE doesn't work and Firefox has problems - this has nothing to do with RPGwatch.
Reinstall OS once again and don't mess the general registry. If for some reason you need to put OS data on another drive, change only default path for Users, don't change paths for program files and other stuff.

Myrthos · May 30, 2017

Lucky Day said:
TBH, I don't remember if it affected RPGWatch. Are you using OCSP?

Just checked it and I remember now disabling it again after configuring it last year, for some reason I can't remember anymore.

Ripper · May 30, 2017

Myrthos said:
Is it an added security measure? I thought it was only used to reduce the load on the requests to the registrar and thus speed up page loads. By using stapling the hosting site can 'staple' the certificate information to the request from the client, without the need for the client to contact the registrar on each request. This behavior could actually be seen as a security risk, which is resolved by limiting the time stamp of the certificate information that can be stapled, so that the encrypted registration information has to retrieved from the registrar by the host on a regular basis in order to make this work.
This functionality is embedded in Apache and nginx already, so could be easily enabled and disabled on sites (as long as they have the correct version of Apache/nginx). And clients can disable this and request the information directly from the registrar at the penalty of a (potentially) somewhat longer load time of a page.

As I understand it, OCSP is an updated method of checking for invalid certificates. The OCSP stapling in particular is a way to reduce calls to the issuer, and also a way to mitigate some impostor attacks that OCSP is vulnerable to.

Myrthos · May 30, 2017

Oh now I understand you. I don't think he should disable OCSP though, but only the stapling.

Lucky Day · May 31, 2017

I set security.ssl.enable_ocsp_stapling to false and that works for me. Is that stapling?

My laptop is fine without doing that, but I haven't checked my desktop yet.

Myrthos · May 31, 2017

Yes that is the stapling setting. Disabling it doesn't make things less secure. A fraction slower perhaps (depending on the site you visit), but that is it.

Ripper · May 31, 2017

In theory, it does make you a bit less secure. I wouldn't worry too much as a very short term fix, but ideally I wouldn't leave stapling disabled.

Myrthos · May 31, 2017

I don't think it becomes less secure, as now the issuer is always contacted to check if the certificate is revoked or not and the site you are visiting is not stapling this information to the browsers' request anymore. OCSP is still enabled, just stapling isn't.

Ripper · May 31, 2017

Stapling the certificates does help against some security problems. Because of that, some sites actually mandate that the certs are stapled, so turning it off could actually cause problems on other sites.

OCSP Cert Issues

Lucky Day

Daywatch

Myrthos

Cave Canem

Lucky Day

Daywatch

Ripper

Зичу Вам успіхів

Lucky Day

Daywatch

Ripper

Зичу Вам успіхів

Myrthos

Cave Canem

joxer

The Smoker

Myrthos

Cave Canem

Ripper

Зичу Вам успіхів

Myrthos

Cave Canem

Lucky Day

Daywatch

Myrthos

Cave Canem

Ripper

Зичу Вам успіхів

Myrthos

Cave Canem

Ripper

Зичу Вам успіхів