Hey Bill,

Long time, no see! netscape.public.mozilla.crypto is now moribund. The action is now in mozilla.dev.tech.crypto, which is served from news.mozilla.org. Followups directed there.

Bill Burns wrote:
> As part of my company's rollout to use OCSP I decided to turn on OCSP
> checking in FireFox 2 on my Mac.
>
> I've been surprised at the number of OCSP-related error messages I'm
> now getting when browsing websites that I didn't expect to be using
> SSL or OCSP. In a few cases it looks like it's the Verisign "seal"
> that is displayed on websites that's actually triggering the error
> (how ironic!) or causing slower than normal page downloads.

Some web sites don't use an SSL session cache and so do full handshakes on every connection. If you're using OCSP, this means doing OCSP on every connection. Ouch.

> One error I get while attempting to authenticate to an internal site
> with my certificate-on-a-smartcard is this one:
> "Alert: An internal failure has been detected. It not possible to
> complete the requested OCSP operation."

That error string has a name, which is "OCSPDeadlock". I think (not sure) it happens when the OCSP request is sent over an https connection and the OCSP server's cert itself specifies an OCSP URL, causing recursive OCSP lookup. FWIW, this error code seems to no longer be present on the trunk.

> As part of my troubleshooting efforts, I noticed that I don't get this
> error if I start from a "clean" FireFox profile. Any ideas on how to
> view and/or clear the OCSP cache in this FireFox profile?

FireFox does not yet have an OCSP cache.

/Nelson

P.S. Will this answer be featured in your next securityhype.com podcast? :)
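
The recursive lookup suggested in the reply above, modelled as an added example (not part of the original message and not NSS code): a walk over a certificate inventory that flags any certificate whose OCSP check, made over https, ends up depending on itself. The certificate names, hostnames and URLs are constructed, and the model assumes the reply's hypothesis that validating an https responder's certificate triggers a further OCSP lookup.

```python
from urllib.parse import urlparse

# Constructed inventory (hypothetical names): for each certificate, the OCSP
# URL taken from its AIA extension, or None if it carries none.
OCSP_URL = {
    "internal-site": "https://ocsp.example.test/",
    "ocsp-responder-tls": "https://ocsp.example.test/",
    "public-site": "http://ocsp.ca.example.test/",
}
# Constructed: the TLS server certificate presented by each https responder.
TLS_CERT_OF_HOST = {"ocsp.example.test": "ocsp-responder-tls"}


def ocsp_dependency_chain(cert, ocsp_url=OCSP_URL, tls_cert=TLS_CERT_OF_HOST):
    """Follow the certs that must be validated before `cert` can be checked.

    Returns (chain, recursive): `chain` lists the certs visited in order and
    `recursive` is True when the walk reaches a cert it is already checking.
    """
    chain, in_progress = [], set()
    while cert is not None:
        if cert in in_progress:
            return chain + [cert], True   # the check depends on itself
        in_progress.add(cert)
        chain.append(cert)
        url = ocsp_url.get(cert)
        if url is None:
            break                         # no OCSP URL: nothing to fetch
        parts = urlparse(url)
        if parts.scheme != "https":
            break                         # plain http: no handshake, no new cert
        # https responder: its TLS certificate has to be validated first.
        # A host missing from the inventory ends the walk.
        cert = tls_cert.get(parts.hostname)
    return chain, False


def recursive_certs(ocsp_url=OCSP_URL, tls_cert=TLS_CERT_OF_HOST):
    """Names of all inventory certs whose OCSP check would recurse."""
    return sorted(c for c in ocsp_url
                  if ocsp_dependency_chain(c, ocsp_url, tls_cert)[1])


if __name__ == "__main__":
    for name in OCSP_URL:
        chain, recursive = ocsp_dependency_chain(name)
        print(name, "->", " -> ".join(chain), "(recursive)" if recursive else "")
```

In this inventory the fix is on the responder side: serve OCSP over plain http, or issue the responder's TLS certificate without an OCSP URL that points back at the same responder.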