On Mar 29, 8:26 pm, Nelson Bolyard <[EMAIL PROTECTED]>
wrote:
<snip>

> > One error I get while attempting to authenticate to an internal site
> > with my certificate-on-a-smartcard is this one:
> > "Alert: An internal failure has been detected.  It not possible to
> > complete the requested OCSP operation."
>
> That error string has a name, which is "OCSPDeadlock".  I think (not
> sure) it happens when the OCSP request is sent over an https connection
> and the OCSP server's cert itself specifies an OCSP URL, causing
> recursive OCSP lookup.
>
> FWIW, This error code seems to no longer be present on the trunk.
>

Thanks for the clarification.  The OCSP responder URL is being
asserted in the certificate's AIA Extension which is currently set to
"http://ocsp.web.aol.com/ocsp".  I'll have to watch the network
packets more carefully to see what Firefox is actually doing here.  If
I see anything surprising, I'll post a followup.

> > As part of my troubleshooting efforts, I noticed that I don't get this
> > error if I start from a "clean" FireFox profile.  Any ideas on how to
> > view and/or clear the OCSP cache in this FireFox profile.
>
> FireFox does not yet have an OCSP cache.
>
Hmm...now THAT is very interesting.  I don't know why a clean FireFox
profile on the same box would give me a different experience (but I'm
glad it's an error-free experience).  I was hoping you would say that
nuking some security-related local database would clear this
condition.  I'll go back and see if I can reproduce this and compare
results with my network trace to see if I can make any better guesses
as to what's going on.

> /Nelson
>
> P.S. Will this answer be featured in your next securityhype.com podcast? :)

Yes -- and we'll have screen shots of example websites that are
throwing OCSP-related errors because some well-known public CAs
<cough> are not scaled up to fully support OCSP.  With Vista, this is
going to be a MUCH bigger issue which will confuse and upset many
users and website owners.  When FF enables OCSP by default the problem
won't get better either.

I challenge anyone reading this thread to enable OCSP checking in FF
and try surfing for a week.  It's tougher than I expected!

Cheers,

Bill

--
Bill Burns, CISSP
Producer and Co-Host of the Security Hype podcast and blog
http://www.SecurityHype.com

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
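Added example (not code from the thread or from Mozilla/NSS): the OCSP responder URL discussed above lives in the certificate's Authority Information Access (AIA) extension, so a minimal DER parser for that extension is enough to see what a client would contact, and to flag the condition Nelson suspects: a responder reached over https, whose own certificate would need an OCSP lookup before the first lookup can complete. The DER helpers here are hand-written and only handle the uniformResourceIdentifier form of GeneralName; the https responder URL and the caIssuers URL in the sample are constructed, the http URL is the one quoted in the message.

```python
"""Extract OCSP responder URLs from an AIA extension value and flag recursion.

Stdlib only. The DER encoder exists so the sample input can be built inline;
real input would be the extnValue of extension OID 1.3.6.1.5.5.7.1.1.
"""
from urllib.parse import urlparse

# DER contents of the accessMethod OIDs from RFC 5280, section 4.2.2.1.
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp      1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86    # 0x86 = [6] IMPLICIT IA5String


def _der_len(n):
    """Definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_aia(entries):
    """entries: list of (oid_contents, uri) -> DER AuthorityInfoAccessSyntax."""
    descs = b"".join(
        der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, oid) + der_tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in entries
    )
    return der_tlv(TAG_SEQUENCE, descs)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element); rejects truncation."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_aia(der):
    """Return [(oid_contents, uri), ...] for every URI-form AccessDescription."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("AIA value is not a single SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, oid, p = _read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod is not an OID")
        tag, loc, _ = _read_tlv(desc, p)
        if tag == TAG_URI:          # other GeneralName choices are ignored here
            out.append((oid, loc.decode("ascii")))
    return out


def ocsp_urls(der):
    return [uri for oid, uri in parse_aia(der) if oid == OID_OCSP]


def recursive_ocsp_risk(uri):
    """True when the responder is reached over TLS: validating the responder's
    own certificate can trigger a second OCSP lookup before the first finishes,
    which is the OCSPDeadlock situation described in the reply above."""
    return urlparse(uri).scheme.lower() == "https"


# Constructed sample: the http responder from the message plus a hypothetical
# https responder and a hypothetical caIssuers pointer.
SAMPLE_AIA = encode_aia([
    (OID_OCSP, "http://ocsp.web.aol.com/ocsp"),
    (OID_OCSP, "https://ocsp.example.net/"),
    (OID_CA_ISSUERS, "http://ca.example.net/ca.crt"),
])

if __name__ == "__main__":
    for uri in ocsp_urls(SAMPLE_AIA):
        flag = "RECURSIVE LOOKUP RISK" if recursive_ocsp_risk(uri) else "ok"
        print(f"{uri}: {flag}")
```

Feed it the raw extnValue from a certificate (for example the output of `openssl asn1parse -i -in cert.pem` with the AIA offset, or the bytes a packet capture shows Firefox fetching) and the function tells you which responders a client will contact. An empty list means the certificate carries no OCSP pointer at all, and a client with OCSP enabled will fail in whatever way its policy dictates rather than deadlock.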