F.:
Hello,
When OCSP verification is enabled, if the OCSP response fails (corrupt or
incorrect), the client cannot see the page.
This is strange to me; Firefox and other browsers ask the user:
Continue or Cancel if the certificate is invalid or self-signed.
The solution is to disable verification for all certificates.
The certificate is like certificates that have no OCSP responder URI.
I think that Firefox should ask the user.
Disabling OCSP is certainly a bad idea, but at the "Certificate
Validation" configuration there is a flag "When an OCSP server
connection fails, treat the certificate as invalid". You can turn this
one off without disabling all verifications...
We could think about making this default if there are too many failures.
I have the flag on and have not experienced many failures (lately actually
none). However, most sites I visit are served from our own OCSP responder,
so this is not a balanced opinion. Since certificates must be
re-validated by the responder at least every 24 hours, we could think
about this flag somewhat more...
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
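The two policies being argued over above (soft-fail, where an OCSP fetch that yields nothing usable is ignored, and hard-fail, where the "When an OCSP server connection fails, treat the certificate as invalid" flag makes the same failure fatal) as a small decision model. This is an added example, not code from this thread, Firefox or NSS; the responder URL is hypothetical, the scenarios are constructed rather than captured, and the 24-hour cap applied to responses without a nextUpdate is an assumption of the model, chosen to match the re-validation interval Eddy mentions. In Firefox the flag is the security.OCSP.require preference.

```python
# Added example (not code from this thread, Firefox or NSS): a model of the
# two OCSP failure policies discussed above, soft-fail and hard-fail.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"      # responder has no record of this certificate


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


@dataclass
class OcspResult:
    """What one OCSP fetch produced. status is None when nothing usable came
    back: the connection failed, the response was corrupt, or its signature
    did not verify."""
    status: Optional[OcspStatus]
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    error: Optional[str] = None


def is_fresh(result: OcspResult, now: datetime, max_age: timedelta) -> bool:
    """A response only counts inside its validity window. max_age is an
    assumed client-side cap for responses that omit nextUpdate."""
    if result.this_update is None or result.this_update > now:
        return False
    if result.next_update is not None:
        return now <= result.next_update
    return now - result.this_update <= max_age


def decide(ocsp_url: Optional[str], result: Optional[OcspResult], now: datetime,
           require_ocsp: bool,
           max_age: timedelta = timedelta(hours=24)) -> Tuple[Verdict, str]:
    """Verdict for a certificate that already passed chain validation.
    require_ocsp models the "treat the certificate as invalid" flag."""
    # 1. No OCSP responder URI in the certificate: nothing to ask, so the
    #    certificate is accepted under both policies.
    if ocsp_url is None:
        return Verdict.ACCEPT, "no OCSP responder URI; check skipped"

    # 2. A parseable, fresh response decides the outcome whatever the flag.
    if result is not None and result.status is not None:
        if not is_fresh(result, now, max_age):
            failure = "OCSP response outside its validity window"
        elif result.status is OcspStatus.GOOD:
            return Verdict.ACCEPT, "OCSP responder reports good"
        elif result.status is OcspStatus.REVOKED:
            return Verdict.REJECT, "OCSP responder reports revoked"
        else:
            # This model treats "unknown" like a failed check.
            failure = "OCSP responder reports unknown"
    else:
        failure = (result.error if result is not None and result.error
                   else "OCSP server connection failed")

    # 3. No usable answer: the only place the flag changes the outcome.
    if require_ocsp:
        return Verdict.REJECT, failure + "; hard-fail: certificate treated as invalid"
    return Verdict.ACCEPT, failure + "; soft-fail: failure ignored"


def demo(now: Optional[datetime] = None) -> Dict[Tuple[str, bool], Verdict]:
    """Constructed scenarios (not captured traffic) run under both policies.
    Returns {(scenario, require_ocsp): verdict}."""
    now = now or datetime(2008, 6, 1, 12, 0, tzinfo=timezone.utc)
    url = "http://ocsp.example.test/"   # hypothetical responder URL
    h = timedelta(hours=1)
    scenarios = {
        "good":        (url, OcspResult(OcspStatus.GOOD, now - h, now + 23 * h)),
        "revoked":     (url, OcspResult(OcspStatus.REVOKED, now - h, now + 23 * h)),
        "stale":       (url, OcspResult(OcspStatus.GOOD, now - 72 * h, now - 48 * h)),
        "corrupt":     (url, OcspResult(None, error="OCSP response could not be parsed")),
        "unreachable": (url, None),
        "no_uri":      (None, None),
    }
    return {(name, require): decide(u, res, now, require)[0]
            for name, (u, res) in scenarios.items()
            for require in (False, True)}


if __name__ == "__main__":
    for (name, require), verdict in demo().items():
        print(f"{name:12s} require_ocsp={require!s:5s} -> {verdict.value}")
```

The point the table makes is the one Eddy is making: a "good" or "revoked" answer is honoured under both policies, and a certificate with no responder URI is never checked at all, so the flag only changes what happens for the corrupt, unreachable and stale cases. Turning the flag off is therefore a much narrower change than disabling OCSP altogether, which would also drop the "revoked" rejection.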
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto