View Issue Details

ID: 0001497
Project: Main CAcert Website
Category: account administration
View Status: public
Last Update: 2020-11-10 22:24
Reporter: L10N
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: Main CAcert Website
OS: N/A
Summary: 0001497: OCSP server certificate no longer accepted by Mozilla
Description:
> On 28.10.2020 at 13:06, Bernhard Eisele (priv) wrote:
>> Dear team,
>>
>> yesterday everything still worked fine; today my Firefox (version
>> 82.0.1) reports the following:
>>
>> An error occurred while connecting to cacert.org. The OCSP response
>> contains out-of-date information.
>>
>> Error code: SEC_ERROR_OCSP_OLD_RESPONSE
>>
>> I have marked the root certificate CA Cert Signing Authority as trusted,
>> but still get no further.
>>
>> Apparently the OCSP server is returning a wrong answer (according to
>> Firefox), since Opera works (still?)!
>>
>> Regards,
>> Bernhard


Bernhard Eisele (priv) @ 28.10.20 13:19:
> Solution found:
> Under Settings - Certificates I had to disable the option
> "Query OCSP responder servers to confirm the current validity of
> certificates"; after that it worked again.
>
> Greetings to everyone who may fall into the same trap,
> Bernhard
> PS: This seems to have been changed in the update! Thanks, dear
> Mozilla developers


Tags: No tags attached.
Reviewed by:
Test Instructions:

Activities

L10N (reporter) 2020-11-07 10:53

L10N (reporter) 2020-11-07 10:54 ~0005915

Subject: Re: CAcert website no longer reachable with Firefox
Date: Sat, 31 Oct 2020 16:42:11 +0100
From: Bernd Jantzen
Reply-To: Bernd Jantzen
To: cacert-support@lists.cacert.org


OK, it certainly is not practical that Firefox has changed the default settings
here.

But why does OCSP not work for www.cacert.org? The certificate used to identify
www.cacert.org specifies http://ocsp.cacert.org/ for authority information via
OCSP. So why does it not work? Is there a problem with CAcert's OCSP server? Can
this not be fixed by CAcert instead of telling everybody to deactivate OCSP
checking in Firefox?

And why should it be a good idea to deactivate OCSP checking generally in my
browser? I would guess that this makes my encrypted web connections less secure
because used server certificates might be compromised and revoked without my
browser noticing it.

Best regards,
Bernd

jandd (administrator) 2020-11-07 13:03 ~0005916

Last edited: 2020-11-07 13:06

Seems like the OCSP responder is using sha1WithRSAEncryption to sign OCSP responses and maybe Firefox does not like this anymore:

openssl ocsp -issuer chain.pem -cert www.cacert.org.pem -url http://ocsp.cacert.org/ -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
          Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
          Serial Number: 02E101
    Request Extensions:
        OCSP Nonce:
            04109DE0D1753307C993118853413B773BA4
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., OU = Server Administration, CN = ocsp.cacert.org
    Produced At: Nov 7 12:57:47 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
      Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
      Serial Number: 02E101
    Cert Status: good
    This Update: Oct 17 00:05:34 2020 GMT
    Next Update: Nov 9 12:57:47 2020 GMT

    Response Extensions:
        OCSP Nonce:
            04109DE0D1753307C993118853413B773BA4
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 186781 (0x2d99d)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Aug 25 14:14:29 2019 GMT
            Not After : Aug 24 14:14:29 2021 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., OU=Server Administration, CN=ocsp.cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, OCSP Signing, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl

    Signature Algorithm: sha512WithRSAEncryption
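As an added illustration (not code from the ticket, from CAcert or from Mozilla), the following Python models the time checks a client applies to a single-certificate OCSP response, using the thisUpdate, nextUpdate and producedAt values from the openssl output above. The 10-day lifetime cap and 5-minute clock-skew allowance are my assumptions about how mozilla::pkix evaluates a response, not values stated on this page; the point is that a response can still be inside its own nextUpdate window and be rejected as SEC_ERROR_OCSP_OLD_RESPONSE because thisUpdate is too far in the past.

```python
from datetime import datetime, timedelta, timezone

# Assumed client policy, modelled on mozilla::pkix's OCSP time checks as I
# understand them: a response stays usable for at most MAX_LIFETIME after
# thisUpdate, even when nextUpdate lies further ahead, with a small allowance
# for clock skew. Both constants are assumptions, not values from the ticket.
MAX_LIFETIME = timedelta(days=10)
SLOP = timedelta(minutes=5)


def parse_openssl_time(s):
    """Parse the 'Mon D HH:MM:SS YYYY GMT' form printed by openssl ocsp -text."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_ocsp_times(this_update, next_update, now,
                     max_lifetime=MAX_LIFETIME, slop=SLOP):
    """Classify one SingleResponse by its times.

    Returns (verdict, not_after): verdict is 'ok', 'OLD_RESPONSE',
    'FUTURE_RESPONSE' or 'MALFORMED'; not_after is the last instant the
    client would accept the response (before adding slop).
    """
    if next_update is not None and next_update < this_update:
        return "MALFORMED", None
    # Without nextUpdate the response is only good at thisUpdate itself;
    # with it, until nextUpdate. Either way the lifetime cap wins.
    not_after = next_update if next_update is not None else this_update
    not_after = min(not_after, this_update + max_lifetime)
    if this_update - slop > now:
        return "FUTURE_RESPONSE", not_after
    if not_after + slop < now:
        return "OLD_RESPONSE", not_after
    return "ok", not_after


# Times copied from the openssl ocsp output in the note above.
THIS_UPDATE = parse_openssl_time("Oct 17 00:05:34 2020 GMT")
NEXT_UPDATE = parse_openssl_time("Nov 9 12:57:47 2020 GMT")
PRODUCED_AT = parse_openssl_time("Nov 7 12:57:47 2020 GMT")


def verdict_for_ticket_response(now=PRODUCED_AT):
    """Evaluate the ticket's response at the moment the responder produced it."""
    return check_ocsp_times(THIS_UPDATE, NEXT_UPDATE, now)


if __name__ == "__main__":
    verdict, not_after = verdict_for_ticket_response()
    # OLD_RESPONSE: usable only until 2020-10-27 00:05:34+00:00 although
    # nextUpdate says Nov 9, because thisUpdate is three weeks stale.
    print(verdict, "usable until", not_after)
```

A responder (or a web server stapling a cached response) that keeps re-signing the same three-week-old thisUpdate with a fresh producedAt and nextUpdate will pass its own sanity checks while every client enforcing a lifetime cap rejects it.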

L10N (reporter) 2020-11-07 14:00 ~0005917

Following https://support.mozilla.org/en-US/questions/1237191 from 2018, SHA-1 is "to be disabled". Maybe that happened now?

egal (administrator) 2020-11-10 20:29 ~0005918

Last edited: 2020-11-10 22:24

I checked the logfiles of the OCSP server (and set up a new one in my test environment):

Firefox tries to verify the certificate by using the OCSP responder on port 80. Therefore no OCSP server certificate is questioned.

... but ...

It's the OCSP stapling setting in Apache which breaks the Firefox OCSP functionality ...

As it seems that (at least) one certificate can't be verified, I disabled OCSP stapling temporarily, so access to https://www.cacert.org via Firefox is working again.

... to be continued ...

Issue History

Date Modified     Username  Field / Change
2020-11-07 10:53  L10N      New Issue
2020-11-07 10:53  L10N      File Added: CAcert-Mozilla-Firefox-Unblock.png
2020-11-07 10:54  L10N      Note Added: 0005915
2020-11-07 13:03  jandd     Note Added: 0005916
2020-11-07 13:03  jandd     Note Edited: 0005916
2020-11-07 13:06  jandd     Note Edited: 0005916
2020-11-07 14:00  L10N      Note Added: 0005917
2020-11-10 20:29  egal      Note Added: 0005918
2020-11-10 22:24  egal      Note Edited: 0005918