View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001497 | Main CAcert Website | account administration | public | 2020-11-07 10:53 | 2021-04-05 15:22 |
Reporter | L10N | Assigned To | egal | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | Main CAcert Website | OS | N/A | OS Version | stable |
Summary | 0001497: OCSP server certificate no more accepted by Mozilla | ||||
Description | > On 28.10.2020 at 13:06, Bernhard Eisele (priv) wrote: >> Dear team, >> >> yesterday everything still worked flawlessly; today my Firefox (version >> 82.0.1) reports the following: >> >> An error occurred while connecting to cacert.org. The OCSP response contains >> outdated information. >> >> Error code: SEC_ERROR_OCSP_OLD_RESPONSE >> >> I have granted trust to the root certificate CA Cert Signing Authority, >> but still can't get any further. >> >> Apparently the OCSP server is sending a wrong response (according to >> Firefox), since Opera works (still?)! >> >> Regards, >> Bernhard Bernhard Eisele (priv) @ 28.10.20 13:19: > Found the solution: > Under Settings - Certificates I had to deactivate the option > Query OCSP responder servers to confirm the current validity of certificates > after that it worked again. > > Greetings to everyone who might fall into the same trap > Bernhard > PS: Seems to have been changed in the update! Thanks, dear > Mozilla developers | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
Subject: Re: CAcert website no longer reachable with Firefox Date: Sat, 31 Oct 2020 16:42:11 +0100 From: Bernd Jantzen Reply-To: Bernd Jantzen To: cacert-support@lists.cacert.org OK, it certainly is not practical that Firefox has changed the default settings here. But why does OCSP not work for www.cacert.org? The certificate used to identify www.cacert.org specifies http://ocsp.cacert.org/ for authority information via OCSP. So why does it not work? Is there a problem with CAcert's OCSP server? Can this not be fixed by CAcert instead of telling everybody to deactivate OCSP checking in Firefox? And why should it be a good idea to deactivate OCSP checking generally in my browser? I would guess that this makes my encrypted web connections less secure because used server certificates might be compromised and revoked without my browser noticing it. Best regards, Bernd |
|
It seems like the OCSP responder is using sha1WithRSAEncryption to sign OCSP responses and maybe Firefox does not like this anymore:

```text
openssl ocsp -issuer chain.pem -cert www.cacert.org.pem -url http://ocsp.cacert.org/ -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
          Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
          Serial Number: 02E101
    Request Extensions:
        OCSP Nonce:
            04109DE0D1753307C993118853413B773BA4
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = AU, ST = NSW, L = Sydney, O = CAcert Inc., OU = Server Administration, CN = ocsp.cacert.org
    Produced At: Nov 7 12:57:47 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: F22A621693A6DA5AD0B98D3A135E35D1EB183661
      Issuer Key Hash: 75A871604C8813F078D98977B56DC589DFBCB17A
      Serial Number: 02E101
    Cert Status: good
    This Update: Oct 17 00:05:34 2020 GMT
    Next Update: Nov 9 12:57:47 2020 GMT

    Response Extensions:
        OCSP Nonce:
            04109DE0D1753307C993118853413B773BA4
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 186781 (0x2d99d)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
        Validity
            Not Before: Aug 25 14:14:29 2019 GMT
            Not After : Aug 24 14:14:29 2021 GMT
        Subject: C=AU, ST=NSW, L=Sydney, O=CAcert Inc., OU=Server Administration, CN=ocsp.cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, OCSP Signing, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.cacert.org/class3-revoke.crl
    Signature Algorithm: sha512WithRSAEncryption
```
|
Following https://support.mozilla.org/en-US/questions/1237191 from 2018, SHA-1 is "to be disabled". Maybe that happened now? |
|
I checked the logfiles of the ocsp-server (and set up a new one in my test-environment): Firefox tries to verify the certificate by using the OCSP-responder on port 80. Therefore no ocsp-server-certificate is questioned. ... but ... It's the OCSP stapling setting in apache which breaks the Firefox-OCSP-functionality ... As it seems that (at least) one certificate can't be verified, I disabled OCSP stapling temporarily, so access to https://www.cacert.org via Firefox is working again. ... to be continued ... |
|
Today we detected that a script on ocsp.cacert.org was not running as expected. Therefore the CRL expired for the OCSP daemon, hence giving the OLD_RESPONSE error. We now restarted the script and will change our internal monitoring within the next days. |
|
The OCSP responder has been restored to a proper working state and is monitored properly now. I think the bug has been fixed. |
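A freshness check of the kind the monitoring mentioned above needs, added here as an example (not CAcert's own monitoring code): it parses the `openssl ocsp -text` output quoted earlier in this issue and flags exactly the condition behind SEC_ERROR_OCSP_OLD_RESPONSE, a thisUpdate that is weeks old even though nextUpdate still lies in the future, plus the SHA-1 signature. The 10-day cap is an assumption about mozilla::pkix's default maximum response lifetime, not something stated in this issue, and the function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample: the freshness-relevant lines of the `openssl ocsp -text`
# output quoted in this issue (signature bytes left out).
SAMPLE_RESPONSE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Nov 7 12:57:47 2020 GMT
    This Update: Oct 17 00:05:34 2020 GMT
    Next Update: Nov 9 12:57:47 2020 GMT
    Signature Algorithm: sha1WithRSAEncryption
"""
# Assumed cap: mozilla::pkix accepts a response only until the earlier of
# nextUpdate and thisUpdate + 10 days, so a distant nextUpdate does not help.
MAX_LIFETIME_DAYS = 10
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}

def _timestamp(text, label):
    """Read one 'Label: Mon D HH:MM:SS YYYY GMT' line from openssl's text dump."""
    m = re.search(rf"^\s*{label}:\s+(.+?)\s*$", text, re.MULTILINE)
    if not m:
        return None
    words = m.group(1).split()  # tolerates openssl's padding before one-digit days
    return datetime.strptime(" ".join(words[:4]), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_ocsp_text(text):
    # First "Signature Algorithm" line is the response's own; the responder cert below has another.
    sig = re.search(r"^\s*Signature Algorithm:\s+(\S+)", text, re.MULTILINE)
    return {"this_update": _timestamp(text, "This Update"),
            "next_update": _timestamp(text, "Next Update"),
            "sig_alg": sig.group(1) if sig else None}

def check_response(text, now_iso=None, max_lifetime_days=MAX_LIFETIME_DAYS):
    """Return the problems a monitor should alert on; an empty list means healthy."""
    f = parse_ocsp_text(text)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if f["this_update"] is None:
        return ["missing thisUpdate"]
    problems = []
    deadline = f["this_update"] + timedelta(days=max_lifetime_days)
    if f["next_update"] is not None:
        deadline = min(deadline, f["next_update"])
    if now > deadline:  # the case Firefox reports as SEC_ERROR_OCSP_OLD_RESPONSE
        problems.append(f"old response: thisUpdate is {(now - f['this_update']).days} days old")
    if f["sig_alg"] in WEAK_SIG_ALGS:
        problems.append(f"weak signature algorithm: {f['sig_alg']}")
    return problems

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "2020-11-07T13:00:00+00:00"))
```

Run against a live responder by piping `openssl ocsp ... -text` output into `check_response` without `now_iso`; the sample reproduces the state reported in this issue on 7 November.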
Date Modified | Username | Field | Change |
---|---|---|---|
2020-11-07 10:53 | L10N | New Issue | |
2020-11-07 10:53 | L10N | File Added: CAcert-Mozilla-Firefox-Unblock.png | |
2020-11-07 10:54 | L10N | Note Added: 0005915 | |
2020-11-07 13:03 | jandd | Note Added: 0005916 | |
2020-11-07 13:03 | jandd | Note Edited: 0005916 | |
2020-11-07 13:06 | jandd | Note Edited: 0005916 | |
2020-11-07 14:00 | L10N | Note Added: 0005917 | |
2020-11-10 20:29 | egal | Note Added: 0005918 | |
2020-11-10 22:24 | egal | Note Edited: 0005918 | |
2020-12-15 13:37 | gleurent | Relationship added | related to 0001496 |
2020-12-15 13:37 | gleurent | Relationship deleted | related to 0001496 |
2020-12-24 11:55 | egal | Note Added: 0005928 | |
2021-01-31 11:19 | jandd | Status | new => solved? |
2021-01-31 11:19 | jandd | Resolution | open => fixed |
2021-01-31 11:19 | jandd | Note Added: 0005945 | |
2021-04-05 15:22 | egal | Assigned To | => egal |
2021-04-05 15:22 | egal | Status | solved? => closed |