Avatar for Username

সহায়তা খুঁজুন

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

আরও জানুন

OCSP Must-Staple Behavior Observations in Firefox

  • 1 উত্তর
  • 0 এই সমস্যাটি আছে
  • 2 দেখুন
  • শেষ জবাব দ্বারা Denys

hengsheng wang
hengsheng wang
more options

Subject: OCSP Must-Staple Behavior Observations in Firefox (Including iOS Platform)

Dear Firefox Team,

We have been conducting tests involving certificates with the OCSP Must-Staple extension and would like to share several observations regarding Firefox’s behavior across different platforms:

General Compliance with Must-Staple: On most platforms, Firefox correctly enforces the Must-Staple extension. That is, if a certificate includes the Must-Staple flag and the web server fails to provide a stapled OCSP response, the connection is appropriately terminated.

Unexpected Behavior on iOS: However, we have observed that Firefox on iOS does not appear to enforce this requirement consistently. Even when the server does not provide a stapled OCSP response, the browser still establishes the TLS connection. We are unsure whether this is due to platform limitations or an implementation inconsistency.

Redundant OCSP Requests Despite Stapling: Additionally, we found that Firefox still initiates an OCSP request even when a valid stapled response has already been provided by the server. This behavior not only degrades performance but may also introduce privacy concerns, it contrary to the original privacy and efficiency goals of OCSP Stapling.

Subject: OCSP Must-Staple Behavior Observations in Firefox (Including iOS Platform) Dear Firefox Team, We have been conducting tests involving certificates with the OCSP Must-Staple extension and would like to share several observations regarding Firefox’s behavior across different platforms: General Compliance with Must-Staple: On most platforms, Firefox correctly enforces the Must-Staple extension. That is, if a certificate includes the Must-Staple flag and the web server fails to provide a stapled OCSP response, the connection is appropriately terminated. Unexpected Behavior on iOS: However, we have observed that Firefox on iOS does not appear to enforce this requirement consistently. Even when the server does not provide a stapled OCSP response, the browser still establishes the TLS connection. We are unsure whether this is due to platform limitations or an implementation inconsistency. Redundant OCSP Requests Despite Stapling: Additionally, we found that Firefox still initiates an OCSP request even when a valid stapled response has already been provided by the server. This behavior not only degrades performance but may also introduce privacy concerns, it contrary to the original privacy and efficiency goals of OCSP Stapling.

All Replies (1)

Denys
Denys
  • Moderator
  • Top 10 Contributor
more options

Hello,

Thank you very much for reaching out. However, the people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or developers.

Please report the found bugs on Bugzilla for Firefox and on GitHub for Firefox for iOS (see File a bug report or feature request for Mozilla products for reference).

Helpful?

একটি প্রশ্ন জিজ্ঞাসা করুন

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.