Error code: SEC_ERROR_OCSP_BAD_SIGNATURE on Some Websites
One of the techs at Bleepingcomputer suggested I contact you for this problem. They went through my computer for malware and gave me a clean bill of health. Tech said he knows it has something to do with certificates, and that he wasn't really an expert on FF. I have several addons that contain important data I would hate to lose. So I'm wondering if there is an easy way of doing this without reinstalling FF and all of the addons again, backing up and restoring data.
I'm using W10 and FF 64-bit. It's a Lenovo laptop.
Alle Antworten (12)
Try to rename the cert8.db file (cert8.db.old) and delete the cert_override.txt file in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored.
If that has helped to solve the problem then you can remove the renamed cert8.db.old file.
Firefox will automatically store intermediate certificates that servers send in the Certificate Manager for future use.
You can use this button to go to the current Firefox profile folder:
- Help -> Troubleshooting Information -> Profile Directory:
Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder - http://kb.mozillazine.org/Profile_folder_-_Firefox
Does this problem occur just on a particular website? It's not the kind of error you would expect to see on a lot of sites because it most likely indicates an error in how the certificates are being served.
We had a thread from the other day where the poster disabled OCSP stapling as a workaround for this error code. With stapling, Firefox accepts a file from the web server itself to validate its certificate rather than checking with the issuer directly. This is faster and more private. But if the web server sends a problematic verification, it will fail. If you find that is the problem with the site you're trying to visit, please let them know.
I cannot find the cert_override.txt file in the Firefox profile folder.
jscher2000: It has happened on a couple of websites now. Those same sites work using other browsers, and may work on the second or third try sometimes using FF. I'm not familar with this OCSP Stapling. How would I check to see it is disabled?
Hi JoBlow, please see the thread I linked to for the steps to enable or disable stapling.
jscher2000: I switched from enabled to disabled. www.foboko.com loaded, but loaded sluggishly. I can't remember the other site. Know of any I can test with?
JoBlow said
jscher2000: I switched from enabled to disabled. www.foboko.com loaded, but loaded sluggishly.
Hmm, I think StartCom / StartSSL was the issuer in the other thread, too. Maybe they are having a problem, or maybe something is a bit odd on the server side: after it failed in Firefox, I tried the site in Chrome for comparison, and then a few minutes later the site loaded in Firefox just fine. ???
That server has other configuration issues which undermine its security: https://www.ssllabs.com/ssltest/analyze.html?d=www.foboko.com
I can't remember the other site. Know of any I can test with?
Not that I can think of. It has been a rare problem here.
So is this a security issue I need be concerned with?
What would you advise?
I think it depends on your paranoia level.
For random browsing, I wouldn't bother trying to solve it and just move on to another site.
If you use it often, I suggest alerting the site to the problem to see whether they can find a solution on their side.
If you disable stapling but leave OCSP checks enabled, then Firefox will validate the certificate directly with the issuer. However, this is a privacy leak because the issuer knows that someone using Firefox at your IP address is visiting that secure site. Unfortunately, there doesn't appear to be a perfect solution...
Just an observation: I note the https site https://www.foboko.com/ is not secure according to this analysis
And includes error message
OCSP ERROR: Request failed with HTTP status: 502 http://ocsp.startssl.com
This site uses OCSP stapling.
Here is how I have it setup right now. If you could look and advise. Thanks. (uploaded .png of about:config OCSP settings
Hi JoBlow, my understanding of those settings is that Firefox will not accept the OCSP verification from the web server and will instead check with the certificate issuer.