Windows 10 reached EOS (end of support) on October 14, 2025. For more information, see this article.

Avatar for Username

Pomoc pśepytaś

Glědajśo se wobšudy pomocy. Njenapominajomy was nigda, telefonowy numer zawołaś, SMS pósłaś abo wósobinske informacije pśeraźiś. Pšosym dajśo suspektnu aktiwitu z pomocu nastajenja „Znjewužywanje k wěsći daś“ k wěsći.

Dalšne informacije

OCSP Must-Staple Behavior Observations in Firefox

  • 1 wótegrono
  • 1 ma toś ten problem
  • 38 naglědow
  • Slědne wótegrono wót Denys

hengsheng wang
hengsheng wang
dalšne nastajenja

Subject: OCSP Must-Staple Behavior Observations in Firefox (Including iOS Platform)

Dear Firefox Team,

We have been conducting tests involving certificates with the OCSP Must-Staple extension and would like to share several observations regarding Firefox’s behavior across different platforms:

General Compliance with Must-Staple: On most platforms, Firefox correctly enforces the Must-Staple extension. That is, if a certificate includes the Must-Staple flag and the web server fails to provide a stapled OCSP response, the connection is appropriately terminated.

Unexpected Behavior on iOS: However, we have observed that Firefox on iOS does not appear to enforce this requirement consistently. Even when the server does not provide a stapled OCSP response, the browser still establishes the TLS connection. We are unsure whether this is due to platform limitations or an implementation inconsistency.

Redundant OCSP Requests Despite Stapling: Additionally, we found that Firefox still initiates an OCSP request even when a valid stapled response has already been provided by the server. This behavior not only degrades performance but may also introduce privacy concerns, it contrary to the original privacy and efficiency goals of OCSP Stapling.

Subject: OCSP Must-Staple Behavior Observations in Firefox (Including iOS Platform) Dear Firefox Team, We have been conducting tests involving certificates with the OCSP Must-Staple extension and would like to share several observations regarding Firefox’s behavior across different platforms: General Compliance with Must-Staple: On most platforms, Firefox correctly enforces the Must-Staple extension. That is, if a certificate includes the Must-Staple flag and the web server fails to provide a stapled OCSP response, the connection is appropriately terminated. Unexpected Behavior on iOS: However, we have observed that Firefox on iOS does not appear to enforce this requirement consistently. Even when the server does not provide a stapled OCSP response, the browser still establishes the TLS connection. We are unsure whether this is due to platform limitations or an implementation inconsistency. Redundant OCSP Requests Despite Stapling: Additionally, we found that Firefox still initiates an OCSP request even when a valid stapled response has already been provided by the server. This behavior not only degrades performance but may also introduce privacy concerns, it contrary to the original privacy and efficiency goals of OCSP Stapling.

Wšykne wótegrona (1)

Denys
Denys
  • Top 10 Contributor
  • Moderator
dalšne nastajenja

Hello,

Thank you very much for reaching out. However, the people who answer questions here, for the most part, are other users volunteering their time (like me), not Mozilla employees or developers.

Please report the found bugs on Bugzilla for Firefox and on GitHub for Firefox for iOS (see File a bug report or feature request for Mozilla products for reference).

Stajśo pšašanje

Musyśo se pla swójogo konta pśizjawiś, aby na pśinoski wótegronił. Pšosym stajśo pšašanje, jolic hyšći njamaśo wužywaŕske konto.