Avatar for Username

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

The OCSP response contains out-of-date information...

queryingquail
queryingquail
more options

Our Mozilla based clients are getting the following responses when browsing to a myriad of sites: The OCSP response contains out-of-date information. Error code: SEC_ERROR_OCSP_OLD_RESPONSE

In looking at the session, it appears that the OCSP response in question is a stapled one which is NOT out of date. Turning off the security.ssl.enable_ocsp_stapling setting (set to false) in the about:config for Thunderbird and for FF works to solve this. However, we have no idea why the error is happening based on what we see from ocsp and the session. This _seems_ like a bug.

This started happening within the past few days. Prior to that, there was no issue like this seen. We've used OCSP for about 6 years, and there's nothing new for the CAs we use during the problem window.

I'd like to know what the trigger for this error is: if we can find the actual value being flagged as old. Again, in the capture of the session, the response is still valid for several more days.

Thanks much,

QQ

Our Mozilla based clients are getting the following responses when browsing to a myriad of sites: The OCSP response contains out-of-date information. Error code: SEC_ERROR_OCSP_OLD_RESPONSE In looking at the session, it appears that the OCSP response in question is a stapled one which is NOT out of date. Turning off the security.ssl.enable_ocsp_stapling setting (set to false) in the about:config for Thunderbird and for FF works to solve this. However, we have no idea why the error is happening based on what we see from ocsp and the session. This _seems_ like a bug. This started happening within the past few days. Prior to that, there was no issue like this seen. We've used OCSP for about 6 years, and there's nothing new for the CAs we use during the problem window. I'd like to know what the trigger for this error is: if we can find the actual value being flagged as old. Again, in the capture of the session, the response is still valid for several more days. Thanks much, QQ

All Replies (4)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

You can check the date and time and time zone in the clock on your computer: (double) click the clock icon on the Windows Taskbar.

queryingquail
queryingquail Question owner
more options

Thank you for the reply. We've validated the time stamps on the clients, the servers, and the ocsp systems. That is not, seemingly, the problem.

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

Can you replicate this problem with Firefox?

Can you post a link to a publicly accessible page (i.e. no authentication or signing on required)?

queryingquail
queryingquail Question owner
more options

Presently the only things that we've seen this on are corporate URLs. We don't have anything publicly accessible unfortunately. I recognize this limits the ability to validate.

Essentially, all I can offer is that for a Server Hello frame where ocsp stapling is enabled in the browser, the stapled response (which looks good and valid) seems to be causing this error. When we disable ocsp stapling in about:config (just the one true/false setting), the Server Hello frame no longer includes the stapled response and the connection continues.

In both cases, the client is performing other ocsp validations on the certs during the session (so stapling _really_ is doing nothing but breaking things for us here). But the responses for the individual ocsp requests have the same time frames for validity (thisUpdate, nextUpdate, nextPublish).