
Support Forum

SSL revocation


Hi,

We have revoked an SSL certificate and checked all the Firefox options required in order to check the OCSP server for updates. The test has been done on IE 11 and it worked; however, it failed on FF 55.0.3 (32 bits).

Is it something that we missed or is it a bug?

Thank you.


Additional System Details

Installed Plug-ins

  • Shockwave Flash 26.0 r0

Application

  • Firefox 55.0.3
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
  • Support URL: https://support.mozilla.org/1/firefox/55.0.3/WINNT/fr/

Extensions

  • Calomel SSL Validation 0.82 (calomelsslvalidation@calomel.org)
  • CheckMyHTTPS 4.1.1 (info@checkmyhttps.net)
  • eCleaner (Forget Button) 0.1.4 ({13ea5d17-aa13-474a-b8cd-891073b53c66})
  • SSLPersonas 2.3.2 (sslPersonas@tobitobi.de)

Misc

  • User JS: No
  • Accessibility: No

Question owner

The same test was successful on Chrome.

cor-el

Do you mean that Firefox is accepting a certificate that is revoked?

Can you post a link to a publicly accessible page (i.e. no authentication or signing on required)?

What do you see in the Certificate Manager?

You can open the Certificate Manager and go to the Servers tab. The Servers tab has an "Add Exception" to open the "Add Security Exception" window. You can type/paste the domain in the location field and click "Get Certificate" to retrieve the certificate and click the "View" button to inspect the version.


Question owner

That's right, we have revoked the certificate. Actually, IE and Chrome display an error message, but not FF.

I have tried to modify the options using about:config; however, no changes occurred.

What would be the problem, as in theory FF should check the OCSP server in order to validate the certificate.

jscher2000

What if you check here: https://www.ssllabs.com/ssltest/

I do think that Firefox has a preference for OCSP stapling. If the server is sending a stapled OCSP response, Firefox might not separately check with the issuer. Could that be the problem?


Question owner

Basically, we are the issuer of the certificate. When we revoke it, as CA authority, all the browsers acknowledge it, but Firefox.

The following options are on:

security.ssl.enable_ocsp_must_staple;true
security.ssl.enable_ocsp_stapling;true

Also, for the other ones:

security.OCSP.enabled;0
security.OCSP.GET.enabled;false

I have also tried to set them @ 1 or 2 and true...

The checking OCSP option is checked as well, so basically all the conditions are fulfilled.

The result is that FF is acting as if no revocation has been done, so it looks like no OCSP checking has been done.

Thanks.

jscher2000

Chosen Solution

The source file indicates:

  * ... The possible
  * values for "security.OCSP.enabled" are:
  * 0: fetching is disabled
  * 1: fetch for all certificates
  * 2: fetch only for EV certificates

It usually is safest to right-click > Reset if you want to test the default behavior. You might also consider:

New Profile Test

This takes about 3 minutes, plus the time to test the site.

Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.

Click the Create a New Profile button, then click Next. Assign a name like Sept2017, ignore the option to relocate the profile folder, and click the Finish button.

After creating the profile, scroll down to it and click the Set as default profile button below that profile, then scroll back up and click the Restart normally button. (There are some other buttons, but I think those are still "under construction" so please ignore them.)

Firefox should exit and then start up using the new profile, which will just look brand new.

Does OCSP checking work any better in the new profile?

When you are done with the experiment, open the about:profiles page again, click the Set as default profile button for your normal profile, then click the Restart normally button to get back to it.

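Added example (not part of the thread, and not Mozilla's code): a small Python audit that reads the four OCSP preferences named above from either a `prefs.js` fragment or the `name;value` form pasted from about:config, and labels `security.OCSP.enabled` with the meanings quoted from the source file. The `prefs.js` sample is constructed; the second sample is the set of values the question owner posted, where `security.OCSP.enabled;0` maps to "fetching is disabled".

```python
import re

# Meaning of each "security.OCSP.enabled" value, as quoted from the source file above.
OCSP_MODES = {
    0: "fetching is disabled",
    1: "fetch for all certificates",
    2: "fetch only for EV certificates",
}
# The four preferences named in this thread.
WATCHED = ("security.OCSP.enabled", "security.OCSP.GET.enabled",
           "security.ssl.enable_ocsp_stapling", "security.ssl.enable_ocsp_must_staple")
# prefs.js stores user_pref("name", value); about:config copies look like name;value
PREFS_JS = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+)\s*\)')
ABOUT_CONFIG = re.compile(r'\b([A-Za-z][\w.\-]*);(true|false|-?\d+)\b')

def parse_prefs(text):
    """Return {name: bool|int} for the watched prefs found in either format."""
    found = {}
    for pattern in (PREFS_JS, ABOUT_CONFIG):
        for name, raw in pattern.findall(text):
            if name in WATCHED:
                found[name] = (raw == "true") if raw in ("true", "false") else int(raw)
    return found

def audit(text):
    """Return (pref, value, note) rows, one per watched pref, in WATCHED order."""
    prefs = parse_prefs(text)
    rows = []
    for name in WATCHED:
        if name not in prefs:
            rows.append((name, None, "not present in this input"))
        elif name == "security.OCSP.enabled":
            note = OCSP_MODES.get(prefs[name], "value not listed in the source comment")
            rows.append((name, prefs[name], note))
        else:
            rows.append((name, prefs[name], "on" if prefs[name] else "off"))
    return rows

# Constructed prefs.js fragment (not from a real profile).
SAMPLE_PREFS_JS = '''user_pref("browser.startup.page", 3);
user_pref("security.OCSP.enabled", 0);
user_pref("security.ssl.enable_ocsp_stapling", true);
'''
# The values as pasted by the question owner in the thread above.
SAMPLE_THREAD = ("security.ssl.enable_ocsp_must_staple;true "
                 "security.ssl.enable_ocsp_stapling;true. "
                 "security.OCSP.enabled;0 security.OCSP.GET.enabled;false")

if __name__ == "__main__":
    for label, text in (("prefs.js", SAMPLE_PREFS_JS), ("thread", SAMPLE_THREAD)):
        for name, value, note in audit(text):
            print(f"{label}: {name} = {value!r} ({note})")
```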

Question owner

Thank you, the problem has been solved; however, some previous versions don't have the about:profiles option.

Is there any other way to do it?

Thanks again!

jscher2000

about:profiles became functional in Firefox 47, so it is available in all currently supported versions of Firefox.

In earlier versions, it was necessary to exit out of Firefox and start up in the Profile Manager dialog. See: Use the Profile Manager to create and remove Firefox profiles.
