r.e. security.ssl.enable_ocsp_stapling
Hi On a couple of occasions I have been unable to get to a particular website. I can’t recall what the previous problem websites were and those problems were corrected within a couple of days, but the latest (todays) problem is with Amazon.
Here is the error message I received: An error occurred during a connection to www.amazon.de. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT
My google searches reveal the following solution (which works for me) from https://support.mozilla.org/en-US/questions/1161980 : You can temporarily disable OCSP Stapling : Type in the address bar about:config (press Enter) (promise to be careful, if asked) Type and look for the preference : security.ssl.enable_ocsp_stapling and set it's value to false It is best to reset this pref via the right-click context menu to true once you are done with this website.
My question is what does security.ssl.enable_ocsp_stapling do and why do I need to disable it to get some something like Amazon to work?
Thanks
Chosen solution
OCSP is a method to check whether a site's SSL certificate has been revoked by its issuer. "Stapling" is a method for the site to deliver proof of validity along with its own certificate. This improves privacy for the user because you don't need to reveal to a third party (the issuer) that you need to know about the site you're trying to use.
As for what suddenly went wrong, I don't know. Starting about 5 hours ago, users have been reporting OCSP errors on various sites that use the Akamai Content Distribution Network:
- www.cbssports.com
- i.ebayimg.com
- tools.usps.com
- www.ask.com
- and now you've identified www.amazon.de
- mentioned on Reddit radar.weather.gov
(You already know this part)
As a temporary workaround, you can disable OCSP stapling. With that change, instead of Firefox expecting sites to provide an OCSP certificate -- a verification that its certificate has not been revoked -- Firefox will query the service provider that signed the certificate. This is good for security but not the best arrangement for privacy, because the service provider knows a computer at your IP address is checking out that site. So after you finish using the site, you can switch the setting back.
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste ocsp and pause while the list is filtered
(3) Double-click the security.ssl.enable_ocsp_stapling preference to switch the value from true to false
Success?
Read this answer in context 👍 1All Replies (3)
Chosen Solution
OCSP is a method to check whether a site's SSL certificate has been revoked by its issuer. "Stapling" is a method for the site to deliver proof of validity along with its own certificate. This improves privacy for the user because you don't need to reveal to a third party (the issuer) that you need to know about the site you're trying to use.
As for what suddenly went wrong, I don't know. Starting about 5 hours ago, users have been reporting OCSP errors on various sites that use the Akamai Content Distribution Network:
- www.cbssports.com
- i.ebayimg.com
- tools.usps.com
- www.ask.com
- and now you've identified www.amazon.de
- mentioned on Reddit radar.weather.gov
(You already know this part)
As a temporary workaround, you can disable OCSP stapling. With that change, instead of Firefox expecting sites to provide an OCSP certificate -- a verification that its certificate has not been revoked -- Firefox will query the service provider that signed the certificate. This is good for security but not the best arrangement for privacy, because the service provider knows a computer at your IP address is checking out that site. So after you finish using the site, you can switch the setting back.
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste ocsp and pause while the list is filtered
(3) Double-click the security.ssl.enable_ocsp_stapling preference to switch the value from true to false
Success?
Modified by jscher2000 - Support Volunteer
Hi Thanks for the reply, the solution works... I just have to remember to switch security.ssl.enable_ocsp_stapling back to True when I have finished. One further thought; I don’t know if it is possible to change the title of this thread, but I think that if others are searching for an answer then my title wouldn’t be helpful (or discovered).
Thanks.
bobsone said
One further thought; I don’t know if it is possible to change the title of this thread, but I think that if others are searching for an answer then my title wouldn’t be helpful (or discovered).
Eight hours have passed and the site seems to be working again, so you probably do not need to mention Amazon DE specifically. The title may be useful to anyone else with a question about that preference.