"Secure Connection Failed" (Error Code: sec_error_ocsp_unknown_cert)
Just since the 95.0 update I'm getting "Secure Connection Failed" (Error Code: sec_error_ocsp_unknown_cert) when trying to connect to some sites; the most recent is "https://www.microsoft.com". I have set security.ssl.enable_ocsp_stapling to false. Is there a planned fix for this? Googling shows that it's become an issue recently. Thanks, Al
All Replies (8)
What security software are you running?
This is something that the website needs to fix. Browsers like Google Chrome do not check the OCSP response as strictly as Firefox does (if at all) and aren't affected if the OCSP response sent via OCSP stapling is broken or invalid, but Firefox considers this a security breach and refuses to access the website. This might only be an issue with a specific mirror server and others might not be affected, so I'm not sure whether MS is already aware.
jonzn4SUSE - Defender and Malwarebytes on a Windows 11 PC and Defender on my Windows 10 laptop, both having Firefox issues with Microsoft as well as at least one other site (The Opensky Network, which is where this all started).
Modified by 1aught
Users have been reporting OCSP-related issues with various Microsoft sites since last Friday. I haven't had an issue with other addresses mentioned but with the www site I currently get:
An error occurred during a connection to www.microsoft.com. The OCSP response does not include a status for the certificate being verified. Error code: MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
The inconsistency among users suggests that just a few boxes in the Akamai Content Distribution Network need to be fixed.
Last night, I could open links on docs.microsoft.com but now I get the MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING error there while the www site opens without drama (on 18.104.22.168). Frustrating.
The problem has been identified as Firefox not supporting SHA-2 hashes in certificate IDs in OCSP certificates. Apparently some of the OCSP certificates in the Microsoft/Akamai network use SHA-2 hashes that way.
A patch was submitted a few hours ago that needs to undergo testing, and assuming it doesn't cause other problems, it should be included in the next update. I don't have an idea of when that might be released.
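Added example (not from this thread and not Firefox's code): a simplified Python model of why a verifier that only recomputes SHA-1 CertID hashes reports that a stapled response has no status for the certificate when the responder used SHA-256. The CertID fields follow RFC 6960; the issuer name, key, serial and function names are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Hash functions a verifier may be able to recompute for a CertID.
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

@dataclass(frozen=True)
class CertID:
    # RFC 6960 CertID: hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber
    hash_algorithm: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial_number: int

def make_cert_id(alg, issuer_name_der, issuer_key, serial):
    """Build the CertID a responder or verifier derives for one certificate."""
    h = HASHES[alg]
    return CertID(alg, h(issuer_name_der).digest(), h(issuer_key).digest(), serial)

def find_status(responses, issuer_name_der, issuer_key, serial,
                supported=("sha1", "sha256")):
    """Return the status of the matching SingleResponse, or None if none matches.

    The verifier must recompute the hashes with the algorithm named in each
    CertID; entries using an unsupported algorithm can never match.
    """
    for cert_id, status in responses:
        if cert_id.hash_algorithm not in supported:
            continue  # cannot recompute these hashes, so this entry is skipped
        if cert_id == make_cert_id(cert_id.hash_algorithm,
                                   issuer_name_der, issuer_key, serial):
            return status
    return None  # surfaces to the user as "no status for the certificate"

# Constructed sample data (placeholders, not real DER or a real key).
ISSUER_NAME = b"constructed issuer DN"
ISSUER_KEY = b"constructed issuer public key"
SERIAL = 0x1234
STAPLED_SHA1 = [(make_cert_id("sha1", ISSUER_NAME, ISSUER_KEY, SERIAL), "good")]
STAPLED_SHA256 = [(make_cert_id("sha256", ISSUER_NAME, ISSUER_KEY, SERIAL), "good")]

if __name__ == "__main__":
    for name, stapled in (("sha1", STAPLED_SHA1), ("sha256", STAPLED_SHA256)):
        old = find_status(stapled, ISSUER_NAME, ISSUER_KEY, SERIAL, supported=("sha1",))
        new = find_status(stapled, ISSUER_NAME, ISSUER_KEY, SERIAL)
        print(f"stapled CertID {name}: sha1-only verifier={old}, sha2-aware verifier={new}")
```

The model fails closed: an unmatched response yields no status rather than an assumed "good", which is why the connection is refused instead of silently proceeding.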
Just a quick note to ask you to look out for an update to Firefox that should be with you very soon that should resolve this issue.
If you have used a temporary workaround in about:config, I recommend that you reverse this measure at this time.
You can update to 95.0.1 via "Help -> About Firefox" to get a fix for this issue.
If you have modified security.ssl.enable_ocsp_stapling on the about:config page then reset the pref to re-enable OCSP.