Automatically Re-Check the OCSP-Status of a certificate when the OCSP-Responder was offline

  • No replies
  • 1 has this problem
  • 16 views

Hello,

I recently tested the OCSP-status feature aka "security.OCSP.require".

I have a PKI setup, where two different OCSP-Responders exist in different geo-locations to provide high availability.

The TLS-certificate I used for testing had two entries under the AIA extension, one for each responder. I then went ahead and shut down the first responder in that list.

But instead of asking the second responder for a certificate status, Firefox threw an error page and refused to connect to the website. Furthermore, even with the "ocsp_cache" feature disabled, FF did not retry to connect to the first OCSP-Responder even after it was reachable again. I saw no TCP traffic whatsoever when I reloaded the web page. I had to restart the whole browser for it to work again.

Now my question is this:

- Is the OCSP Feature broken in FF 128.2ESR or am I using it incorrectly?

Thank you for your advice!

Regards FSeifer
