The OCSP response contains out-of-date information...
Our Mozilla based clients are getting the following responses when browsing to a myriad of sites: The OCSP response contains out-of-date information. Error code: SEC_ERROR_OCSP_OLD_RESPONSE
In looking at the session, it appears that the OCSP response in question is a stapled one which is NOT out of date. Turning off the security.ssl.enable_ocsp_stapling setting (set to false) in the about:config for Thunderbird and for FF works to solve this. However, we have no idea why the error is happening based on what we see from ocsp and the session. This _seems_ like a bug.
This started happening within the past few days. Prior to that, there was no issue like this seen. We've used OCSP for about 6 years, and there's nothing new for the CAs we use during the problem window.
I'd like to know what the trigger for this error is: if we can find the actual value being flagged as old. Again, in the capture of the session, the response is still valid for several more days.
Thanks much,
ყველა პასუხი (4)
You can check the date and time and time zone in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
Thank you for the reply. We've validated the time stamps on the clients, the servers, and the ocsp systems. That is not, seemingly, the problem.
Can you replicate this problem with Firefox?
Can you post a link to a publicly accessible page (i.e. no authentication or signing on required)?
Presently the only things that we've seen this on are corporate URLs. We don't have anything publicly accessible unfortunately. I recognize this limits the ability to validate.
Essentially, all I can offer is that for a Server Hello frame where ocsp stapling is enabled in the browser, the stapled response (which looks good and valid) seems to be causing this error. When we disable ocsp stapling in about:config (just the one true/false setting), the Server Hello frame no longer includes the stapled response and the connection continues.
In both cases, the client is performing other ocsp validations on the certs during the session (so stapling _really_ is doing nothing but breaking things for us here). But the responses for the individual ocsp requests have the same time frames for validity (thisUpdate, nextUpdate, nextPublish).