Automatically Re-Check the OCSP-Status of a certifiacte when the OCSP-Responder was offline
Hello,
I recently tested the OCSP-status feature aka "security.OCSP.require".
I have a PKI setup, where two different OCSP-Responders exist in different geo-locations to provide high availability.
The TLS-certificate I used for testing, had two entries under the AIA extension, one for each responder. I then went ahead and shut down the first responder in that list.
But instead of asking the second responder for a certificate status, Firefox threw an error page and refused to connect to the website. Furthermore, even with the "ocsp_cache" feature disabled, FF did not retry to connect to the first OCSP-Responder even after it was reachable again. I saw no tcp-traffic whatsoever when I reloaded the web-page. I had to restart the whole browser for it to work again.
Now my question is this:
- Is the OCSP Feature broken in FF 128.2ESR or am I using it incorrectly?
Thank you for your advice!
Regards FSeifer