
Automatically Re-Check the OCSP-Status of a certificate when the OCSP-Responder was offline


Hello,

I recently tested the OCSP-status feature aka "security.OCSP.require".

I have a PKI setup, where two different OCSP-Responders exist in different geo-locations to provide high availability.

The TLS-certificate I used for testing had two entries under the AIA extension, one for each responder. I then went ahead and shut down the first responder in that list.

But instead of asking the second responder for a certificate status, Firefox threw an error page and refused to connect to the website. Furthermore, even with the "ocsp_cache" feature disabled, FF did not retry to connect to the first OCSP-Responder even after it was reachable again. I saw no TCP traffic whatsoever when I reloaded the web page. I had to restart the whole browser for it to work again.

Now my question is this:

- Is the OCSP Feature broken in FF 128.2ESR or am I using it incorrectly?

Thank you for your advice!

Regards FSeifer
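
For checking such a setup independently of the browser, the following added example (not part of the original post and not Firefox code) parses an AIA extension value, lists its OCSP responder URIs in certificate order, and probes each one separately. The hostnames and the sample extension bytes are constructed, and `make_aia`, `ocsp_urls` and `probe_all` are hypothetical helper names; obtaining the AIA value from a real certificate is left to your X.509 tooling.

```python
import socket
from urllib.parse import urlsplit

OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp, 1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers, 1.3.6.1.5.5.7.48.2

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, content, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def ocsp_urls(aia_der):
    """Return the OCSP responder URIs of an AIA extension value, in certificate order."""
    tag, seq, _ = read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    urls, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)           # AccessDescription
        _, oid, p = read_tlv(desc, 0)               # accessMethod
        loc_tag, loc, _ = read_tlv(desc, p)         # accessLocation (GeneralName)
        if oid == OID_OCSP and loc_tag == 0x86:     # [6] uniformResourceIdentifier
            urls.append(loc.decode("ascii"))
    return urls

def tcp_probe(url, timeout=3.0):    # TCP reachability only, not OCSP response validity
    u = urlsplit(url)
    try:
        socket.create_connection((u.hostname, u.port or 80), timeout).close()
        return True
    except OSError:
        return False

def probe_all(urls, probe=tcp_probe):   # probe every responder; no stop at first failure
    return {url: probe(url) for url in urls}

def tlv(tag, content):              # encoder for the constructed sample: short-form lengths only
    return bytes([tag, len(content)]) + content

def make_aia(entries):              # entries: (access-method OID, URI) pairs
    return tlv(0x30, b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x86, u.encode())) for o, u in entries))

# Constructed sample: two OCSP responders plus one caIssuers entry (hostnames are made up).
SAMPLE_AIA = make_aia([(OID_OCSP, "http://ocsp-a.example.test"),
                       (OID_CA_ISSUERS, "http://ca.example.test/ca.crt"),
                       (OID_OCSP, "http://ocsp-b.example.test")])
```

Calling `probe_all(ocsp_urls(SAMPLE_AIA))` with the default probe attempts real TCP connections, so substitute the AIA value of your own certificate before running it against a network.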
