Multiple Sites Blocked with "SEC_ERROR_REVOKED_CERTIFICATE", but work fine with Google Chrome
In the last few days, I started having multiple web sites blocked with "SEC_ERROR_REVOKED_CERTIFICATE". They work fine with Google Chrome and Microsoft Edge, and I trust them. One example is http://www.wumb.org, a public radio station. I found nothing in Firefox Help to bypass this security flag and go to the page.
If there is a work-around, please make it show up when searching for SEC_ERROR_REVOKED_CERTIFICATE in Firefox Help. If there is no work-around, please add one. Otherwise, Firefox, my favorite browser, will quickly get a bad reputation.
Thanks,
Eliot Mayer Belmont, MA, USA
All replies (10)
- Can you check the revocation status on this page? https://certificate.revocationcheck.com/wumb.org
- The work-around will lower your security, but for a moment you can try to turn off the Query OCSP responder servers to confirm the current validity of certificates option.
Hi TyDraniu,
Thank you for trying to help. I'm not there yet:
1. I tried your revocationcheck link and got this: Revocation check via OCSP and CRL for wumb.org failed Sorry, the request for wumb.org could not be completed... We could not load the certificate for wumb.org, it might not exist or we could not reach the server, complete the TLS handshake, etc.
2. What is the procedure to "try to turn off the Query OCSP responder servers to confirm the current validity of certificates option."?
The certificate shows as revoked on this test site: https://www.ssllabs.com/ssltest/analyze.html?d=www.wumb.org&latest
This seems to be surprisingly frequent with Starfield/GoDaddy certificates and the site owners may not realize it if they never visit their site in a browser that does OCSP lookups. (Chrome uses a cached list called a CRL, so there are delays in when it recognizes a revoked certificate.)
I suggest informing the site of the problem.
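The replies above point at third-party checkers; the same lookup can be done locally with the openssl command-line tool. The script below is an added example, not code from this thread or from Mozilla. It assumes openssl 1.1.1 or later is installed, that the server sends its issuer certificate in the TLS chain (most do), and that the default system trust store can verify the responder's signature; the sample transcripts in the block are constructed, not captured from wumb.org. Only check_revocation touches the network, so you can run the parser part offline.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the OCSP lookup Firefox performs.
# Assumes: openssl >= 1.1.1 on PATH; the host presents its issuer in the chain.

# Read a PEM chain on stdin; write the first certificate to DIR/leaf.pem and the
# second one (the issuer) to DIR/issuer.pem.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (dir "/leaf.pem") }
        n == 2 { print > (dir "/issuer.pem") }
    '
}

# Reduce an "openssl ocsp" transcript to one word: good, revoked, unknown, or error.
# "error" covers an unreachable responder, a malformed reply, or no status line at all;
# Firefox treats that case under its soft-fail rules, while "revoked" is a hard block.
ocsp_status() {
    printf '%s\n' "$1" | awk '
        $1 ~ /\.pem:$/ && ($2 == "good" || $2 == "revoked" || $2 == "unknown") {
            print $2; found = 1; exit
        }
        END { if (!found) print "error" }
    '
}

# Constructed sample of what "openssl ocsp" prints for a revoked certificate
# (layout only; dates and reason are made up for the example).
SAMPLE_REVOKED='Response verify OK
/tmp/x/leaf.pem: revoked
	This Update: Jan  1 00:00:00 2024 GMT
	Next Update: Jan  8 00:00:00 2024 GMT
	Reason: superseded
	Revocation Time: Dec 31 00:00:00 2023 GMT'

# Fetch HOST's chain, query the responder named in the leaf's AIA extension, and
# print the verdict. Exit status 0 means "good".
check_revocation() {
    host="$1"
    dir=$(mktemp -d)
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | split_chain "$dir"
    if [ ! -s "$dir/issuer.pem" ]; then
        echo "$host: server did not send its issuer certificate"; rm -rf "$dir"; return 2
    fi
    uri=$(openssl x509 -in "$dir/leaf.pem" -noout -ocsp_uri)
    if [ -z "$uri" ]; then
        echo "$host: no OCSP responder in the AIA extension"; rm -rf "$dir"; return 2
    fi
    # Chrome consults its own revocation list instead of OCSP; the certificate's
    # CRL distribution point is printed here so you can fetch that list by hand.
    echo "CRL distribution points:"
    openssl x509 -in "$dir/leaf.pem" -noout -ext crlDistributionPoints | sed 's/^/  /'
    # If the output says "Response Verify Failure", add -CAfile <system trust store>;
    # the status line is printed either way and is what ocsp_status reads.
    transcript=$(openssl ocsp -issuer "$dir/issuer.pem" -cert "$dir/leaf.pem" \
        -url "$uri" 2>&1)
    verdict=$(ocsp_status "$transcript")
    echo "$host via $uri: $verdict"
    rm -rf "$dir"
    [ "$verdict" = "good" ]
}

# Usage: sh ocsp-check.sh www.wumb.org
if [ $# -gt 0 ]; then
    check_revocation "$1"
fi
```

Run it against the site from the thread and against a site you know is healthy; a "revoked" verdict from the responder named in the certificate itself is what Firefox is reacting to, independent of what other browsers show.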
Chosen solution
Eliot Mayer said:
TyDraniu said:
2. The work-around will lower your security, but for a moment you can try to turn off the Query OCSP responder servers to confirm the current validity of certificates option.
2. What is the procedure to "try to turn off the Query OCSP responder servers to confirm the current validity of certificates option."?
On the settings page, there is a tiny search box at the top. Type or paste ocsp in the box to filter the page and find that checkbox.
What works for me in this case is:
- about:config => security.OCSP.enabled = 2 (0: disable; 1: EV and DV certs; 2: EV certs)
You can open the about:config page via the location/address bar. You can click the button to "Accept the Risk and Continue".
Another test page that also shows the certificate as revoked:
- https://decoder.link/
I did the "OCSP" unchecking. It works, but I understand that this lowers security. I also wrote to the folks at wumb.org and passed along your info. If they tell me that the certificate is updated, I'll try re-enabling "OCSP" (if it doesn't mess up other sites that I trust). Thanks for helping!
Best is to set security.OCSP.enabled = 2 to have at least OCSP enabled for EV (Extended Validation) certificates used by larger companies, and not disable OCSP completely by setting security.OCSP.enabled = 0. If you do not visit this website too often then you can consider leaving the pref at its default and only disable OCSP when you visit this website. I would in this case use a separate profile with lower OCSP protection for cases like this.
See "Creating a profile":
Hi cor-el.
What is the procedure to set security.OCSP.enabled = 2? I only see a yes/no checkbox "Query OCSP responder servers to confirm the current validity of certificates" in the Firefox Settings.
Thanks.
If you use that checkbox in Settings and you only disable OCSP temporarily when you need to visit this website then you should be OK, but if you choose to disable OCSP all the time until the website fixes their certificate then best is to set security.OCSP.enabled = 2 on the about:config page.
You can open the about:config page via the location/address bar. You can click the button to "Accept the Risk and Continue". You can paste security.OCSP.enabled in its find bar to quickly locate this pref. Double-click this line, change the value to 2, and press the blue OK button at the far right to confirm the change.
Edited by cor-el on
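cor-el's suggestion above is to keep the lowered setting confined to a separate profile. Rather than clicking through about:config in that profile, the pref can be pinned in the profile's user.js file, which Firefox reads at startup. The script below is an added example, not code from this thread or from Mozilla. It assumes you pass the profile directory (listed on about:profiles) and that Firefox is closed while you edit it, since Firefox rewrites prefs.js on exit; the value meanings match the ones cor-el gives (0 off, 1 every certificate, 2 EV certificates only). The profile path used in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): pin security.OCSP.enabled in one Firefox
# profile's user.js. Assumes PROFILE_DIR is an existing profile directory and that
# Firefox is not running while the file is edited.

# Write or replace one user_pref line in PROFILE_DIR/user.js.
set_user_pref() {
    profile_dir="$1"; name="$2"; value="$3"
    file="$profile_dir/user.js"
    [ -f "$file" ] || : > "$file"
    # Drop any existing line for this pref (grep -v exits 1 when nothing is left,
    # which is not an error here), then append the new line.
    grep -F -v "user_pref(\"$name\"," "$file" > "$file.tmp" || true
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Print the value a pref has in PROFILE_DIR/user.js, or nothing if it is not set.
get_user_pref() {
    sed -n "s/^user_pref(\"$2\", \(.*\));\$/\1/p" "$1/user.js" 2>/dev/null
}

# security.OCSP.enabled: 0 = OCSP off, 1 = check every certificate (the default),
# 2 = check only EV certificates. Use the profile with: firefox -P <profile name>
lower_ocsp_for_profile()   { set_user_pref "$1" security.OCSP.enabled 2; }
restore_ocsp_for_profile() { set_user_pref "$1" security.OCSP.enabled 1; }

# Usage (placeholder path): sh ocsp-profile.sh ~/.mozilla/firefox/xxxxxxxx.lowocsp
if [ $# -gt 0 ]; then
    lower_ocsp_for_profile "$1"
    echo "security.OCSP.enabled is now $(get_user_pref "$1" security.OCSP.enabled) in $1/user.js"
fi
```

Because user.js is re-applied on every start, the value survives the "Accept the Risk" dialog and any later clicks in Settings; delete the line (or call restore_ocsp_for_profile) once the site has replaced its certificate.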
Thanks. I used your info to set security.OCSP.enabled = 2.