how can I permanently disable OCSP checking?

I use StartSSL to generate free certificates for my personal sites. Occasionally Firefox has a heart attack because it can't verify a signature or whatever. I really, really, really don't care, and I would like to disable all OCSP checking in my browser. I've tried toggling the option under Options->Advanced->Certificates for "Query OCSP responder servers to confirm the current validity of certificates" but that doesn't seem to make any difference. I know that my certificate is valid, as it was working just fine for the past week and is valid until 2019. It also works in every other browser on my computer, just not FF. How can I just completely stop OCSP from doing any checks, since that option doesn't fix the problem? Is there something in about:config I can toggle or set?

For search engine purposes, since I couldn't find an answer to this exact question using these search terms:

OCSP response has an invalid signature. Error code: SEC_ERROR_OCSP_BAD_SIGNATURE

Chosen solution

I have not seen the "SEC_ERROR_OCSP_BAD_SIGNATURE" code before. Perhaps your web server is configured to use "OCSP stapling" and is sending an incorrect or out-of-date OCSP response along with the certificate? You can use the following diagnostic page for public sites to see whether stapling is enabled:

https://www.ssllabs.com/ssltest/index.html


You could try disabling stapling support to see whether that changes anything:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_stapling preference to switch the value from true to false

Does that make any difference?
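Added example, not part of the original answer: a Python check for the stapling hypothesis above. It classifies the text printed by `openssl s_client -connect HOST:443 -status` as not stapled, stale, or good; HOST is a placeholder, and the sample output and function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl s_client -connect HOST:443 -status` output
# (HOST is a placeholder; the values below are made up for this example).
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: May  1 06:00:00 2016 GMT
    Cert Status: good
    This Update: May  1 06:00:00 2016 GMT
    Next Update: May  3 06:00:00 2016 GMT
"""
SAMPLE_NONE = "OCSP response: no response sent\n"

def _when(label, text):
    """Return the timestamp printed after `label:` as an aware datetime, or None."""
    m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        return None
    parsed = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def classify_staple(text, now=None):
    """Classify the stapled OCSP response described by s_client output."""
    now = now or datetime.now(timezone.utc)
    if "OCSP response: no response sent" in text:
        return "not-stapled"
    status = re.search(r"OCSP Response Status:\s*(\w+)", text)
    if not status:
        return "unknown"        # -status was not requested or output was cut off
    if status.group(1) != "successful":
        return "responder-error:" + status.group(1)
    this_update, next_update = _when("This Update", text), _when("Next Update", text)
    if this_update and now < this_update:
        return "not-yet-valid"  # server clock or cached response is wrong
    if next_update and now >= next_update:
        return "expired"        # server keeps stapling a stale response
    cert = re.search(r"Cert Status:\s*(\w+)", text)
    return "stapled-" + (cert.group(1) if cert else "unknown")
```

This parses only the printed fields and does not verify the response's signature, so a `stapled-good` result rules out a missing or out-of-date staple but not a bad signature.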

All Replies (5)

jscher2000 said

You could try disabling stapling support to see whether that changes anything: (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste ocsp and pause while the list is filtered (3) Double-click the security.ssl.enable_ocsp_stapling preference to switch the value from true to false Does that make any difference?

Disabling stapling seemed to do the trick. Thanks!

If it's a public site, you may need to fix the bundle file on the server or change your server configuration to NOT staple the OCSP response. But if you are the only one who uses the sites, I guess that's not necessary.

It's on shared hosting, so I have minimal control over what I can do about disabling stapling on the server side. I don't see the problem happening in IE or Chrome, and Firefox has a dwindling user base anyway, so I am not too concerned about access. I'll see what my hosting provider can do about disabling it, but at least I know of a workaround for FF for now to make it behave like most other browsers.

Thanks again

j3rk said

I don't see the problem happening in IE or Chrome, and Firefox has a dwindling user base anyway, so I am not too concerned about access.

Blocking Firefox users will certainly fulfill that prophecy. ;-)