GNOME Bugzilla – Bug 689293
OCSP error to https:// all gnome ssl links
Last modified: 2012-11-29 19:39:03 UTC
OCSP error to https://extensions.gnome.org etc... This started failing yesterday.

Your SSL Certificate includes an OCSP URI in the Authority Information Access section. Whoever manages your secure websites needs to contact the Certificate vendor and find out why their server is failing to verify. The verification option can be turned off in a web browser but it is a foolish thing to do. OCSP verification is optional, but if you pay for a certificate that contains an OCSP URI it should work. It has worked in the past. If OCSP fails you do not know the certificate you received for the SSL connection is valid. In other words the connection is not secure.

I emailed your security and received a reply with the following which makes no sense to me. "enhancement request"???

> Feel free to file an enhancement request in GNOME Bugzilla against the
> "sysadmin" product in case there is no report yet.

You have broken infrastructure.
This seems to have something to do with your browser, or perhaps your local networking configuration. Can you provide more information about how you are obtaining this error? (What operating system, browser, version, etc.)
I am using Firefox on Fedora 17. This problem is usually a broken certificate vendor's OCSP server or an error in the website's certificate. I don't think it is a certificate problem, but only the vendor's customer can report the problem concerning an OCSP server, based on my prior experience with this kind of issue.

In my browser I have "When an OCSP server connection fails, treat the certificate as invalid" checked. Before I tried to report this problem, I verified a connection to a U.S. Treasury website that has OCSP set in its certificate and it works fine from my location. Most people turn this check off in their browser because they don't understand what the OCSP function does. You don't know if the certificate is revoked without this function if OCSP is provided on the certificate. I keep it enabled except when I am troubleshooting this kind of problem. SSL is only as good as the proper operation of the infrastructure that supports it. Security with holes is no security at all. I always know that I can be wrong but I don't think I am in this case.

You should be able to duplicate this with a Firefox browser:

Edit->Preferences->Advanced->Encryption->Validation->
Check "Use the Online ... (OCSP)"
Pick "Validate a certificate if it specifies an OCSP server"
Check "When an OCSP server connection fails, treat the certificate as invalid"

Sorry if my bluntness has offended anyone.
Thanks for your report. I am getting the same behaviour as well on my machine; apparently the OCSP listed on our certificates is down [1]. I'll ping them as soon as possible to have this issue sorted out.

[1] http://ocsp.startssl.com/sub/class2/server/ca
Everything is back to normality. Anyway it's not the GNOME Infrastructure being broken, it was just a web server overload of our CA. It happens.
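The check the reporter describes (read the OCSP URI out of the certificate's Authority Information Access extension, ask that responder, and refuse the connection when no answer comes back) can be reproduced end to end with nothing but the openssl command line tool. The script below is an added example; it is not code from this bug thread, from StartCom or from GNOME's infrastructure. It builds a throwaway CA and a leaf certificate whose AIA extension points at a local responder, runs that responder, queries it the way a browser does, and then queries a port where nothing listens to show what the outage in this bug looks like to a hard-fail client. The port numbers, certificate names and temp paths are assumptions for the demo, and the only network traffic is to 127.0.0.1.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from GNOME's infrastructure.
# Builds a throwaway CA and a leaf certificate whose authorityInfoAccess
# extension names a local OCSP responder, runs that responder with the
# openssl CLI, queries it the way a browser does, then queries a port where
# nothing listens to show what a responder outage looks like to a hard-fail
# client. Ports, names and paths are assumptions for the demo; only 127.0.0.1
# is contacted. Requires the openssl command line tool (1.1.1 or 3.x).
set -eu

OCSP_PORT=18888   # responder started below (assumed free)
DEAD_PORT=18889   # nothing listens here: stands in for the outage in the bug
WORK=$(mktemp -d)
RESPONDER_PID=
trap '[ -z "$RESPONDER_PID" ] || kill "$RESPONDER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Throwaway root CA plus a leaf signed by it. The authorityInfoAccess line is
# the part the bug is about: the URI a validating browser contacts before it
# trusts the certificate.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=extensions.gnome.org" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=OCSP;URI:http://127.0.0.1:%s\n' \
    "$OCSP_PORT" > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
  # Minimal "openssl ca" style index the responder answers from: V = valid.
  serial=$(openssl x509 -in "$WORK/leaf.pem" -noout -serial | cut -d= -f2)
  printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=extensions.gnome.org\n' "$serial" \
    > "$WORK/index.txt"
}

# The OCSP URI from the certificate's AIA extension (what the browser reads).
ocsp_uri_of() {   # $1 = certificate PEM
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Ask a responder about one certificate. Prints good, revoked or unknown when
# a correctly signed response arrived, otherwise prints unreachable and
# fails. "unreachable" is exactly the condition reported in this bug.
ocsp_query() {   # $1 = certificate PEM, $2 = responder URL
  out=$(openssl ocsp -issuer "$WORK/ca.pem" -cert "$1" -CAfile "$WORK/ca.pem" \
        -url "$2" 2>&1) || { echo unreachable; return 1; }
  case "$out" in
    *"Response verify OK"*) ;;   # response signature chains to our CA
    *) echo unreachable; return 1 ;;
  esac
  printf '%s\n' "$out" | awk '/: (good|revoked|unknown)$/ { print $NF }'
}

# Run the responder in the background, signing responses with the CA key,
# and wait until it answers.
start_responder() {
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
    -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -port "$OCSP_PORT" \
    > "$WORK/responder.log" 2>&1 &
  RESPONDER_PID=$!
  tries=0
  until ocsp_query "$WORK/leaf.pem" "http://127.0.0.1:$OCSP_PORT" >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 10 ] || { echo "responder did not come up" >&2; return 1; }
    sleep 1
  done
}

# Hard-fail policy, i.e. Firefox's "When an OCSP server connection fails,
# treat the certificate as invalid": accept only on an explicit "good".
# A soft-fail client would accept on "unreachable" as well.
accept_connection() {   # $1 = certificate PEM, $2 = responder URL
  status=$(ocsp_query "$1" "$2") || status=unreachable
  [ "$status" = good ]
}

setup_pki
start_responder
LEAF="$WORK/leaf.pem"
echo "AIA OCSP URI:      $(ocsp_uri_of "$LEAF")"
echo "responder up:      $(ocsp_query "$LEAF" "http://127.0.0.1:$OCSP_PORT")"
echo "responder down:    $(ocsp_query "$LEAF" "http://127.0.0.1:$DEAD_PORT" || true)"
if accept_connection "$LEAF" "http://127.0.0.1:$DEAD_PORT"; then
  echo "hard-fail client:  accepted"
else
  echo "hard-fail client:  rejected (no revocation answer)"
fi
```

Run it with `sh`. Against a real site, the same two commands do the job: `openssl x509 -in site.pem -noout -ocsp_uri` gives the responder URL from the certificate, and `openssl ocsp -issuer issuer.pem -cert site.pem -url <that URL> -CAfile <trust store>` asks it; a connection error or a missing "Response verify OK" is the situation in this bug, and whether the browser then shows an error or silently proceeds is purely the soft-fail/hard-fail setting, not anything the site can control from its side.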