Bug 689293 - (nls1729) OCSP error to https:// all gnome ssl links
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: Certificates
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: GNOME Sysadmins
Depends on:
Blocks:
Reported: 2012-11-29 16:35 UTC by Norman Smith
Modified: 2012-11-29 19:39 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Norman Smith 2012-11-29 16:35:58 UTC
OCSP error to https://extensions.gnome.org etc...

This started failing yesterday.

Your SSL Certificate includes an OCSP URI in the Authority Information Access section.

Whoever manages your secure websites needs to contact the certificate vendor and find out why their server is failing to verify.

The verification option can be turned off in a web browser, but it is a foolish thing to do.  OCSP verification is optional, but if you pay for a certificate that contains an OCSP URI it should work.  It has worked in the past.  If OCSP fails you do not know that the certificate you received for the SSL connection is valid.  In other words, the connection is not secure.

I emailed your security and received a reply with the following which makes no sense to me. "enhancement request"???
> Feel free to file an enhancement request in GNOME Bugzilla against the
> "sysadmin" product in case there is no report yet.

You have broken infrastructure.
Comment 1 Owen Taylor 2012-11-29 16:45:18 UTC
This seems to have something to do with your browser, or perhaps your local networking configuration. Can you provide more information about how you are obtaining this error? (What operating system, browser, version, etc.)
Comment 2 Norman Smith 2012-11-29 17:17:33 UTC
I am using Firefox on Fedora 17.  This problem is usually a broken certificate vendor's OCSP server or error in the Website's certificate.  I don't think it is a certificate problem but only the vendor's customer can report the problem concerning an OCSP server based on my prior experience with this kind of issue.

In my browser I have "When an OCSP server connection fails, treat the certificate as invalid" checked.

Before I tried to report this problem, I verified a connection to a U.S. Treasury website that has OCSP set in its certificate, and it works fine from my location.

Most people turn this check off in their browser because they don't understand what the OCSP function does.  You don't know if the certificate is revoked without this function if OCSP is provided on the certificate.

I keep it enabled except when I am troubleshooting this kind of problem.

SSL is only as good as the proper operation of the infrastructure that supports it.  Security with holes is no security at all.

I always know that I can be wrong but I don't think I am in this case.

You should be able to duplicate this with a Firefox browser:

Edit->Preferences->Advanced->Encryption->Validation->
Check Use the Online ... (OCSP)
Pick  Validate a certificate if it specifies an OCSP server
Check When an OCSP server connection fails, treat the certificate as invalid

Sorry if my bluntness has offended anyone.
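The hard-fail behaviour Norman describes (an unreachable OCSP responder means the certificate cannot be trusted) can be reproduced outside the browser with the openssl CLI. The script below is an added example written for this page, not something posted in the bug report: it reads the OCSP URI from the leaf certificate's Authority Information Access extension, queries the responder, and only reports success when the responder answers "good". Any other outcome (no AIA URI, connection failure, response signature failure, revoked or unknown status) is a non-zero return, which is the "treat the certificate as invalid" setting expressed as an exit code. File names and the responder address are assumptions; response signatures are verified against the system trust store, which is openssl's default when no `-CAfile` is given.

```shell
#!/bin/sh
# Added example (not from the bug report): a hard-fail OCSP check in the
# spirit of Firefox's "treat the certificate as invalid" setting.
# Requires the openssl CLI. File names used here are assumptions.
# usage: ocsp_hard_fail_check leaf.pem issuer.pem

# Print the OCSP responder URI(s) from the certificate's AIA extension.
# Prints nothing when the certificate carries no OCSP URI.
ocsp_uri_of() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Query the responder named in the leaf certificate. Returns 0 only when
# the responder answers, the response verifies, and the status is "good".
# Every other outcome returns non-zero so the caller fails closed:
#   2 = no OCSP URI in AIA (revocation status cannot be determined)
#   3 = responder unreachable, HTTP/protocol error, or response failed
#       signature verification
#   4 = certificate reported as revoked
#   5 = any other status (e.g. "unknown")
ocsp_hard_fail_check() {
    leaf=$1
    issuer=$2
    uri=$(ocsp_uri_of "$leaf" | head -n 1)
    if [ -z "$uri" ]; then
        echo "no OCSP URI in AIA; revocation status unknown" >&2
        return 2
    fi
    # -timeout bounds how long an overloaded responder can stall us.
    out=$(openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" \
            -timeout 5 2>&1) || {
        echo "responder $uri unreachable, errored, or response unverifiable:" >&2
        echo "$out" >&2
        return 3
    }
    # openssl ocsp prints "<leaf file>: good|revoked|unknown".
    case $out in
        *": good"*)    return 0 ;;
        *": revoked"*) echo "certificate revoked" >&2; return 4 ;;
        *)             echo "unexpected responder status:" >&2
                       echo "$out" >&2; return 5 ;;
    esac
}
```

Run as `ocsp_hard_fail_check leaf.pem issuer.pem` after exporting the site's leaf and issuer certificates; a non-zero exit is exactly the condition Firefox reported in this bug, and from the operator's side it is the signal to contact the CA rather than to disable the check.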
Comment 3 Andrea Veri 2012-11-29 17:32:22 UTC
Thanks for your report. I am getting the same behaviour as well on my machine; apparently the OCSP responder listed on our certificates is down [1]. I'll ping them as soon as possible to have this issue sorted out.

[1] http://ocsp.startssl.com/sub/class2/server/ca
Comment 4 Andrea Veri 2012-11-29 19:39:03 UTC
Everything is back to normal. Anyway, it's not the GNOME Infrastructure being broken; it was just a web server overload at our CA. It happens.