karlos

Intermittent site problems


35 minutes ago, T8493 said:

It looks like only Firefox is affected and maybe it is the problem with the Firefox implementation.

Well, it worked yesterday and I don't think my Firefox version changed.


You can blame it on either side. My understanding is that if the OCSP server gives a "try again later" response, Apache stupidly staples that to its replies so that the browser gets it.

OCSP stapling is intended as a form of privacy enhancement. The idea is that if a browser sees a key on an SSL connection, it needs to check if it was revoked. If the browser just connects to the OCSP provider, that could clue anyone passively intercepting the traffic into knowing what CA signed the key, which could compromise privacy.

Firefox assumes the response was only stapled if it was important that the browser not make its own connection to the CA's OCSP server. So when it sees a stapled "try again later" response, it reports the error. This behavior can be disabled from about:config by disabling stapling entirely in the browser, which you can do by changing security.ssl.enable_ocsp_stapling to false.
