Also brokenness at the site, sending a "trylater" stapled OCSP response:

$ openssl s_client -connect a2v.stj.jus.br:443 -servername a2v.stj.jus.br -status
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - SHA256 - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.stj.jus.br
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================
[...]

There are plans around making OCSP checks less strict in Firefox in the
future (other browsers either don't check OCSP or connect anyway in failure
cases), see https://bugzilla.mozilla.org/show_bug.cgi?id=1368868

Cheers,
Julien
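
A check for the condition shown in the s_client output above, as an added example that is not part of the original message: it classifies the stapled OCSP response so a monitoring job can flag a server stapling a non-successful status such as "trylater". The function name, the STAPLE_* verdict labels and the second and third sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify the stapled OCSP response
# printed by `openssl s_client -status`. Reads s_client output on stdin.
# classify_staple and the STAPLE_* verdicts are names made up for this example.
classify_staple() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/ {
            # e.g. "OCSP Response Status: trylater (0x3)" -> status = trylater
            sub(/.*OCSP Response Status:[ \t]*/, ""); status = $1
        }
        /Cert Status:/ { sub(/.*Cert Status:[ \t]*/, ""); cert = $1 }
        END {
            if (status == "successful") {
                if (cert == "good")      { print "STAPLE_OK" }
                else if (cert == "")     { print "STAPLE_UNPARSED" }
                else                     { print "STAPLE_CERT_" toupper(cert) }
            } else if (status != "")     { print "STAPLE_ERROR " status }
            else if (none)               { print "STAPLE_MISSING" }
            else                         { print "STAPLE_UNPARSED" }
        }'
}

# Sample 1 mirrors the output quoted in the message; samples 2 and 3 are constructed.
SAMPLE_TRYLATER='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================'
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'
SAMPLE_NONE='OCSP response: no response sent'

# Live use (host is a placeholder):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -status </dev/null 2>/dev/null | classify_staple
for sample in "$SAMPLE_TRYLATER" "$SAMPLE_GOOD" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | classify_staple
done
```

A STAPLE_ERROR verdict points at the server's stapling setup or its upstream responder rather than at the certificate itself, which is the situation the message describes.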


On Mon, Oct 23, 2017 at 9:21 PM, Diego Viegas <[email protected]>
wrote:

> Hi,
>
> +1
>
> We also have this ongoing problem in a Brazilian government/justice site,
> leading to the need to disable OCSP on Firefox ESR, latest version, Windows
> and Linux.
>
> Affected site is:
>
> https://a2v.stj.jus.br/peticionamento-cliente/
>
> In the case we need FF (can't use Chrome) due to Java applet.
>
> --
> Diego Viégas
> dotPro Tecnologia e Comunicação
> [email protected]
> (61) 4042-2024
>
> 2017-10-23 17:12 GMT-02:00 Madsen, Stuart <[email protected]>:
>
>> Using Microsoft Edge works fine with no problem at all accessing login
>> page of ssa.gov site! But I am on my work network, and not on my home
>> network. One other fact, I am using Windows 10 at work plus Edge, but
>> Vista at home and IE. But according to Microsoft, Vista has native support
>> for both CRL and OCSP as a method of determining certificate status.
>>
>>
>>
>> -----Original Message-----
>> From: Enterprise [mailto:[email protected]] On Behalf Of
>> [email protected]
>> Sent: Monday, October 23, 2017 1:53 PM
>> To: [email protected]
>> Subject: Re: [Mozilla Enterprise] OCSP issues with Firefox?
>>
>> On 10/23/2017 09:04 AM, Anvar Kuchkartaev [Masked] wrote:
>> > It is a very strange issue. Chrome and IE might be using OCSP from their cache.
>> > Have you tried to connect to those websites from another network?
>>
>> AFAIK, Chrome uses Google servers to do OCSP -- look up CRL Sets.  I
>> think IE treats the failure in question the same as a network error and
>> connects anyway.
>>
>> > Anvar Kuchkartaev
>> > [email protected]
>> > *From: *Robert A Vipperman
>> > *Sent: *Tuesday, October 17, 2017 01:58 p.m.
>> > *To: *[email protected]
>> > *Subject: *[Mozilla Enterprise] OCSP issues with Firefox?
>> >
>> >
>> > All,
>> >
>> > We started having issues in the last few days with certain internal
>> > https sites giving the error below. Has anyone else experienced this
>> > issue? These sites load with no issues in IE and Chrome.
>> >
>> > Secure Connection Failed
>> >
>> > An error occurred during a connection to xxx.xxx.com. Invalid OCSP
>> > signing certificate in OCSP response. Error code:
>> > SEC_ERROR_OCSP_INVALID_SIGNING_CERT
>> >
>> >      The page you are trying to view cannot be shown because the
>> > authenticity of the received data could not be verified.
>> >
>> >      Please contact the website owners to inform them of this problem.
>> >
>> > _________________________
>> >
>> > Robert Vipperman
>> >
>> > Dominion Resource Services, Inc.
>> >
>> > [email protected]
>> >
>> > _________________________
>> >
>>
>>
>> --
>> Do not become so fixated on the cheese at the end of the maze that you
>> forget the real goal is to escape from the lab.
>>
>> Stephen
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
[email protected] with a subject of "unsubscribe"
