Thanks Anvar, I went home last night and was able to access ssa.gov just fine with no changes to my system!
Stuart

From: Anvar Kuchkartaev [mailto:[email protected]]
Sent: Monday, October 23, 2017 1:28 PM
To: Madsen, Stuart <[email protected]>; Robert A Vipperman <[email protected]>; [email protected]
Subject: Re: [Mozilla Enterprise] OCSP issues with Firefox?

It is a problem of the remote site (not even ssa.gov). The problem is that ssa.gov's certificate is signed by DigiCert and the OCSP server of DigiCert is having troubles right now. You have to wait until they resolve it and meanwhile you might use Chrome or IE, or disable OCSP checking in Firefox (which is not recommended for security reasons).

https://en.m.wikipedia.org/wiki/Online_Certificate_Status_Protocol

Anvar Kuchkartaev
[email protected]

From: Madsen, Stuart
Sent: Monday, October 23, 2017 08:13 p.m.
To: Anvar Kuchkartaev; Robert A Vipperman; [email protected]
Subject: RE: [Mozilla Enterprise] OCSP issues with Firefox?

Hi Anvar,

I also remembered that I had updated Firefox just in the recent past; so is it possible that the previous release of Firefox would be a workaround? If not, what options do I have: is it my system at home, or is it the www.ssa.gov site? I am not clear where to start debugging! And how to resolve the issue?

Thanks in advance,
Stuart

From: Anvar Kuchkartaev [mailto:[email protected]]
Sent: Monday, October 23, 2017 12:09 PM
To: Madsen, Stuart <[email protected]>; Robert A Vipperman <[email protected]>; [email protected]
Subject: Re: [Mozilla Enterprise] OCSP issues with Firefox?

I just made a quick test of the website that you provided (www.ssa.gov) by manually generating an OCSP request to its CA and found that the OCSP server of DigiCert (http://ocsp.digicert.com) is having issues. If the website of Robert Vipperman is signed by DigiCert then he might be affected by the same issue.

Command that I invoked from Linux:

openssl ocsp -issuer chain.pem -cert www.ssa.gov.pem -text -url http://ocsp.digicert.com

Response:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: CF26F518FAC97E8F8CB342E01C2F6A109E8E5F0A
          Issuer Key Hash: 5168FF90AF0207753CCCD9656462A212B859723B
          Serial Number: 05A95C0D34A831F37F8A5F729CC23C74
    Request Extensions:
        OCSP Nonce: 04103413E42BB3E68482E3A4B42241408E52
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 5168FF90AF0207753CCCD9656462A212B859723B
    Produced At: Oct 23 14:04:14 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: CF26F518FAC97E8F8CB342E01C2F6A109E8E5F0A
      Issuer Key Hash: 5168FF90AF0207753CCCD9656462A212B859723B
      Serial Number: 05A95C0D34A831F37F8A5F729CC23C74
    Cert Status: good
    This Update: Oct 23 14:04:14 2017 GMT
    Next Update: Oct 30 13:19:14 2017 GMT

    Signature Algorithm: sha256WithRSAEncryption
         9f:71:8d:af:c5:94:39:7f:cd:cb:2b:5b:09:4b:4d:53:83:af:
         1b:31:5e:9a:f7:88:b4:5f:87:a8:98:a8:8b:c8:7e:37:ec:88:
         41:be:2d:89:5b:30:c6:f7:4b:93:70:2b:8f:fe:6e:17:87:ba:
         a7:e3:e1:4d:ac:b1:75:26:aa:1a:ad:6c:55:99:15:1d:5f:fe:
         54:b2:2c:72:d3:27:46:76:37:f0:1b:b6:c3:2f:81:c9:57:1d:
         71:62:b8:ed:ae:18:32:0d:3b:a6:0b:93:59:e5:dc:ab:9b:be:
         a2:1f:08:c3:dd:1e:26:ec:0b:30:0d:f6:0c:d2:05:34:05:8b:
         b2:79:12:52:5e:73:fb:13:ce:34:b0:c6:d4:5e:da:e4:ca:0c:
         3a:1e:ab:44:b4:80:bc:f0:1f:49:c8:df:14:05:47:89:de:6f:
         54:e6:c2:80:b4:e6:e3:db:74:84:2a:57:17:88:88:8d:dd:55:
         f8:55:21:1b:b4:cf:bc:c7:76:5c:23:99:c3:16:d5:f0:fd:2d:
         c9:e1:f9:07:e7:72:f1:38:74:b8:bc:ad:10:fc:a4:e3:c4:73:
         e7:6a:38:9f:c0:3d:f8:e0:21:d4:ae:61:aa:8f:fd:f8:23:31:
         84:7f:cc:07:22:73:da:83:2c:dc:f9:a3:14:db:58:ae:1d:e5:
         82:b9:c0:d1
WARNING: no nonce in response
Response Verify Failure
139890693134240:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
www.ssa.gov.pem: good
    This Update: Oct 23 14:04:14 2017 GMT
    Next Update: Oct 30 13:19:14 2017 GMT

On 23/10/17 18:49, Madsen, Stuart wrote:

Yes, My name is Stuart Madsen; I was trying to access the
www.ssa.gov, starting yesterday from my home network, I began getting the same error message! I had no trouble about three weeks ago or so. I can't honestly remember to be sure when I accessed the site but I had no trouble then!!! I attempted to access the web site yesterday after having upgraded to the latest Java update. I will have to check when I get home what version I upgraded to, and try to re-install the previous Java release, and see if that makes a difference!

Stuart Madsen
[email protected]
254-715-2268 (cell)

From: Enterprise [mailto:[email protected]] On Behalf Of Anvar Kuchkartaev
Sent: Monday, October 23, 2017 11:05 AM
To: Robert A Vipperman <[email protected]>; [email protected]
Subject: Re: [Mozilla Enterprise] OCSP issues with Firefox?

It is a very strange issue. Chrome and IE might be using OCSP from their cache. Have you tried to connect to those websites from another network?

Anvar Kuchkartaev
[email protected]

From: Robert A Vipperman
Sent: Tuesday, October 17, 2017 01:58 p.m.
To: [email protected]
Subject: [Mozilla Enterprise] OCSP issues with Firefox?

All,

We started having issues in the last few days with certain internal https sites giving the error below. Has anyone else experienced this issue? These sites load with no issues in IE and Chrome.

Secure Connection Failed

An error occurred during a connection to xxx.xxx.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

_________________________
Robert Vipperman
Dominion Resource Services, Inc.
[email protected]
_________________________
_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"
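
Added example, not part of the original thread: a small Python triage of `openssl ocsp -text` output like the one quoted above, showing that a `Cert Status: good` line is not usable on its own when the response signature did not verify. The function names and the `now` argument are assumptions made for this example; the sample lines are excerpted from the output quoted in the thread.

```python
import re
from datetime import datetime, timezone

# Excerpt of the `openssl ocsp -text` output quoted in the thread.
SAMPLE = """\
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Oct 23 14:04:14 2017 GMT
    Next Update: Oct 30 13:19:14 2017 GMT
WARNING: no nonce in response
Response Verify Failure
139890693134240:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
www.ssa.gov.pem: good
"""

def _field(text, label):
    """Return the value of the first 'label: value' line, or None."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def _when(value):
    """Parse openssl's 'Oct 23 14:04:14 2017 GMT' timestamps as UTC."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def triage(text, now):
    """Decide whether the status in an OCSP text dump can be relied on."""
    status = _field(text, "OCSP Response Status") or "missing"
    this_u, next_u = _field(text, "This Update"), _field(text, "Next Update")
    verified = "Response verify OK" in text  # openssl's success line
    err = re.search(r"OCSP_basic_verify:([^:\n]+):", text)
    fresh = bool(this_u and next_u and _when(this_u) <= now <= _when(next_u))
    problems = []
    if not status.startswith("successful"):
        problems.append("responder status: " + status)
    if not verified:
        problems.append("signature not verified" + (f" ({err.group(1)})" if err else ""))
    if not fresh:
        problems.append("outside thisUpdate/nextUpdate window")
    return {
        "cert_status": _field(text, "Cert Status"),
        "verified": verified,
        "nonce_echoed": "no nonce in response" not in text,
        "fresh": fresh,
        "usable": not problems,  # only then does cert_status mean anything
        "problems": problems,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2017, 10, 23, 18, 0, tzinfo=timezone.utc)))
```
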

