John Wallace writes:
> Using Firefox 27.0 (aka Aurora) with the latest and greatest Https-Everywhere
> in Linux (aka, Hardened-Gentoo), I tried visiting this page:
>
> https://wiki.gentoo.org/wiki/Xorg/Hardware_3D_acceleration_guide
>
> ...but it failed with this error:
>
> Secure Connection Failed
> An error occurred during a connection to wiki.gentoo.org.
> The OCSP response is not yet valid (contains a date in the future).
> Error code: sec_error_ocsp_future_response
> * the page you are trying to view cannot be shown because the authenticity
> of the received data could not be verified....(etc ..)
Hi John,

Can you check whether the clock on your computer is set accurately?

OCSP is a mechanism to let browsers check whether digital certificates are still valid. (It stands for Online Certificate Status Protocol.) This allows certificate authorities to revoke certificates that are still being used in the wild, if, for example, the private key is known to be stolen. (Without a way for someone other than the site to revoke the certificate, the legitimate site might stop using the old certificate after the key was stolen, but whoever stole the key might put up a fake site that continues using the old certificate to reassure browsers that the stolen key is valid!)

OCSP is only applicable to HTTPS because HTTP doesn't use digital certificates at all. So when you access the site insecurely over HTTP, OCSP doesn't enter into the picture at all. However, switching to HTTP to get rid of the error feels to me like throwing the baby out with the bathwater. OCSP is there to make HTTPS connections safer, but HTTP connections are inherently less safe than HTTPS connections because HTTP connections don't use any cryptographic means for ensuring confidentiality or authenticity.

It's not easy to imagine a way that this problem could be caused by the Gentoo site itself, because the OCSP response is sent by the certificate authority, not by Gentoo. It's most likely either a problem with the clock on your computer or with the certificate authority that Gentoo uses (apparently DigiCert). An alternative possibility is that you could be accessing the Internet from behind a firewall that blocks or tampers with OCSP replies for some reason.

If your computer's clock turns out to be accurate, maybe you can send us a copy of the certificate that you're receiving for the site (via Tools / Page Info / Security / View Certificate / Details / Export...) and also consider reporting the problem to Gentoo's web team.

Thanks.
-- Seth Schoen <[email protected]> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
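As an added illustration, not part of this thread or of any browser's code, here is the timing comparison behind the error John saw: an OCSP response carries thisUpdate/nextUpdate fields, and a client clock running behind makes a fresh response look future-dated. The OCSP dates below are constructed, and ALLOWED_SKEW is an assumed tolerance.

```python
from datetime import datetime, timedelta, timezone

# Tolerance for ordinary clock drift between a client and an OCSP responder
# (assumed value for this illustration; real validators choose their own).
ALLOWED_SKEW = timedelta(minutes=5)


def check_ocsp_timing(this_update, next_update, local_now, skew=ALLOWED_SKEW):
    """Compare an OCSP response's thisUpdate/nextUpdate with the local clock.

    Returns a (verdict, offset) pair:
      ("future_response", d)  thisUpdate is more than `skew` ahead of the local
                              clock, by d: the condition Firefox reports as
                              sec_error_ocsp_future_response
      ("old_response", d)     nextUpdate passed more than `skew` ago, by d
      ("ok", 0)               the response is usable as-is
    """
    if this_update - local_now > skew:
        return "future_response", this_update - local_now
    if next_update is not None and local_now - next_update > skew:
        return "old_response", local_now - next_update
    return "ok", timedelta(0)


def demo():
    """Constructed scenario: one fresh response seen by three different clocks."""
    # Constructed OCSP timing fields: signed at 12:00 UTC, good for seven days.
    this_update = datetime(2014, 1, 15, 12, 0, tzinfo=timezone.utc)
    next_update = this_update + timedelta(days=7)
    true_now = this_update + timedelta(minutes=1)   # what an accurate clock says
    slow_clock = true_now - timedelta(hours=3)      # client clock three hours behind
    fast_clock = true_now + timedelta(days=30)      # client clock a month ahead

    slow_verdict, slow_offset = check_ocsp_timing(this_update, next_update, slow_clock)
    good_verdict, _ = check_ocsp_timing(this_update, next_update, true_now)
    # A clock far ahead fails the other way: the response looks expired.
    fast_verdict, _ = check_ocsp_timing(this_update, next_update, fast_clock)
    return {
        "slow_clock": slow_verdict,
        # Hours the slow clock must be advanced before the response is accepted.
        "slow_clock_offset_hours": round(slow_offset.total_seconds() / 3600, 2),
        "correct_clock": good_verdict,
        "fast_clock": fast_verdict,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Fixing the clock (or asking Gentoo's CA why it issued a future-dated response) is the remedy; as the reply above notes, dropping to plain HTTP removes the check rather than the cause.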
