The OCSP response contains out-of-date information...

  • 4 replies
  • 23 have this problem
  • 4 views
  • Last reply by queryingquail

Our Mozilla based clients are getting the following responses when browsing to a myriad of sites: The OCSP response contains out-of-date information. Error code: SEC_ERROR_OCSP_OLD_RESPONSE

In looking at the session, it appears that the OCSP response in question is a stapled one which is NOT out of date. Turning off the security.ssl.enable_ocsp_stapling setting (set to false) in the about:config for Thunderbird and for FF works to solve this. However, we have no idea why the error is happening based on what we see from ocsp and the session. This _seems_ like a bug.

This started happening within the past few days. Prior to that, there was no issue like this seen. We've used OCSP for about 6 years, and there's nothing new for the CAs we use during the problem window.

I'd like to know what the trigger for this error is: if we can find the actual value being flagged as old. Again, in the capture of the session, the response is still valid for several more days.

Thanks much,

QQ

All replies (4)

You can check the date and time and time zone in the clock on your computer: (double) click the clock icon on the Windows Taskbar.

Thank you for the reply. We've validated the time stamps on the clients, the servers, and the ocsp systems. That is not, seemingly, the problem.

Can you replicate this problem with Firefox?

Can you post a link to a publicly accessible page (i.e. no authentication or signing on required)?

Presently the only things that we've seen this on are corporate URLs. We don't have anything publicly accessible unfortunately. I recognize this limits the ability to validate.

Essentially, all I can offer is that for a Server Hello frame where ocsp stapling is enabled in the browser, the stapled response (which looks good and valid) seems to be causing this error. When we disable ocsp stapling in about:config (just the one true/false setting), the Server Hello frame no longer includes the stapled response and the connection continues.

In both cases, the client is performing other ocsp validations on the certs during the session (so stapling _really_ is doing nothing but breaking things for us here). But the responses for the individual ocsp requests have the same time frames for validity (thisUpdate, nextUpdate, nextPublish).
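
For comparing a captured stapled response against the client clock, as discussed in the thread, the following is an added example (not part of the original posts, and not Firefox's own validation code). It reads thisUpdate and nextUpdate from the text layout printed by `openssl s_client -status` and applies the generic RFC 6960 freshness rules; the sample text, the `skew` parameter and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout printed by `openssl s_client -status`
# (values are illustrative, not taken from the thread).
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Produced At: Nov  4 10:00:00 2024 GMT
    Cert Status: good
    This Update: Nov  4 10:00:00 2024 GMT
    Next Update: Nov 11 10:00:00 2024 GMT
"""

FIELDS = ("Produced At", "This Update", "Next Update")

def parse_times(text):
    """Return {field: aware UTC datetime} for the first occurrence of each field."""
    out = {}
    for name in FIELDS:
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*GMT\s*$", text, re.M)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse the padding in "Nov  4"
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            out[name] = parsed.replace(tzinfo=timezone.utc)
    return out

def freshness(text, now, skew=timedelta(0)):
    """Classify a response against `now` per RFC 6960 section 4.2.2.1.

    `skew` is a hypothetical clock tolerance, not a documented client value.
    """
    t = parse_times(text)
    this_upd, next_upd = t.get("This Update"), t.get("Next Update")
    if this_upd is None:
        return "unparsed"
    if this_upd > now + skew:
        return "not-yet-valid"   # thisUpdate lies in the client's future
    if next_upd is None:
        return "no-nextUpdate"   # end of validity is left to client policy
    if next_upd < this_upd:
        return "malformed"
    if next_upd < now - skew:
        return "expired"         # nextUpdate is behind the client's clock
    return "fresh"
```

Passing the capture timestamp as `now`, rather than the current time, shows how the response looked to the client at the moment of the handshake.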