Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Funkcionalnosć tutoho sydła so přez wothladowanske dźěła wobmjezuje, kotrež maja waše dožiwjenje polěpšić. Jeli nastawk waš problem njerozrisuje a chceće prašenje stajić, wobroćće so na naše zhromodźenstwo pomocy, kotrež na to čaka, wam na @FirefoxSupport na Twitter a /r/firefox na Reddit pomhać.

Pomoc přepytać

Hladajće so wobšudstwa pomocy. Njenamołwimy was ženje, telefonowe čisło zawołać, SMS pósłać abo wosobinske informacije přeradźić. Prošu zdźělće podhladnu aktiwitu z pomocu nastajenja „Znjewužiwanje zdźělić“.

Dalše informacije

r.e. security.ssl.enable_ocsp_stapling

more options

Hi On a couple of occasions I have been unable to get to a particular website. I can’t recall what the previous problem websites were and those problems were corrected within a couple of days, but the latest (todays) problem is with Amazon.

Here is the error message I received: An error occurred during a connection to www.amazon.de. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

My google searches reveal the following solution (which works for me) from https://support.mozilla.org/en-US/questions/1161980 : You can temporarily disable OCSP Stapling : Type in the address bar about:config (press Enter) (promise to be careful, if asked) Type and look for the preference : security.ssl.enable_ocsp_stapling and set it's value to false It is best to reset this pref via the right-click context menu to true once you are done with this website.

My question is what does security.ssl.enable_ocsp_stapling do and why do I need to disable it to get some something like Amazon to work?

Thanks

Hi On a couple of occasions I have been unable to get to a particular website. I can’t recall what the previous problem websites were and those problems were corrected within a couple of days, but the latest (todays) problem is with Amazon. Here is the error message I received: An error occurred during a connection to www.amazon.de. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT My google searches reveal the following solution (which works for me) from https://support.mozilla.org/en-US/questions/1161980 : You can temporarily disable OCSP Stapling : Type in the address bar about:config (press Enter) (promise to be careful, if asked) Type and look for the preference : security.ssl.enable_ocsp_stapling and set it's value to false It is best to reset this pref via the right-click context menu to true once you are done with this website. My question is what does security.ssl.enable_ocsp_stapling do and why do I need to disable it to get some something like Amazon to work? Thanks

Wubrane rozrisanje

OCSP is a method to check whether a site's SSL certificate has been revoked by its issuer. "Stapling" is a method for the site to deliver proof of validity along with its own certificate. This improves privacy for the user because you don't need to reveal to a third party (the issuer) that you need to know about the site you're trying to use.

As for what suddenly went wrong, I don't know. Starting about 5 hours ago, users have been reporting OCSP errors on various sites that use the Akamai Content Distribution Network:


(You already know this part)

As a temporary workaround, you can disable OCSP stapling. With that change, instead of Firefox expecting sites to provide an OCSP certificate -- a verification that its certificate has not been revoked -- Firefox will query the service provider that signed the certificate. This is good for security but not the best arrangement for privacy, because the service provider knows a computer at your IP address is checking out that site. So after you finish using the site, you can switch the setting back.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_stapling preference to switch the value from true to false

Success?

Tutu wotmołwu w konteksće čitać 👍 1

Wšě wotmołwy (3)

more options

Wubrane rozrisanje

OCSP is a method to check whether a site's SSL certificate has been revoked by its issuer. "Stapling" is a method for the site to deliver proof of validity along with its own certificate. This improves privacy for the user because you don't need to reveal to a third party (the issuer) that you need to know about the site you're trying to use.

As for what suddenly went wrong, I don't know. Starting about 5 hours ago, users have been reporting OCSP errors on various sites that use the Akamai Content Distribution Network:


(You already know this part)

As a temporary workaround, you can disable OCSP stapling. With that change, instead of Firefox expecting sites to provide an OCSP certificate -- a verification that its certificate has not been revoked -- Firefox will query the service provider that signed the certificate. This is good for security but not the best arrangement for privacy, because the service provider knows a computer at your IP address is checking out that site. So after you finish using the site, you can switch the setting back.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_stapling preference to switch the value from true to false

Success?

Wot jscher2000 - Support Volunteer změnjeny

more options

Hi Thanks for the reply, the solution works... I just have to remember to switch security.ssl.enable_ocsp_stapling back to True when I have finished. One further thought; I don’t know if it is possible to change the title of this thread, but I think that if others are searching for an answer then my title wouldn’t be helpful (or discovered).

Thanks.

more options

bobsone said

One further thought; I don’t know if it is possible to change the title of this thread, but I think that if others are searching for an answer then my title wouldn’t be helpful (or discovered).

Eight hours have passed and the site seems to be working again, so you probably do not need to mention Amazon DE specifically. The title may be useful to anyone else with a question about that preference.