info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
As of Firefox 28, Firefox will not fetch CRLs during EV certificate validation
2,999 views
Skip to first unread message
Brian Smith
Dec 13, 2013, 2:48:34 AM12/13/13
to mozilla-dev-s...@lists.mozilla.org
Previously, Firefox would try to use OCSP to check revocation of an EV
certificate, and then fall back to CRLs if there was no OCSP URI in the AIA
extension or if the OCSP fetch failed. In Firefox 28 and later, Firefox
will stop trying to use CRLs. See bug 585122 [1] which is fixed in Firefox
28. Firefox 28 will be released 2014-03-18.
Because Firefox does not fall back from a failed OCSP request to a CRL
request, an unreliable OCSP responder will now be more likely to result in
an EV certificate being displayed as a non-EV certificate. Websites can
avoid this issue, mostly, by supporting OCSP stapling. (I say "mostly"
because it is still an issue for the intermediate certificate). For this
reason, I highly recommend that all EV sites enable OCSP stapling.
Another consequence of this is that certificates that are missing the OCSP
URI in the AIA extension, but which are otherwise valid EV certificates,
will no longer be displayed as EV certificates. Previous versions of
Firefox (27 and before) would display these certificates as EV certificates
if revocation checking via CRL succeeded.
If a website has a certificate without an OCSP AIA URL, but which is
otherwise a valid EV certificate, then the website administrator can get
the EV indicator back by either replacing the certificate with one that
does include an OCSP URI, or by manually configuring OCSP on the server to
use a fixed OCSP URI. In Apache, the option for setting the OCSP responder
URI is SSLStaplingForceURL [2]. I recommend you only use
SSLStaplingForceURL if your certificate does not contain an OCSP URI in the
AIA extension.
If the certificate chain that the CA provided is missing the OCSP URI in
the intermediates' AIA extension(s), then the certificate chain will need
to be replaced with one where all the necessary intermediates have the OCSP
URI in the AIA extension, in order for the EV indicator to be displayed in
Firefox.
For most users, this change marks the end of CRL support in Firefox (at
least in Firefox's default configuration), and we can act as though CRLs no
longer exist. (CRLs can still be imported into Firefox's certificate
database manually with command line tools, for now. However, people should
not expect Firefox to notice CRLs in the CRL database in Firefox 29 or
later.) Note that Firefox has never supported CRL fetching for non-EV
certificates.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=585122
[2] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl
Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
certificate, and then fall back to CRLs if there was no OCSP URI in the AIA
extension or if the OCSP fetch failed. In Firefox 28 and later, Firefox
will stop trying to use CRLs. See bug 585122 [1] which is fixed in Firefox
28. Firefox 28 will be released 2014-03-18.
Because Firefox does not fall back from a failed OCSP request to a CRL
request, an unreliable OCSP responder will now be more likely to result in
an EV certificate being displayed as a non-EV certificate. Websites can
avoid this issue, mostly, by supporting OCSP stapling. (I say "mostly"
because it is still an issue for the intermediate certificate). For this
reason, I highly recommend that all EV sites enable OCSP stapling.
Another consequence of this is that certificates that are missing the OCSP
URI in the AIA extension, but which are otherwise valid EV certificates,
will no longer be displayed as EV certificates. Previous versions of
Firefox (27 and before) would display these certificates as EV certificates
if revocation checking via CRL succeeded.
If a website has a certificate without an OCSP AIA URL, but which is
otherwise a valid EV certificate, then the website administrator can get
the EV indicator back by either replacing the certificate with one that
does include an OCSP URI, or by manually configuring OCSP on the server to
use a fixed OCSP URI. In Apache, the option for setting the OCSP responder
URI is SSLStaplingForceURL [2]. I recommend you only use
SSLStaplingForceURL if your certificate does not contain an OCSP URI in the
AIA extension.
If the certificate chain that the CA provided is missing the OCSP URI in
the intermediates' AIA extension(s), then the certificate chain will need
to be replaced with one where all the necessary intermediates have the OCSP
URI in the AIA extension, in order for the EV indicator to be displayed in
Firefox.
For most users, this change marks the end of CRL support in Firefox (at
least in Firefox's default configuration), and we can act as though CRLs no
longer exist. (CRLs can still be imported into Firefox's certificate
database manually with command line tools, for now. However, people should
not expect Firefox to notice CRLs in the CRL database in Firefox 29 or
later.) Note that Firefox has never supported CRL fetching for non-EV
certificates.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=585122
[2] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl
Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
fabio.n...@gmail.com
Mar 26, 2014, 2:29:51 PM3/26/14
to
Hi Brian,
I'm developing a Government Website that should be available to any of the main browsers, but our site certificate is not being recognized by Firefox since version 28 (it's OK for IE, Chrome and FF before v.28). To be able to recognize the certificate, our users have to manually import the certificates of all CA's in the chain.
The site is https://homologacao.nfce.fazenda.sp.gov.br
Our certificate was issued by brazilian CA "ICP-Brasil" .
If you log with IE or Chrome you'll be able to download the certificate and check the CA chain.
I think that if the chain could be added to the list of certificates it would solve the problem. We have another website that is certified by Verisign and it works normally (https://nfe.fazenda.sp.gov.br/ConsultaNFe/consulta/publica/ConsultarNFe.aspx)
Could you please help? I'd like to open a proper change request but I don't know how to do that.
Thanks in advance,
Fabio
I'm developing a Government Website that should be available to any of the main browsers, but our site certificate is not being recognized by Firefox since version 28 (it's OK for IE, Chrome and FF before v.28). To be able to recognize the certificate, our users have to manually import the certificates of all CA's in the chain.
The site is https://homologacao.nfce.fazenda.sp.gov.br
Our certificate was issued by brazilian CA "ICP-Brasil" .
If you log with IE or Chrome you'll be able to download the certificate and check the CA chain.
I think that if the chain could be added to the list of certificates it would solve the problem. We have another website that is certified by Verisign and it works normally (https://nfe.fazenda.sp.gov.br/ConsultaNFe/consulta/publica/ConsultarNFe.aspx)
Could you please help? I'd like to open a proper change request but I don't know how to do that.
Thanks in advance,
Fabio
David Keeler
Mar 26, 2014, 2:52:05 PM3/26/14
to dev-secur...@lists.mozilla.org
Accessing https://homologacao.nfce.fazenda.sp.gov.br gives me the same
error with Firefox 27 as with more recent versions. It looks like the
server isn't sending a complete certificate chain. More specifically, a
certificate with common name "Autoridade Certificadora Raiz Brasileira
v2" is necessary. There may be more, if that certificate isn't signed by
a root in Mozilla's root program.
Hope this helps,
David
error with Firefox 27 as with more recent versions. It looks like the
server isn't sending a complete certificate chain. More specifically, a
certificate with common name "Autoridade Certificadora Raiz Brasileira
v2" is necessary. There may be more, if that certificate isn't signed by
a root in Mozilla's root program.
Hope this helps,
David
Chris Hofmann
Mar 26, 2014, 3:34:14 PM3/26/14
to b...@digicert.com, dev-secur...@lists.mozilla.org
Is https://bugzilla.mozilla.org/show_bug.cgi?id=438825 at play here?
-chofmann
On 3/26/14 12:18 PM, Ben Wilson wrote:
> I get the same results using www.digicert.com/help :
>
> Subject AC Secretaria da Receita Federal do Brasil v3
> Valid from 21/Oct/2011 to 21/Oct/2021
> Issuer Autoridade Certificadora Raiz Brasileira v2
>
> The certificate is not signed by a trusted authority (checking against
> Mozilla's root store). If you bought the certificate from a trusted
> authority, you probably just need to install one or more Intermediate
> certificates. Contact your certificate provider for assistance doing this
> for your server platform.
>
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+ben=digice...@lists.mozilla.org] On
> Behalf Of David Keeler
> Sent: Wednesday, March 26, 2014 12:52 PM
> To: dev-secur...@lists.mozilla.org
> Subject: incomplete certificate chain [was Re: As of Firefox 28, Firefox
> will not fetch CRLs during EV certificate validation]
>
> Accessing https://homologacao.nfce.fazenda.sp.gov.br gives me the same error
> with Firefox 27 as with more recent versions. It looks like the server isn't
> sending a complete certificate chain. More specifically, a certificate with
> common name "Autoridade Certificadora Raiz Brasileira v2" is necessary.
> There may be more, if that certificate isn't signed by a root in Mozilla's
> root program.
>
> Hope this helps,
> David
>
> On 03/26/14 11:29, fabio.n...@gmail.com wrote:
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+ben=digice...@lists.mozilla.org] On
> Behalf Of David Keeler
> Sent: Wednesday, March 26, 2014 12:52 PM
> To: dev-secur...@lists.mozilla.org
> Subject: incomplete certificate chain [was Re: As of Firefox 28, Firefox
> will not fetch CRLs during EV certificate validation]
>
> Accessing https://homologacao.nfce.fazenda.sp.gov.br gives me the same error
> with Firefox 27 as with more recent versions. It looks like the server isn't
> sending a complete certificate chain. More specifically, a certificate with
> common name "Autoridade Certificadora Raiz Brasileira v2" is necessary.
> There may be more, if that certificate isn't signed by a root in Mozilla's
> root program.
>
> Hope this helps,
> David
>
> On 03/26/14 11:29, fabio.n...@gmail.com wrote:
>> Hi Brian,
>> I'm developing a Government Website that should be available to any of the
> main browsers, but our site certificate is not being recognized by Firefox
> since version 28 (it's OK for IE, Chrome and FF before v.28). To be able to
> recognize the certificate, our users have to manually import the
> certificates of all CA's in the chain.
>> The site is https://homologacao.nfce.fazenda.sp.gov.br
>>
>> Our certificate was issued by brazilian CA "ICP-Brasil" .
>>
>> If you log with IE or Chrome you'll be able to download the certificate
> and check the CA chain.
>> I think that if the chain could be added to the list of certificates
>> it would solve the problem. We have another website that is certified
>> by Verisign and it works normally
>> (https://nfe.fazenda.sp.gov.br/ConsultaNFe/consulta/publica/ConsultarN
>> Fe.aspx)
>>
>> Could you please help? I'd like to open a proper change request but I
> don't know how to do that.
>> Thanks in advance,
>> Fabio
> _______________________________________________
>> I'm developing a Government Website that should be available to any of the
> main browsers, but our site certificate is not being recognized by Firefox
> since version 28 (it's OK for IE, Chrome and FF before v.28). To be able to
> recognize the certificate, our users have to manually import the
> certificates of all CA's in the chain.
>> The site is https://homologacao.nfce.fazenda.sp.gov.br
>>
>> Our certificate was issued by brazilian CA "ICP-Brasil" .
>>
>> If you log with IE or Chrome you'll be able to download the certificate
> and check the CA chain.
>> I think that if the chain could be added to the list of certificates
>> it would solve the problem. We have another website that is certified
>> by Verisign and it works normally
>> (https://nfe.fazenda.sp.gov.br/ConsultaNFe/consulta/publica/ConsultarN
>> Fe.aspx)
>>
>> Could you please help? I'd like to open a proper change request but I
> don't know how to do that.
>> Thanks in advance,
>> Fabio
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
fabio.n...@gmail.com
Mar 28, 2014, 8:56:09 AM3/28/14
to
Hi David,
you're right.. I probably had installed the root certificate "Autoridade Certificadora Raiz Brasileira v2" when using version 27 for some other task before my tests, and that's caused the test to pass. When I reinstalled 27 after uninstall 28 I could reproduce the error.
Hi Chofmann,
I believe the implementation of https://bugzilla.mozilla.org/show_bug.cgi?id=438825 would solve my problem. I'll monitor this bug and check when solved.
Thanks all!
fabio
you're right.. I probably had installed the root certificate "Autoridade Certificadora Raiz Brasileira v2" when using version 27 for some other task before my tests, and that's caused the test to pass. When I reinstalled 27 after uninstall 28 I could reproduce the error.
Hi Chofmann,
I believe the implementation of https://bugzilla.mozilla.org/show_bug.cgi?id=438825 would solve my problem. I'll monitor this bug and check when solved.
Thanks all!
fabio
0 new messages