Previously, Firefox would try to use OCSP to check revocation of an EV
certificate, and then fall back to CRLs if there was no OCSP URI in the AIA
extension or if the OCSP fetch failed. In Firefox 28 and later, Firefox
will stop trying to use CRLs. See bug 585122 [1] which is fixed in Firefox
28. Firefox 28 will be released 2014-03-18.
Because Firefox does not fall back from a failed OCSP request to a CRL
request, an unreliable OCSP responder will now be more likely to result in
an EV certificate being displayed as a non-EV certificate. Websites can
avoid this issue, mostly, by supporting OCSP stapling. (I say "mostly"
because it is still an issue for the intermediate certificate). For this
reason, I highly recommend that all EV sites enable OCSP stapling.
Another consequence of this is that certificates that are missing the OCSP
URI in the AIA extension, but which are otherwise valid EV certificates,
will no longer be displayed as EV certificates. Previous versions of
Firefox (27 and before) would display these certificates as EV certificates
if revocation checking via CRL succeeded.
If a website has a certificate without an OCSP AIA URL, but which is
otherwise a valid EV certificate, then the website administrator can get
the EV indicator back by either replacing the certificate with one that
does include an OCSP URI, or by manually configuring OCSP on the server to
use a fixed OCSP URI. In Apache, the option for setting the OCSP responder
URI is SSLStaplingForceURL [2]. I recommend you only use
SSLStaplingForceURL if your certificate does not contain an OCSP URI in the
AIA extension.
If the certificate chain that the CA provided is missing the OCSP URI in
the intermediates' AIA extension(s), then the certificate chain will need
to be replaced with one where all the necessary intermediates have the OCSP
URI in the AIA extension, in order for the EV indicator to be displayed in
Firefox.
For most users, this change marks the end of CRL support in Firefox (at
least in Firefox's default configuration), and we can act as though CRLs no
longer exist. (CRLs can still be imported into Firefox's certificate
database manually with command line tools, for now. However, people should
not expect Firefox to notice CRLs in the CRL database in Firefox 29 or
later.) Note that Firefox has never supported CRL fetching for non-EV
certificates.
[1]
https://bugzilla.mozilla.org/show_bug.cgi?id=585122
[2]
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstaplingforceurl
Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)