
Invalid OCSP signing certificate in OCSP response


David E. Ross

Jun 28, 2015, 10:09:23 AM
to mozilla-dev-s...@lists.mozilla.org
I am getting a number of failures to reach Web sites. The error message
says:

An error occurred during a connection to [some domain].
Invalid OCSP signing certificate in OCSP response.
(Error code: sec_error_ocsp_invalid_signing_cert)


--
David E. Ross

I am sticking with SeaMonkey 2.26.1 until saved passwords can
be used when autocomplete=off. See
<https://bugzilla.mozilla.org/show_bug.cgi?id=433238>.

David Keeler

Jun 29, 2015, 12:51:19 PM
to dev-secur...@lists.mozilla.org
Please file a new bug here:
https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM

To debug the issue, it would be helpful to have packet captures of the
failing TLS handshakes and any related OCSP requests. This can be done
with tcpdump or wireshark - let me know if you want more details on
that. At the very least, knowing what domains are failing would be useful.

Thanks!

Ondrej Mikle

Jun 29, 2015, 12:52:43 PM
to dev-secur...@lists.mozilla.org
On 06/28/2015 04:08 PM, David E. Ross wrote:
> I am getting a number of failures to reach Web sites. The error message
> says:
>
> An error occurred during a connection to [some domain].
> Invalid OCSP signing certificate in OCSP response.
> (Error code: sec_error_ocsp_invalid_signing_cert)

The common causes for this were a bad clock or an expired signing certificate
for the OCSP response. Firefox used to have another
requirement restricting the responder's certificate chain (something
like the site's issuing CA cert had to match the responder's CA cert, but I
can't find the correct bugzilla entry now; there are too many of them for
sec_error_ocsp_invalid_signing_cert).

I'd check the OCSP responses of the sites in question with openssl first, to see
whether it finds an error or not.

Ondrej

Gordon Young

Jun 29, 2015, 12:56:56 PM
to dev-secur...@lists.mozilla.org
The test client class in Mozilla's NSS has been helpful for me as well:
http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_2_1_RTM/src/nss-3.2.1/mozilla/security/nss/cmd/tstclnt/tstclnt.c

I had used tstclnt when on-boarding a CA into the mozilla program in the
past.


Thanks,
~Gordon


On Mon, Jun 29, 2015 at 9:51 AM, David Keeler <dke...@mozilla.com> wrote:

> Please file a new bug here:
>
> https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM
>
> To debug the issue, it would be helpful to have packet captures of the
> failing TLS handshakes and any related OCSP requests. This can be done
> with tcpdump or wireshark - let me know if you want more details on
> that. At the very least, knowing what domains are failing would be useful.
>
> Thanks!
>
> On 06/28/2015 07:08 AM, David E. Ross wrote:
> > I am getting a number of failures to reach Web sites. The error message
> > says:
> >
> > An error occurred during a connection to [some domain].
> > Invalid OCSP signing certificate in OCSP response.
> > (Error code: sec_error_ocsp_invalid_signing_cert)

Gordon Young

Jun 29, 2015, 1:05:31 PM
to dev-secur...@lists.mozilla.org
Sorry, not the freshest version of NSS; an old version, in fact.

Latest can be obtained here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

This sample client application does TLS from the context of the NSS
libraries; you could possibly debug the OCSP response with this code.

~Gordon

Franck Leroy

Jun 29, 2015, 6:13:15 PM
to mozilla-dev-s...@lists.mozilla.org
Hello

Does your OCSP response contain the nextUpdate field?

Franck
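Putting Ondrej's openssl suggestion and Franck's nextUpdate question together, here is an added example that is not from the thread: a POSIX shell script that pulls a site's chain, queries the responder named in the leaf's AIA extension, and flags whether the responder's signing certificate verified and whether nextUpdate is present. The host argument, temp file names and the two sample responses are constructed for illustration; openssl, awk and sed are assumed to be installed with a populated default CA store.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl, awk, sed and a
# populated default CA store (openssl ocsp falls back to it without -CAfile).

# Fetch leaf (cert1) and issuer (cert2) for HOST and print the textual OCSP
# response. openssl writes "Response verify OK" / "Response Verify Failure"
# to stderr, so merge it into the output for the summary step.
fetch_ocsp_text() {
    host="$1"
    tmp=$(mktemp -d)
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null \
        | awk -v d="$tmp" '/BEGIN CERT/{n++; p=1} p{print > (d "/cert" n ".pem")} /END CERT/{p=0}'
    uri=$(openssl x509 -in "$tmp/cert1.pem" -noout -ocsp_uri)
    openssl ocsp -issuer "$tmp/cert2.pem" -cert "$tmp/cert1.pem" \
        -url "$uri" -resp_text 2>&1
    rm -rf "$tmp"
}

# Summarise one textual response read from stdin. Prints one finding per
# line; returns 0 only if the signature verified and nextUpdate is present.
summarize_ocsp() {
    out=$(cat)
    rc=0
    printf '%s\n' "$out" | sed -n 's/^ *Responder Id: */responder: /p; s/^ *Cert Status: */status: /p'
    case "$out" in
        *"Response verify OK"*) echo "signature: verify OK" ;;
        *) echo "signature: FAILED (responder certificate did not verify)"; rc=1 ;;
    esac
    case "$out" in
        *"Next Update:"*) echo "nextUpdate: present" ;;
        *) echo "nextUpdate: MISSING"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples in the shape of `openssl ocsp -resp_text` output:
# a healthy delegated responder, and the failing case from the thread.
SAMPLE_GOOD='OCSP Response Data:
    Responder Id: C = XX, O = Example CA, CN = Example OCSP Signer
    Cert Status: good
    This Update: Jun 29 09:00:00 2015 GMT
    Next Update: Jul  6 09:00:00 2015 GMT
Response verify OK'
SAMPLE_BAD='OCSP Response Data:
    Responder Id: C = XX, O = Example CA, CN = Stale OCSP Signer
    Cert Status: good
    This Update: Jun 29 09:00:00 2015 GMT
Response Verify Failure'

echo "constructed good response:"; printf '%s\n' "$SAMPLE_GOOD" | summarize_ocsp
echo "constructed failing response:"; printf '%s\n' "$SAMPLE_BAD" | summarize_ocsp || echo "summary exit status: $?"
# Live check when a host is given, e.g. ./ocspcheck.sh example.com
if [ -n "${1:-}" ]; then fetch_ocsp_text "$1" | summarize_ocsp; fi
```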