Nelson B Bolyard wrote:
> Kaspar Brand wrote, On 2008-10-18 00:18:
>> Nelson B Bolyard wrote:
>
>>> Yes. Bad response, ugly errors, no fun.
>> With the default settings in Firefox 3, it isn't that bad... remember
>> that it's the "graceful failure" mode which is selected by default:
>>
>
> Don't forget the OCSP checks done in cert manager, and the effect of
> failed OCSP checks on the behavior of cert manager.

With Firefox 3, cert manager no longer validates certs (the "Purposes"
column was removed). In cert viewer, OCSP failures might indeed be an
issue, correct.

However, importing the "Microsec e-Szigno Root CA" from
http://srv.e-szigno.hu/menu/RootCA.crt, enabling trust for SSL and then
navigating to https://arca.e-szigno.hu works quite well with the default
validation settings in Firefox 3 - cert viewer will even say that the
cert has been verified for use as an "SSL Server Certificate".

Enabling "hard failure" mode for OCSP and then visiting
https://arca.e-szigno.hu/ is no fun, admittedly... but the error message
is somewhat misleading (SEC_ERROR_OCSP_MALFORMED_REQUEST, "The OCSP
server found the request to be corrupted or improperly formed", should
better be SEC_ERROR_CERT_BAD_ACCESS_LOCATION [1]).

Kaspar

[1] see
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certhigh/ocsp.c&rev=1.55&mark=3267#3267

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto