On 03.10.2015 at 11:16, Kaspar Brand wrote:
> On 01.10.2015 16:32, Reindl Harald wrote:
>> On 01.10.2015 at 16:29, Plüm, Rüdiger, Vodafone Group wrote:
>>> The question is: What happens on Firefox side. Of course it still tries to get to the OCSP server, but it should not cause an error on Firefox side if this does not work.
>>
>> no, it does not because "security.OCSP.enabled = 0" and I saw at least two requests to different servers failing with my Firefox with the responder error from the webserver
>
> What do you have security.OCSP.require set to? If it's "true" (a setting no longer configurable through the UI, BTW, see https://bugzilla.mozilla.org/show_bug.cgi?id=1034360), then Firefox shows a fairly peculiar behavior: even when OCSP checking is disabled (by setting security.OCSP.enabled to "0", through the "Query OCSP responder servers to confirm the current validity of certificates" preference in the UI under Advanced -> Certificates), it still includes a status_request extension in the TLS handshake, and will subsequently fail when it receives a stapled tryLater OCSP response, as long as security.OCSP.require=true

security.OCSP.require=false is the default but it's not only my client with random failed connections

[Sat Oct 03 00:15:01.478741 2015] [ssl:error] [pid 27458] (104)Connection reset by peer: [client 81.223.20.5:59844] AH01977: failed reading line from OCSP server
[Sat Oct 03 00:45:01.618792 2015] [ssl:error] [pid 4965] (104)Connection reset by peer: [client 81.223.20.5:33566] AH01977: failed reading line from OCSP server
[Sat Oct 03 01:15:01.589643 2015] [ssl:error] [pid 5599] (104)Connection reset by peer: [client 81.223.20.5:36218] AH01977: failed reading line from OCSP server
[Sat Oct 03 01:45:01.816132 2015] [ssl:error] [pid 4965] (104)Connection reset by peer: [client 81.223.20.5:38762] AH01977: failed reading line from OCSP server
[Sat Oct 03 02:15:01.187187 2015] [ssl:error] [pid 14361] (104)Connection reset by peer: [client 81.223.20.5:41043] AH01977: failed reading line from OCSP server
[Sat Oct 03 02:45:01.292205 2015] [ssl:error] [pid 14366] (104)Connection reset by peer: [client 81.223.20.5:42999] AH01977: failed reading line from OCSP server
[Sat Oct 03 03:15:01.353077 2015] [ssl:error] [pid 14364] (104)Connection reset by peer: [client 81.223.20.5:45180] AH01977: failed reading line from OCSP server
[Sat Oct 03 03:45:01.428090 2015] [ssl:error] [pid 14364] (104)Connection reset by peer: [client 81.223.20.5:46857] AH01977: failed reading line from OCSP server
[Sat Oct 03 04:15:02.019261 2015] [ssl:error] [pid 26399] (104)Connection reset by peer: [client 81.223.20.5:49007] AH01977: failed reading line from OCSP server
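
An added example, not part of the original messages or of the httpd project's code: a small parser for the AH01977 error-log lines quoted above that groups the failures by client address and reports the gap between consecutive failures, which helps when checking whether one client or many are affected. The function names are hypothetical, and the sample contains three lines from the message plus two constructed lines (the 192.0.2.10 entry and the core:notice entry).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three lines copied from the message above, one constructed
# AH01977 line from a documentation address, and one constructed unrelated line.
SAMPLE_LOG = """\
[Sat Oct 03 00:15:01.478741 2015] [ssl:error] [pid 27458] (104)Connection reset by peer: [client 81.223.20.5:59844] AH01977: failed reading line from OCSP server
[Sat Oct 03 00:16:00.000000 2015] [core:notice] [pid 1] constructed unrelated line
[Sat Oct 03 00:20:00.000000 2015] [ssl:error] [pid 27458] (104)Connection reset by peer: [client 192.0.2.10:40000] AH01977: failed reading line from OCSP server
[Sat Oct 03 00:45:01.618792 2015] [ssl:error] [pid 4965] (104)Connection reset by peer: [client 81.223.20.5:33566] AH01977: failed reading line from OCSP server
[Sat Oct 03 01:15:01.589643 2015] [ssl:error] [pid 5599] (104)Connection reset by peer: [client 81.223.20.5:36218] AH01977: failed reading line from OCSP server
"""

# Matches only ssl:error lines tagged AH01977; the "(errno)text: " part is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid (?P<pid>\d+)\] "
    r"(?:\((?P<errno>\d+)\)(?P<errtext>[^:]*): )?"
    r"\[client (?P<ip>[^\]]+):(?P<port>\d+)\] AH01977: "
)

def parse_ah01977(text):
    """Return (timestamp, client_ip, os_error_text) for every AH01977 line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other modules, other message IDs, blank lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        events.append((ts, m["ip"], m["errtext"] or ""))
    return events

def summarize(events):
    """Per client: failure count and gaps (whole minutes) between failures."""
    by_client = defaultdict(list)
    for ts, ip, _ in events:
        by_client[ip].append(ts)
    summary = {}
    for ip, stamps in by_client.items():
        stamps.sort()
        gaps = [round((b - a).total_seconds() / 60)
                for a, b in zip(stamps, stamps[1:])]
        summary[ip] = {"count": len(stamps), "gap_minutes": gaps}
    return summary

if __name__ == "__main__":
    for ip, info in summarize(parse_ah01977(SAMPLE_LOG)).items():
        print(ip, info)
```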