Hey,

> My calendars locked again yesterday. The trick of changing their
> readonly and disabled status via the configuration editor and then
> restarting Thunderbird once again fixed them. This time I was able
> to copy the errors from the Thunderbird log (attached) and match
> them to Apache errors on my SOGo server caused by the StartCom OCSP
> server being off-line once more.

There is a bug in Lightning[0] for which a patch exists[1] and a nightly build is available[2] (without localization and all that). The Mozilla Lightning team will roll out an updated Lightning version real soon now or in two weeks -- depending on whom you ask. (And I have no idea if this will be v4.0.2.1 or v4.0.3.) There also is a bug entry[3] in SOGo's bug tracker providing that information.

So either use the nightly build, or manually patch your version of Lightning and roll it out via your update mechanism, or locally patch the source of the installed plugin (luckily there are just JavaScript files to patch).
> Hunting through Thunderbird I have now found in Preferences ->
> Advanced -> Certificates that there is a "Query OCSP responder
> servers to confirm the current validity of certificates" setting. It
> is enabled on my installation and I am going to disable it to see if
> it helps. As OCSP stapling on my Apache (SOGo) server should do
> this verification, my belief is that having the client do it too is
> redundant. Certainly Google have retired this feature from their
> Chrome browser, so they clearly don't see the value.

The problem itself has nothing to do with OCSP but with a race when initializing and establishing a connection.

To fix the trouble with OCSP you definitely want to use and configure OCSP stapling on the web server side. OCSP stapling does *not* validate the certificate on the server side (which would be utterly useless) but caches a valid OCSP response for some time and sends it to the client to streamline the process of certificate validation. An OCSP response is signed by the OCSP server and has -- as with all SSL certs -- a certain validity time span within which it is considered to be valid. Validation itself still has to be done by the client.

Common sources of trouble with OCSP can be:

* time drift on the client (system clock off by more than some hours)
* OCSP stapling not configured
* OCSP stapling configuration wrong:
  - Apache has no OCSP responder configured (no AIA extension in the certificate); so you could try to set one with SSLStaplingForceURL
  - cache time too long/short (try to find out how long an OCSP response is valid at your favorite snakeoil seller)

Anyway, there are many tutorials[4] out there helping with correctly setting that up.
-- 
Adi

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1195974
[1] https://hg.mozilla.org/releases/comm-esr38/rev/839f27cac475
[2] https://ftp.mozilla.org/pub/mozilla.org/calendar/lightning/tinderbox-builds/
[3] http://www.sogo.nu/bugs/view.php?id=3325
[4] https://raymii.org/s/tutorials/OCSP_Stapling_on_Apache2.html

-- 
users@sogo.nu
https://inverse.ca/sogo/lists
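As an added example (not code from this thread, nor from SOGo, Apache or Lightning): a small Python check that reads the transcript printed by `openssl s_client -connect host:443 -status` and maps what it finds to the failure causes listed above (no stapled response, client clock drift, a stapling cache that outlives the response's validity window). The transcripts below are constructed, and the host name is a placeholder.

```python
from datetime import datetime, timezone
import re

# Constructed transcript, shaped like `openssl s_client -status` output
# for a server that staples a two-day OCSP response; not a real capture.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Oct 12 08:00:00 2015 GMT
    Next Update: Oct 14 08:00:00 2015 GMT
======================================
"""
SAMPLE_NONE = "OCSP response: no response sent\n"  # stapling not configured

TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # how openssl prints the OCSP timestamps

def utc(*parts):
    """Build a UTC timestamp standing in for the client's system clock."""
    return datetime(*parts, tzinfo=timezone.utc)

def parse_stapled(transcript):
    """None when nothing was stapled, else (status, this_update, next_update)."""
    if "OCSP response: no response sent" in transcript:
        return None
    grab = lambda label: re.search(label + r": *(.+)", transcript).group(1).strip()
    as_time = lambda s: datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)
    return grab("Cert Status"), as_time(grab("This Update")), as_time(grab("Next Update"))

def diagnose(transcript, now):
    """Map the stapled response (or its absence) to the failure causes
    listed in the thread, judged against the client's clock `now`."""
    parsed = parse_stapled(transcript)
    if parsed is None:
        return "stapling not configured (server sent no OCSP response)"
    status, this_update, next_update = parsed
    if status != "good":
        return "certificate status is " + status
    if now < this_update:
        return "response not yet valid: client clock behind or responder ahead"
    if now > next_update:
        return "stale response: stapling cache TTL exceeds response validity"
    return "ok: stapled response valid for this client clock"
```

Feed it the real transcript and the client's current UTC time; a "stale response" verdict points at the Apache stapling cache settings, a "not yet valid" verdict at the client clock.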