Erik van Straten

Feature request: ssllabs.com could report erroneous OCSP stapling info

Discussion created by Erik van Straten on Aug 24, 2014
Latest reply on Sep 5, 2014 by Ivan Ristić

Hello Readers,

First a big thank you to Qualys for providing the ssllabs service! It helps a lot in making the internet a safer place.

Fashion website https://www.bandolera.com/ gets an A score, but fails to open in Firefox 31.0 with an OCSP error.

The reason for this OCSP error in Firefox is that Bandolera includes obsolete OCSP stapling information, and the recent Mozilla switch to "mozilla::pkix" apparently skips an online OCSP check. The OCSP stapling data currently returned by bandolera.com is time-stamped 2014-02-18 09:22:32 (UTC), while an OCSP validating certificate is included that is valid up to 2014-04-06 23:59:59 (UTC).

Note: the site opens without errors in Firefox by configuring one of the about:config settings 'security.ssl.enable_ocsp_stapling=false' or 'security.use_mozillapkix_verification=false' (returning Firefox to the old behavior).

Although I expect that it will be a lot of work, it would be nice if ssllabs.com could provide information on correctly configured/misconfigured OCSP stapling!

Best regards,

Erik van Straten

PS I did not find the issue with Bandolera myself; it was reported by a user "Serleena" (in Dutch) at "Nieuwe certificaatcontrole aan Mozilla Firefox toegevoegd" ("New certificate check added to Mozilla Firefox") - Security.NL.
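As an added example (not part of the original post, and not SSL Labs code), the following script performs the kind of check the post asks for: it reads the text that `openssl s_client -status` prints for a stapled OCSP response, extracts the `This Update` / `Next Update` window and the certificate status, and reports whether a strict client would accept the staple. The rule applied (reject a staple whose `Next Update` has already passed or whose `This Update` lies in the future) is an assumption about strict client behaviour, not a description of mozilla::pkix internals. The sample responses are constructed in `render_sample`; the dates of the stale one mirror the post, the live fetch helper is only for interactive use.

```python
"""Check the freshness of the OCSP response a TLS server staples.

Added example, not from the forum post or SSL Labs. Parses the text printed
by `openssl s_client -status` and classifies the stapled response the way a
strict client would (assumption: expired or not-yet-valid staples are rejected).
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Matches lines such as "    Next Update: Apr  6 23:59:59 2014 GMT"
_TIME_LINE = re.compile(
    r"^\s*(Produced At|This Update|Next Update):\s+"
    r"([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\d{4}) GMT\s*$")
_CERT_STATUS = re.compile(r"^\s*Cert Status:\s+(\w+)")
_RESP_STATUS = re.compile(r"^\s*OCSP Response Status:\s+(\w+)")


def parse_openssl_time(mon, day, hh, mm, ss, year):
    """Turn the fields of an OpenSSL time print-out into a UTC datetime."""
    return datetime(int(year), MONTHS.index(mon) + 1, int(day),
                    int(hh), int(mm), int(ss), tzinfo=timezone.utc)


def parse_stapled_response(text):
    """Return a dict of the interesting fields, or None if no staple was sent."""
    if "OCSP response: no response sent" in text:
        return None
    info = {}
    for line in text.splitlines():
        m = _TIME_LINE.match(line)
        if m:
            info[m.group(1)] = parse_openssl_time(*m.groups()[1:])
            continue
        m = _CERT_STATUS.match(line)
        if m:
            info["Cert Status"] = m.group(1)
            continue
        m = _RESP_STATUS.match(line)
        if m:
            info["Response Status"] = m.group(1)
    return info


def evaluate_staple(text, now=None, skew=timedelta(minutes=5)):
    """Classify the staple: not stapled / unparseable / responder error /
    not yet valid / expired / good / revoked / unknown."""
    now = now or datetime.now(timezone.utc)
    info = parse_stapled_response(text)
    if info is None:
        return "not stapled"
    if "Response Status" in info and info["Response Status"] != "successful":
        return "responder error"
    this_update, next_update = info.get("This Update"), info.get("Next Update")
    if this_update is None:
        return "unparseable"
    if this_update > now + skew:          # small clock skew tolerated
        return "not yet valid"
    if next_update is not None and next_update < now:
        return "expired"                   # the obsolete staple from the post
    status = info.get("Cert Status", "unknown")
    return status if status in ("good", "revoked") else "unknown"


def render_sample(this_update, next_update, cert_status="good"):
    """Build constructed `s_client -status` output (sample data, not a capture)."""
    def fmt(dt):
        return f"{MONTHS[dt.month - 1]} {dt.day:2d} {dt:%H:%M:%S} {dt.year} GMT"
    return "\n".join([
        "OCSP response:",
        "======================================",
        "OCSP Response Data:",
        "    OCSP Response Status: successful (0x0)",
        "    Response Type: Basic OCSP Response",
        f"    Produced At: {fmt(this_update)}",
        "    Responses:",
        f"    Cert Status: {cert_status}",
        f"    This Update: {fmt(this_update)}",
        f"    Next Update: {fmt(next_update)}",
        "======================================", ""])


def fetch_s_client_status(host, port=443, timeout=20):
    """Live check (needs network): run openssl s_client -status against a host."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=timeout, check=False)
    return proc.stdout.decode(errors="replace")


def example_verdicts():
    """Run the checker over constructed samples as of 2014-08-24 (the post's date)."""
    checked_at = datetime(2014, 8, 24, tzinfo=timezone.utc)
    utc = timezone.utc
    stale = render_sample(datetime(2014, 2, 18, 9, 22, 32, tzinfo=utc),
                          datetime(2014, 2, 25, 9, 22, 32, tzinfo=utc))
    fresh = render_sample(checked_at - timedelta(days=1), checked_at + timedelta(days=6))
    future = render_sample(checked_at + timedelta(days=1), checked_at + timedelta(days=8))
    revoked = render_sample(checked_at - timedelta(days=1),
                            checked_at + timedelta(days=6), "revoked")
    return {
        "stale": evaluate_staple(stale, checked_at),
        "fresh": evaluate_staple(fresh, checked_at),
        "future": evaluate_staple(future, checked_at),
        "revoked": evaluate_staple(revoked, checked_at),
        "none": evaluate_staple("OCSP response: no response sent\n", checked_at),
    }


if __name__ == "__main__":
    for name, verdict in example_verdicts().items():
        print(f"{name:8s}: {verdict}")
```

To check a real server, feed `fetch_s_client_status("www.example.com")` (hypothetical host) into `evaluate_staple`; a server that staples an old response shows `expired`, which is exactly the condition a grade alone does not reveal.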
