
OCSP error on https://www.ssllabs.com #920

Open
annubiz opened this issue Mar 6, 2023 · 3 comments

Comments


annubiz commented Mar 6, 2023

I went to https://www.ssllabs.com today to test another site. I got an OCSP error trying to hit https://www.ssllabs.com.
I always have security.OCSP.enabled set to 1 (true) in my browser and security.OCSP.require set to true.

After I set security.OCSP.require to false I could hit your site. I did a little digging to find the root cause.
Your certificate was issued by DigiCert and the OCSP endpoint in the cert they issued to you is http://ocsp.digicert.com/.
If you do an SSL server test on ocsp.digicert.com, your report:
https://www.ssllabs.com/ssltest/analyze.html?d=ocsp.digicert.com

says that DigiCert's own OCSP endpoint's certificate has a hostname mismatch.
Last month the certificate was expired. Now they issued a new one that has:
Alternative names | digicert.edgecastcdn.net cacerts.digicert.com dl.cacerts.digicert.com vmc.digicert.com   MISMATCH

The clowns at DigiCert /ignored/ my direct request (for months) to them to fix their expired cert. I kept running into many of their customers' sites that I could not connect to without disabling OCSP validation checks. It appears that they /finally/ issued a new cert, but they did such an amateur job that their OCSP validation /still/ won't work. I mean... it's not like it's their job to issue certs and they should know how to do their #1 primary function..... OH it IS their job! What a bunch of clowns.

YOU are a customer of theirs, you use their certs. Can you PLEASE contact the DigiCert enterprise help desk and kindly point out their error, and ask them to fix it? Please?

I can't connect to any of their customers' sites without disabling OCSP validation... which violates cyber hygiene 101.

Thank you for your time.


smuda commented Mar 9, 2023

OCSP is normally http-only, for good reasons. All the DigiCert certificates I looked at point to http://ocsp.digicert.com, and you even wrote http in your message, not https.

You don't need SSL/TLS for a protocol where the payload is signed and there are no privacy requirements.


annubiz commented Mar 9, 2023 via email


smuda commented Mar 12, 2023

In your first post you complained that DigiCert does not provide OCSP over https.

I'm not arguing that OCSP is a bad thing, I'm just telling you that the OCSP protocol does not need SSL/TLS because there are other security mechanisms in place. Publishing OCSP servers has historically always been done over http. Just think about what happens if you require OCSP and the TLS certificate from DigiCert (if there were such a certificate) points to the same site for OCSP. You would end up in an endless loop. DigiCert is following best practice when publishing their OCSP server over plain http.

The problem you're seeing is likely something other than requiring OCSP. Perhaps you have enabled some other browser configuration (or plugin) that redirects all http traffic to https.
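The point made above, that an OCSP answer is authenticated by the CA's signature rather than by the transport, as an added offline demo with the openssl CLI (constructed for this thread, not part of the issue or of any project's code; the CA name, hostname and temp-dir paths are assumptions):

```shell
#!/bin/sh
# Constructed demo: a throwaway CA issues a leaf cert, answers an OCSP request for it,
# and the client accepts or rejects the answer purely on the CA signature, the same
# check a browser performs whether the bytes arrived over http or https. Offline only.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_pki() (            # subshell so the cd does not leak into the caller
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo OCSP CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=leaf.example.test" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 1 >/dev/null 2>&1
  serial=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
  # Responder database, one line per issued cert:
  # status V(alid), expiry, revocation date (empty), serial, file, subject.
  printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=leaf.example.test\n' "$serial" >index.txt
  # The client's query, i.e. the body it would POST to the http://ocsp... URL in the cert.
  openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
)

# Responder side: sign an answer to req.der with the CA key. The optional second
# argument -badsig is an openssl switch that deliberately corrupts the signature,
# standing in for a response altered on the wire.
sign_response() {
  extra=${2:-}
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" -rsigner "$WORK/ca.pem" \
    -rkey "$WORK/ca.key" -rmd sha256 -reqin "$WORK/req.der" -respout "$WORK/$1" \
    $extra >/dev/null 2>&1
}

# Client side: trust only ca.pem. Prints the certificate status openssl reports
# ("good" here), or "rejected" when the signature or the signer chain does not verify.
check_response() {
  if out=$(openssl ocsp -respin "$WORK/$1" -issuer "$WORK/ca.pem" \
        -cert "$WORK/leaf.pem" -CAfile "$WORK/ca.pem" -no_nonce 2>/dev/null); then
    printf '%s\n' "$out" | sed -n '1s/^.*: //p'
  else
    echo rejected
  fi
}

build_pki
sign_response good.der
sign_response forged.der -badsig
echo "genuine response:  $(check_response good.der)"    # good
echo "tampered response: $(check_response forged.der)"  # rejected
```

Because the client validates the signer against its own trust store, a response served over plain http carries exactly the same assurance as one served over https, which is why CAs publish responders at http:// URLs.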
