[Mozilla Enterprise] security.OCSP.require - Breaks Many Sites
Eddie Rowe
eddie.rowe at tdhca.state.tx.us
Thu Feb 27 21:53:57 UTC 2020
Yes, I am following the guidance of a security baseline and setting this to true. I guess I was thinking that OCSP stapling support would be broad enough by now that we should not have issues. I think we are left with no option but to turn this feature off. I was hoping I had overlooked something and I do appreciate the response!
From: Enterprise <enterprise-bounces at mozilla.org> On Behalf Of Osdoba, Sascha
Sent: Thursday, February 27, 2020 3:57 AM
To: enterprise at mozilla.org
Subject: Re: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites
Hi,
Mike Kaply answered my question to OCSP setting before so I guess you should not use it.
12. November 2019 17:37
Re: [Mozilla Enterprise] security.OCSP.require
FYI, on discussion with my team, there are lots of problems with OCSP. I assume you're setting it to true?
It can cause mysterious failures and very long delays loading web pages.
Mike
Regards,
Sascha
Von: Enterprise <enterprise-bounces at mozilla.org<mailto:enterprise-bounces at mozilla.org>> Im Auftrag von Eddie Rowe
Gesendet: Mittwoch, 19. Februar 2020 00:18
An: enterprise at mozilla.org<mailto:enterprise at mozilla.org>
Betreff: [Mozilla Enterprise] security.OCSP.require - Breaks Many Sites
// 4.6 (L2) Set OCSP Response Policy
defaultPref("security.OCSP.require", true);
I have enabled this setting in ESR 68.4 x64 and many sites such as Google and even Mozilla just do not work. I don't see how this could be adopted at a company level without created chaos. Are there persons still using this setting? Have you adjusted other settings to help out Firefox?
Example site that does not work with this setting set to true:
https://support.mozilla.org/en-US/questions/1169855<https://urldefense.proofpoint.com/v2/url?u=https-3A__support.mozilla.org_en-2DUS_questions_1169855&d=DwMFAg&c=2WwxlqHD_9GeHFEUsOHZXg&r=a0pF-r4VjZCyzB4zxbRDcONPyw-KRRoDiBPd4lDRky8&m=HvCIg11cKsHElgSv7Tq5xco03Qz-qJllEkm-EhS5N0Q&s=Dl4cI7nyOUmEIpqLsZbWhzXdEhPWuOw4xZxDooL0aAg&e=>
Error:
"Secure Connection Failed
An error occurred during a connection to support.mozilla.org. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/enterprise/attachments/20200227/fbe7d8f8/attachment.html>
More information about the Enterprise
mailing list