With "validate a certificate if it specifies an OCSP server" turned on in Firefox (4.0-1), sometimes navigating to https://bbs.archlinux.org and https://wiki.archlinux.org fails with:
An error occurred during a connection to bbs.archlinux.org.
The OCSP server returned unexpected/invalid HTTP data.
(Error code: sec_error_ocsp_bad_http_response)
If I restart the browser and then open the URLs again, the page gives no errors, though I'm not sure whether this is always the case or just mostly. I never get this error with other sites, and have not tried with other browsers.
Last edited by rwd (2011-04-20 06:36:38)
That is indeed odd.
That error code (google lookup) seems to imply that StartCom's (archlinux ssl certificate provider) ocsp server was either offline or returned a garbage response. I just did a manual test (very arcane syntax) and it seemed to respond fine (I got the 'good' message). However, the response was not 'verified', so maybe that is why firefox pukes?
A bad response (not verified) in conjunction with 'when an ocsp connection fails, treat it as invalid' option being set might show the error.
I have that option unset by default in firefox, it seems. Did you enable that option?
Not sure what is up with the startcom ocsp server, or if perhaps my command line test was somehow incorrect. I did try it against another server (github.com) and the result for that _was_ verified ok.
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
I have that option unset by default in firefox, it seems. Did you enable that option?
Yes, I enabled that option; it is not the default. The reason I enabled it was the problems with a Certificate Authority issuing fraudulent certificates that were in the news lately.
Last edited by rwd (2011-04-20 06:34:49)
Yeah. Having ocsp enabled by default (which firefox does, as well as chrome I think) is indeed good.
I never actually noticed that other option that you set but that isn't the default, until I went poking around today.
I wonder if the startcom response that isn't verified (yet says the cert is ok) is what is causing you the problem then.
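The openssl check cactus calls "very arcane", written out as an added example (my script, not code from the thread, Firefox or Arch): it fetches a site's chain, queries the OCSP URI from the leaf certificate, and reports the "good but not verified" case from the later post separately from a fully verified "good", since the thread suspects that is what the "treat failed OCSP as invalid" option turns into the error. It assumes openssl on PATH, a CA bundle at /etc/ssl/certs/ca-certificates.crt (override with CA_BUNDLE), and that the server sends its intermediate as the second certificate.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce cactus's "manual test" of a
# site's OCSP responder with openssl and classify the answer as Firefox's
# "treat failed OCSP as invalid" option would. Assumes openssl on PATH and a
# CA bundle at /etc/ssl/certs/ca-certificates.crt (override via CA_BUNDLE).

# Read raw `openssl ocsp` output on stdin and print one verdict:
# GOOD_VERIFIED, GOOD_UNVERIFIED (the "good but not verified" answer cactus
# saw from StartCom), REVOKED or UNKNOWN. Only GOOD_VERIFIED should pass.
classify_ocsp() {
    out=$(cat)
    verified=no
    printf '%s\n' "$out" | grep -q 'Response verify OK' && verified=yes
    case "$out" in
        *': good'*)    status=good ;;
        *': revoked'*) status=revoked ;;
        *)             status=unknown ;;   # error, no answer, or garbage
    esac
    if [ "$status" != good ]; then
        echo "$status" | tr '[:lower:]' '[:upper:]'
    elif [ "$verified" = yes ]; then
        echo GOOD_VERIFIED
    else
        echo GOOD_UNVERIFIED
    fi
}

# Fetch the served chain for a host, query the OCSP URI named in the leaf
# certificate, and classify the response. Assumes the server sends its
# intermediate as the second certificate in the chain.
ocsp_check() {
    host=$1
    dir=$(mktemp -d)
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk -v d="$dir" '/BEGIN CERT/{n++} n{print > (d "/cert" n ".pem")}'
    leaf="$dir/cert1.pem"; issuer="$dir/cert2.pem"
    uri=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
    if [ -z "$uri" ]; then echo NO_OCSP_URI; rm -rf "$dir"; return; fi
    # Trust store = system roots + served chain, so a responder that signs
    # with a delegated certificate can still chain up to a trusted root.
    cat "${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}" "$dir"/cert*.pem \
        >"$dir/trust.pem"
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$uri" \
        -CAfile "$dir/trust.pem" 2>&1 | classify_ocsp
    rm -rf "$dir"
}

if [ $# -gt 0 ]; then ocsp_check "$1"; fi   # e.g. sh ocsp_check.sh bbs.archlinux.org
```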