Closed
Bug 1316342
Opened 8 years ago
Closed 8 years ago
SEC_ERROR_REVOKED_CERTIFICATE hides details required to debug the problem
Categories: Core :: Security: PSM, enhancement
Status: RESOLVED DUPLICATE of bug 943937
Reporter: grin, Unassigned
Nightly started to dislike several certs after update, and let's not play naïve here: they're from StartCom. However, one problem is that they still ought to work. An even bigger problem is that the dialog is criminally silent about the actual problem:
Secure Connection Failed
An error occurred during a connection to ugyfelkapu.tarr.hu. Peer’s Certificate has been Revoked. Error code: SEC_ERROR_REVOKED_CERTIFICATE
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Learn more…
Try Again
1) "Peer’s Certificate" - which one? The host cert, the intermediate or maybe the root? No CN, no serial.
2) It is not possible at that point to actually see what certificate (chain) the site has sent, since at that point the page (dialog) is considered not secure (no certs).
3) There is no information about the specific source of the revocation. Was it OCSP, and if yes, was it cached or retrieved from where? Or was it the super-secret no-information OneCRL*, and how and why and...?
4) "Learn more" link contains no related information whatsoever; advanced info button doesn't exist, none of the referenced links are relevant (I have clicked them through).
5) Try again button is lovely. ;-)
https://www.ssllabs.com/ssltest/analyze.html?d=ugyfelkapu.tarr.hu
=> Revocation status Good (not revoked)
=> Trusted Yes
That's just an example, several sites observe the same problem.
* as for OneCRL: several blog entries and wiki pages telling me how great it is, how groundbreaking it is, and since sliced bread is ... you got the point. But absolutely zero information was found by _extensive_ searching about:
** how to check a cert against OneCRL
** how to check the source and background of any OneCRL revocation (if I suspect one)
** how to use it if I am not Mozilla, or if I am not supposed to, this fact being mentioned
Severity: major → enhancement
Status: UNCONFIRMED → NEW
Component: Untriaged → Security: PSM
Depends on: 1311995
Ever confirmed: true
OS: Linux → All
Product: Firefox → Core
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 2•8 years ago
(In reply to Peter Gervai from comment #0)
> * as for OneCRL: several blog entries and wiki pages telling me how great it
> is, how groundbreaking it is, and since sliced bread is ... you got the
> point. But there is absolutely zero information was found by _extensive_
> searching about:
> ** how to check a cert against OneCRL
> ** how to check the source and background of any OneCRL revocation (if I
> suspecting one)
> ** how to use it if I am not Mozilla, or if I am not supposed to, this fact
> being mentioned
These issues are now at least partly fixed; here is:
https://crt.sh/mozilla-onecrl
which shows what's on it, and information about why.
If you want to download it yourself, the URL is:
https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records
Gerv
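As an added example (not from this bug or from Mozilla's code), here is how a client can answer the reporter's question "how to check a cert against OneCRL" with the records Gerv links to: extract the issuer Name and serial from a DER certificate and look the pair up in records shaped like the Kinto collection. It assumes each record's `issuerName` is base64 of the issuer Name DER and `serialNumber` is base64 of the serial INTEGER content; the CA, certificate and record below are constructed, and entries of the `subject`/`pubKeyHash` form are not handled.

```python
import base64

def _der(tag, content):
    """Minimal DER encoder (content < 256 bytes); only used to build the constructed sample."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + content

def _children(buf, pos, end):
    """Yield (tag, whole_tlv, content) for each DER element between pos and end."""
    while pos < end:
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                      # long-form length: next n bytes hold it
            n = length & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        yield tag, buf[pos:pos + hdr + length], buf[pos + hdr:pos + hdr + length]
        pos += hdr + length

def issuer_and_serial(cert_der):
    """Return (issuer Name as raw DER, serialNumber INTEGER content) from an X.509 cert."""
    cert_body = next(_children(cert_der, 0, len(cert_der)))[2]    # Certificate SEQUENCE body
    tbs = next(_children(cert_body, 0, len(cert_body)))[2]        # tbsCertificate body
    fields = list(_children(tbs, 0, len(tbs)))
    if fields[0][0] == 0xA0:                                      # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[0][2]                             # issuer TLV, serial content

def onecrl_match(cert_der, records):
    """Return the enabled OneCRL record listing this cert's (issuerName, serialNumber), else None."""
    issuer, serial = issuer_and_serial(cert_der)
    want = (base64.b64encode(issuer).decode(), base64.b64encode(serial).decode())
    for rec in records:
        if rec.get("enabled", True) and (rec.get("issuerName"), rec.get("serialNumber")) == want:
            return rec
    return None

# Constructed sample data: not a real CA, certificate or OneCRL entry.
SAMPLE_ISSUER = _der(0x30, _der(0x31, _der(0x30,              # Name { RDN { CN=... } }
    b"\x06\x03\x55\x04\x03" + _der(0x0C, b"Example Intermediate CA"))))
SAMPLE_SERIAL = b"\x01\x23\x45\x67"
SAMPLE_RECORDS = [{"issuerName": base64.b64encode(SAMPLE_ISSUER).decode(),   # record shape assumed
                   "serialNumber": base64.b64encode(SAMPLE_SERIAL).decode(), "enabled": True,
                   "details": {"who": "constructed", "why": "constructed example", "bug": "BUG-URL-PLACEHOLDER"}}]

def build_sample_cert(serial):
    """Build a minimal unsigned certificate shell carrying only the fields the parser reads."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                      # version v3
           + _der(0x02, serial)                                 # serialNumber
           + _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")  # sha256WithRSA
           + SAMPLE_ISSUER)                                     # issuer; later TBS fields omitted
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Against the live collection, `records` would be the `data` array fetched from the URL above, and a hit's `details` carries the who/why/bug fields the reporter asked for.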
Reporter
Comment 3•8 years ago
Thanks Gerv.
It would be prudent to type "onecrl" into google, and see whether any of the top results should be updated with this information. (The Wiki page on the top would be my first bet, I don't have an account and I won't unless I open a bug about its email misconfiguration :)).