Closed
Bug 1683547
Opened 4 years ago
Closed 4 years ago
CRLite reports not-revoked certificate as revoked
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
DUPLICATE
of bug 1683525
People
(Reporter: kristian, Unassigned)
Details
Hi
Visiting https://www.hetzner.com/ from Firefox Nightly fails with SEC_ERROR_REVOKED_CERTIFICATE. Neither sslabs.com nor crt.sh reports the certificate as revoked.
Changing security.pki.crlite_mode from 2 to 0 makes it possible to visit the site.
Log (certverifier:5):
[Parent 486636: Main Thread]: I/Logger Flushing old log files
[Parent 486636: SSL Cert #14]: D/certverifier Top of VerifyCert
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier OCSPCache::Get(0x7f963f05ef90,"") not in cache
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: CRLite check returned state=1 filter timestamp=1608314852
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: certificate revoked via CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier OCSPCache::Get(0x7f963f05ef90,"") not in cache
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: CRLite check returned state=1 filter timestamp=1608314852
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: certificate revoked via CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier OCSPCache::Get(0x7f963f05ef90,"") not in cache
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: CRLite check returned state=1 filter timestamp=1608314852
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: certificate revoked via CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier OCSPCache::Get(0x7f963f05ef90,"") not in cache
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: CRLite check returned state=1 filter timestamp=1608314852
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: certificate revoked via CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier OCSPCache::Get(0x7f963f05ef90,"") not in cache
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: CRLite check returned state=1 filter timestamp=1608314852
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: certificate revoked via CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier OCSPCache::Get(0x7f963f05ef90,"") not in cache
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: CRLite check returned state=1 filter timestamp=1608314852
[Parent 486636: SSL Cert #14]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: certificate revoked via CRLite
Version:
Name: Firefox
Version: 86.0a1
Build ID: 20201220093524
Distribution ID:
Update Channel: nightly
|
||
Updated•4 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•