Closed Bug 255291 Opened 20 years ago Closed 20 years ago

OCSP validation failure, -5961 due proxies are not used although they should be

Product / Component: Core Graveyard :: Security: UI (defect)
Version: 1.0 Branch; Platform: x86 Linux; Priority: Not set; Severity: normal
Status: RESOLVED DUPLICATE of bug 111384
Reporter: zimon; Assigned: darin.moz

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040210 Firefox/0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040210 Firefox/0.8

I get Error Code -5961 and the sites refuse to work. I use "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)" and Firefox v0.8. I also tried with Firefox 0.9.3 and also with Mozilla 1.7.2. The same bug is still there.

The bug seems to trigger if proxies are used. I use an autoproxy script (autoproxy.pac), which tries to forward most of the connections through a proxy which uses a different TCP port than 80. Outgoing traffic to port 80/tcp is blocked by a firewall. Manual proxy configuration also causes the same problem with OCSP.

When proxies are used and I have OCSP validation enabled, and I try to connect to some HTTPS site, Firefox/Mozilla somehow do not use the proxies I have in settings. Instead it tries to open a direct TCP connection for OCSP, bypassing the proxy, so the firewall reports something like this:

    Aug 11 11:54:42 localhost kernel: IT out rej rest IN= OUT=eth0 SRC=<my_host_ip_here> DST=12.166.243.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4096DF PROTO=TCP SPT=45975 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0

12.166.243.30 is one of Verisign's IP addresses. So autoproxy settings are not used in OCSP? A bug or a feature?

For example, trying with the mentioned settings to connect to the URI <https://swww.canada.etrade.com/login.shtml>, I get this dialog window:

    "Error establishing and excrypted connection to swww.canada.etrade.com. Error Code: -5961"

When [OK] is hit, I get this dialog window:

    "The Document contains no data."

Reproducible: Always

Steps to Reproduce:
1. Set up manual proxy for HTTP and port number to something else bug 80/tcp
2. Block outgoing traffic to port 80/tcp by a firewall and enable logging.
3. Enable OCSP checking in the browser's settings
4. Surf to https://swww.canada.etrade.com/login.shtml

Actual Results:
"Error establishing and excrypted connection to swww.canada.etrade.com. Error Code: -5961"

Expected Results:
The site should work and the HTTPS connection be made? If OCSP is disabled, it works.

This bug is somewhat related to bug 130885 and I first tried to report this bug there in the comments. http://bugzilla.mozilla.org/show_bug.cgi?id=130885

Example file:///tmp/autoproxy.pac file:

    function FindProxyForURL(url, host) {
        return "PROXY proxyIPaddressHere:8081";
    }

Example iptables commands to block and log outgoing traffic to 80/tcp:

    iptables -I OUTPUT -j REJECT -p tcp --dport 80
    iptables -I OUTPUT -j LOG -p tcp --dport 80 --log-prefix "IT out rej tcp80 "
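One way to spot this condition from the firewall side, as an added example that is not part of the bug report: a small parser for netfilter LOG lines of the kind quoted above, which flags new outbound connections (SYN without ACK) to port 80 that do not go to the configured proxy. The sample log lines, the client 192.0.2.10, the proxy 198.51.100.7:8081 and the responder 203.0.113.30 are constructed for the example.

```python
import re

# Constructed sample lines in the netfilter LOG format quoted in the report.
# 192.0.2.10 is the client, 198.51.100.7:8081 the configured proxy and
# 203.0.113.30 stands in for an OCSP responder; none of these are real hosts.
SAMPLE_LOG = """\
Aug 11 11:54:42 localhost kernel: IT out rej tcp80 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4096 DF PROTO=TCP SPT=45975 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Aug 11 11:54:43 localhost kernel: IT out rej tcp80 IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4097 DF PROTO=TCP SPT=45976 DPT=8081 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 11 11:54:44 localhost kernel: IT out rej tcp80 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.30 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4098 DF PROTO=TCP SPT=45975 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Aug 11 11:54:45 localhost kernel: IT out rej tcp80 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4099 PROTO=UDP SPT=33000 DPT=53 LEN=40
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one LOG line plus the set of TCP flag tokens."""
    fields = dict(FIELD.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def find_proxy_bypass(log_text, proxy_host, proxy_port, watched_ports=(80,)):
    """List outbound connection attempts that should have gone via the proxy.

    A new TCP connection is a SYN without ACK. Anything addressed to the proxy
    itself is fine; a SYN straight to a watched port (80 here) is the bypass the
    report describes, since plain-HTTP traffic such as OCSP should be proxied.
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if f.get("PROTO") != "TCP":
            continue
        if "SYN" not in f["FLAGS"] or "ACK" in f["FLAGS"]:
            continue  # not a new connection attempt
        dst, dport = f.get("DST"), int(f.get("DPT", "0"))
        if (dst, dport) == (proxy_host, proxy_port):
            continue  # routed through the proxy as configured
        if dport in watched_ports:
            findings.append({"src": f.get("SRC"), "sport": int(f.get("SPT", "0")),
                             "dst": dst, "dport": dport})
    return findings


if __name__ == "__main__":
    for hit in find_proxy_bypass(SAMPLE_LOG, "198.51.100.7", 8081):
        print("direct connection bypassing proxy:", hit)
```

With the sample above only the first line is reported: the second is the proxy connection itself, the third is a later ACK on the same flow rather than a new attempt, and the fourth is UDP.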
This line: "Steps to Reproduce: 1. Set up manual proxy for HTTP and port number to something else bug 80/tcp" should be... "Steps to Reproduce: 1. Set up manual proxy for HTTP and HTTPS and port number to something else but 80/tcp"
Crypto bugs are not Browser bugs. Use the PSM or NSS products when filing crypto bugs. Anyway, this is a known limitation. OCSP and proxies do not mix. *** This bug has been marked as a duplicate of 111384 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Component: Networking: HTTP → Client Library
Product: Browser → PSM
Resolution: --- → DUPLICATE
Version: Trunk → 2.4
Well, the OCSP traffic seems to be just HTTP/1.0 traffic, not HTTPS (I looked through it with ethereal), so I thought this is just a proxy bug because the proxy is forgotten in this situation. And Bugzilla suggested that problems with proxies should go under Browser + HTTP bugs. Well, ok, PSM in this situation just uses HTTP instead of HTTPS to complete the job. The browser sends "POST / HTTP/1.0" with all the usual HTTP headers to the OCSP site (ocsp.verisign.com) and the server sends "HTTP/1.0 200 OK" after the HTTP request. Then the TCP connection is closed. Quickly looking, I don't see any reason not to use the proxy. But yes, I see it is a bug in OCSP if they don't define in the RFC how proxies could or MAY be used.
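To make the point of the previous comment concrete, here is an added example (not Mozilla, PSM or NSS code) of what the OCSP request looks like in the two cases: the PAC result string is parsed into routes, and the HTTP/1.0 POST is built either direct to the responder, with only the path in the request line, or through the proxy, with the absolute URI in the request line as an HTTP proxy expects. Because the responder URL is plain http://, it is the HTTP proxy setting (or the PAC result for that URL) that has to cover it. The responder ocsp.example.net, the proxy 198.51.100.7:8081 and the DER bytes are constructed placeholders, not a real OCSP request.

```python
from urllib.parse import urlsplit


def parse_pac_result(result):
    """Turn a FindProxyForURL result such as 'PROXY 198.51.100.7:8081; DIRECT'
    into an ordered list of routes: ('PROXY', host, port) or ('DIRECT', None, None)."""
    routes = []
    for entry in result.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        kind, _, hostport = entry.partition(" ")
        kind = kind.upper()
        if kind == "DIRECT":
            routes.append(("DIRECT", None, None))
        elif kind == "PROXY":
            host, _, port = hostport.strip().rpartition(":")
            routes.append(("PROXY", host, int(port)))
        else:
            raise ValueError("unsupported PAC route: " + entry)
    return routes


def build_ocsp_post(responder_url, der_request, route):
    """Return (address to connect to, raw HTTP/1.0 request) for an OCSP POST.

    OCSP over HTTP is plain http://, so the HTTP proxy setting is the one that
    applies. Through a proxy the request line carries the absolute URI; direct
    to the responder it carries only the path.
    """
    u = urlsplit(responder_url)
    if u.scheme != "http":
        raise ValueError("OCSP responders are reached over plain HTTP")
    path = u.path or "/"
    if route[0] == "DIRECT":
        connect_to = (u.hostname, u.port or 80)
        target = path
    else:
        connect_to = (route[1], route[2])
        target = "http://" + u.netloc + path
    head = "\r\n".join([
        "POST %s HTTP/1.0" % target,
        "Host: " + u.netloc,
        "Content-Type: application/ocsp-request",
        "Content-Length: %d" % len(der_request),
        "Connection: close",
    ])
    return connect_to, head.encode("ascii") + b"\r\n\r\n" + der_request


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real DER-encoded OCSPRequest.
    fake_request = b"\x30\x03\x02\x01\x00"
    for route in parse_pac_result("PROXY 198.51.100.7:8081; DIRECT"):
        addr, raw = build_ocsp_post("http://ocsp.example.net/", fake_request, route)
        print(route[0], "-> connect to", addr)
        print(raw.decode("latin-1"))
```

The direct form is the "POST / HTTP/1.0" the comment saw on the wire; the proxied form connects to the proxy address instead and names the responder in the request line, which is all a plain HTTP proxy needs to forward it.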
QA Contact: core.networking.http → kaie
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard