Bug 678610 (Closed)
Opened 13 years ago
Closed 9 years ago
If SSL connections fail because of OCSP, show more details about the cause of the failure
Categories: Core :: Security: PSM, defect
Status: RESOLVED WORKSFORME
People: Reporter: KaiE, Unassigned
References: Depends on 1 open bug
Attachments (1 file): patch (deleted)
I've been running with "strict OCSP" for quite a while, and I've also enabled "NSS' libPKIX verification engine", which will perform additional OCSP checks (e.g. checking intermediate CA certificates).
I run into OCSP related failures several times a day.
The experience is frustrating and, in my opinion, is not yet ready for end users, because:
- I often get (temporary) OCSP server failures
- sometimes OCSP server failures are remembered as "revoked", even though it's (probably) just an OCSP server connectivity issue
- sometimes the NSS libpkix engine reports errors as "revoked", but it works after I restart the browser (thereby flushing our OCSP cache)
- it's impossible to distinguish OCSP server failures from cert revocation
- it's impossible to know which OCSP server is causing the problems
Debugging/analysis is difficult, because we don't report any details about OCSP failures.
I sometimes have to guess. Sometimes I have to do painful tracing of the libPKIX library.
In order to resolve this, we should at least dump more details into the error console.
I am currently exploring whether the CERTVerifyLog contains sufficient information, and if so, how to convert it into a summary for error messages.
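The report's core complaint is that a responder outage and a genuine revocation surface as the same failure, and that an outage can even be remembered as "revoked". The following Python example is added here and is not Firefox, PSM or NSS code; it shows the classification a diagnostic layer would perform on a DER OCSPResponse (RFC 6960): it separates responder-status failures from the per-certificate status inside a successful BasicOCSPResponse, names the responder in every message, and flags which outcomes are safe to cache. The responder URL, the sample response bytes and all helper names are constructed for the example; the samples are unsigned, and a real verifier must check the response signature before trusting a "good" or "revoked" answer.

```python
"""Classify a DER OCSPResponse for diagnostics (added example, not NSS/PSM code).
Samples are constructed and unsigned; signature verification is out of scope."""
from dataclasses import dataclass

# OCSPResponseStatus values (RFC 6960 4.2.1); value 4 is not used
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
ID_PKIX_OCSP_BASIC = b"\x2b\x06\x01\x05\x05\x07\x30\x01\x01"   # 1.3.6.1.5.5.7.48.1.1


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """Encode one DER tag-length-value element (single-byte tags suffice for OCSP)."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Decode one element at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def children(body):
    """All elements directly inside a constructed element's value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


@dataclass
class Verdict:
    kind: str        # good | revoked | unknown | responder_failure | malformed
    detail: str      # one line suitable for an error console
    cacheable: bool  # only definitive answers should be remembered


def classify_ocsp_response(der: bytes, responder_url: str) -> Verdict:
    """Map raw response bytes to a verdict that always names the responder."""
    try:
        tag, body, _ = read_tlv(der)
        if tag != 0x30:
            raise ValueError("OCSPResponse is not a SEQUENCE")
        parts = children(body)
        st_tag, st_val = parts[0]
        if st_tag != 0x0A or len(st_val) != 1:
            raise ValueError("missing responseStatus")
        if st_val[0] != 0:                 # responder/transport problem, not a revocation
            name = RESPONSE_STATUS.get(st_val[0], f"status {st_val[0]}")
            return Verdict("responder_failure",
                           f"{responder_url} answered {name}; responder problem, not a revocation", False)
        rb_tag, rb_val = parts[1]          # responseBytes [0] EXPLICIT SEQUENCE { OID, OCTET STRING }
        if rb_tag != 0xA0:
            raise ValueError("successful status without responseBytes")
        _, rb_seq, _ = read_tlv(rb_val)
        (_, oid), (_, basic_der) = children(rb_seq)
        if oid != ID_PKIX_OCSP_BASIC:
            raise ValueError("unsupported responseType")
        _, basic, _ = read_tlv(basic_der)  # BasicOCSPResponse: tbsResponseData, sigAlg, signature, certs?
        tbs = children(children(basic)[0][1])
        responses = next(v for t, v in tbs if t == 0x30)   # the SEQUENCE OF SingleResponse
        for _, single in children(responses):
            cs_tag, cs_val = children(single)[1]           # certStatus follows certID
            if cs_tag == 0x80:                             # [0] IMPLICIT NULL: good
                return Verdict("good", f"{responder_url}: certificate status good", True)
            if cs_tag == 0xA1:                             # [1] IMPLICIT RevokedInfo
                when = children(cs_val)[0][1].decode("ascii")
                return Verdict("revoked", f"{responder_url}: certificate revoked at {when}", True)
            if cs_tag == 0x82:                             # [2] IMPLICIT NULL: unknown
                return Verdict("unknown", f"{responder_url}: responder does not know this certificate", False)
            raise ValueError(f"bad certStatus tag 0x{cs_tag:02x}")
        raise ValueError("no SingleResponse")
    except (IndexError, ValueError, StopIteration, UnicodeDecodeError) as exc:
        return Verdict("malformed", f"{responder_url}: unparseable OCSP response ({exc})", False)


def _gen_time(s):
    return tlv(0x18, s.encode("ascii"))


def build_error_response(status: int) -> bytes:
    """Constructed sample: OCSPResponse carrying only a non-zero responseStatus."""
    return tlv(0x30, tlv(0x0A, bytes([status])))


def build_basic_response(cert_status: bytes) -> bytes:
    """Constructed, unsigned sample of a successful response with one SingleResponse;
    hashes, key id and signature bits are placeholders."""
    sha1 = tlv(0x30, tlv(0x06, b"\x2b\x0e\x03\x02\x1a") + tlv(0x05, b""))
    cert_id = tlv(0x30, sha1 + tlv(0x04, b"\x00" * 20) + tlv(0x04, b"\x00" * 20) + tlv(0x02, b"\x01"))
    single = tlv(0x30, cert_id + cert_status + _gen_time("20240101000000Z"))
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x11" * 20)) + _gen_time("20240101000000Z") + tlv(0x30, single))
    sig_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    basic = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))
    rb = tlv(0x30, tlv(0x06, ID_PKIX_OCSP_BASIC) + tlv(0x04, basic))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, rb))


CERT_GOOD, CERT_UNKNOWN = tlv(0x80, b""), tlv(0x82, b"")


def cert_revoked(when: str) -> bytes:
    return tlv(0xA1, _gen_time(when))


if __name__ == "__main__":
    url = "http://ocsp.example.test/"     # placeholder responder URL
    samples = {"tryLater": build_error_response(3), "unauthorized": build_error_response(6),
               "good": build_basic_response(CERT_GOOD),
               "revoked": build_basic_response(cert_revoked("20231201000000Z")),
               "unknown": build_basic_response(CERT_UNKNOWN), "garbage": b"\x30\x00"}
    for name, der in samples.items():
        v = classify_ocsp_response(der, url)
        print(f"{name:12} -> {v.kind:17} cache={v.cacheable}  {v.detail}")
```

The `cacheable` flag is the point the report makes about cached failures: a `tryLater`, `unauthorized` or unparseable reply is something to retry or report, never to store alongside a definitive `revoked` answer, and the `detail` string carries the responder URL so the operator can tell which server is misbehaving.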
Comment 1 • 13 years ago (Reporter)
This patch is a first attempt to display details of verification failures in the error console.
I think the error codes reported by mozilla::pkix / certverifier are a bit more clear now. Feel free to reopen if they need further improvement.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME