Visit http://bankieren.rabobank.nl/klanten/ This website uses an EV-certificate. After upgrading Firefox to version 8 (previous version 7.0.1) the site identity button is blue instead of green. If I enable this preference: advanced => encryption => validation => "When an OCSP server connection fails, treat the certificate as invalid", then I get this error message when visiting the website: sec_error_ocsp_bad_http_response Looking at the HTTP headers, this seems related to the fact that the OCSP request is rejected by our proxy server due to lack of authentication. This does not happen when using Firefox 7.0.1 (not all computers have been upgraded to Firefox 8 yet).

Correction: URL in the first post is wrong. Correct URL is https://bankieren.rabobank.nl/klanten

I cannot load any HTTPS pages after upgrading to Firefox 8.0. I have (and had) OCSP validation enabled, including the "When an OCSP server connection fails, treat the certificate as invalid" option. After upgrading from Firefox 7.0.1 to 8.0, however, all OCSP requests to our MS ISA Server proxy are rejected by this proxy with a message saying authentication (my Active Directory credentials) was not supplied. Chrome and IE7 still successfully load HTTPS pages, either because they provide authentication or do not check the OCSP server (I have certificate validation enabled in the Chrome options, but did not see OCSP traffic using Wireshark.) Here's a sample Wireshark capture of the OCSP traffic to the proxy when trying to connect to Gmail: POST http://ocsp.thawte.com/ HTTP/1.1 Host: ocsp.thawte.com User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en-nz;q=0.9,en;q=0.8,en-us;q=0.7,nl;q=0.6,de-de;q=0.5,de;q=0.4,fr-fr;q=0.3,fr;q=0.2,cs;q=0.1 Accept-Encoding: gzip, deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 DNT: 1 Proxy-Connection: keep-alive Content-Length: 115 Content-Type: application/ocsp-request <<request data removed>> HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. ) Via: 1.1 OURPROXY Proxy-Authenticate: Negotiate Proxy-Authenticate: Kerberos Proxy-Authenticate: NTLM Connection: Keep-Alive Proxy-Connection: Keep-Alive Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 4117 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Error Message</TITLE>

The problem is LOAD_ANONYMOUS doesn't do the correct thing. See http://adblockplus.org/blog/why-you-do-not-want-to-use-the-load_anonymous-flag. There are other bugs filed about the same problem with LOAD_ANONYMOUS, e.g. bug 627616 that require the same solution: Have LOAD_ANONYMOUS skip HTTP authentication and have it avoid sending cookies, but don't have it skip HTTP proxy authentication.

Simply said: LOAD_ANONYMOUS should not affect Proxy-Authorization header, right? It means to change nsHttpChannelAuthProvider::ProcessAuthentication.

Changing the summary because this is more general problem.

Honza, I think we should back out the patch that caused this and nominate it for mozilla-beta and mozilla-aurora and . Then, we can fix the problem more generally. I think it is more complicated than changing the meaning of LOAD_ANONYMOUS for proxies. I.e. I am not sure we can/should change the meaning of LOAD_ANONYMOUS. We should fix the regression before taking more time to figure out exactly what to do long-term.

(In reply to Brian Smith (:bsmith) from comment #8) > Honza, I think we should back out the patch that caused this and nominate it > for mozilla-beta and mozilla-aurora and . Then, we can fix the problem more > generally. I think it is more complicated than changing the meaning of > LOAD_ANONYMOUS for proxies. I.e. I am not sure we can/should change the > meaning of LOAD_ANONYMOUS. We should fix the regression before taking more > time to figure out exactly what to do long-term. What is the regression bug/patch you want to back out?

Honza, here is my WIP. I didn't even try to build it and I am not sure what other things need to be changed. Thanks for taking this bug.

clearing sec-review flag, this likely needs careful testing from QA but we don't see direct action for us

What's the status on this? I just turned mandatory OCSP checking back on in Firefox 9.0.1 and I don't see any problems so far.

The patch that caused this regression was backed out. This bug is for restoring the change in that patch in a way that doesn't cause this regression.

(In reply to bugzilla_moz.20.ibyte from comment #12) > What's the status on this? I just turned mandatory OCSP checking back on in > Firefox 9.0.1 and I don't see any problems so far. Just for ref: Bug 703024.