From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: patchwork.ipfire.org does not supply OCSP information
Date: Sun, 13 Oct 2019 18:20:44 +0200
Message-ID: <0afa8fc0-7008-03b3-633f-4d6eb9891e06@ipfire.org>
In-Reply-To: <3B51BF34-80AE-42D4-BE77-254C917E21B6@ipfire.org>

On 13.10.2019 18:01, Michael Tremer wrote:
> It is fixed again.

Yes, it's fixed - tested and confirmed. Thanks again! ;-)

>> On 13 Oct 2019, at 12:17, Matthias Fischer wrote:
>>
>> On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
>>> Hello Matthias,
>>
>> Hi Peter,
>>
>>> thanks for noticing this.
>>
>> No problem - should I open a "Bugzilla" for this?
>
> Yes, you can do that if you want to in the Infrastructure section.
>
>>
>> Best,
>> Matthias
>>
>>> This happens if a server presents a certificate with the "OCSP must stapling"
>>> flag set, but does not supply valid OCSP information at the same time. Since
>>> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
>>> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
>>> to be a better option.
>>>
>>> As far as I am concerned, we have this flag set on all of our certificates
>>> except for mail01, as mail servers usually do not support OCSP.
>>>
>>> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
>>> in several browsers and from several countries. Forum, Wiki, et al. seem to
>>> work fine. This looks like a server configuration issue, the certificates
>>> issued by Let's Encrypt are fine.
>>>
>>> @Michael: Could you have a look at this?
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>>
>>>
>>>> Hi,
>>>>
>>>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>>>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>>>
>>>> ***SNIP***
>>>> Secure Connection Failed
>>>>
>>>> An error occurred during a connection to patchwork.ipfire.org. A
>>>> required TLS feature is missing. Error code:
>>>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>>
>>>> The page you are trying to view cannot be shown because the
>>>> authenticity of the received data could not be verified.
>>>> Please contact the website owners to inform them of this problem.
>>>> ***SNAP***
>>>>
>>>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>>>> "false" temporarily fixes this, but could it be that there is a problem
>>>> with the "Let's Encrypt" certificate!?
>>>>
>>>> Can anyone confirm?
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>> P.S.: Possible solution (German!)
>>>> =>
>>>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
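The check behind the error reported in this thread, as an added example that is not part of the thread or of the IPFire infrastructure: a small POSIX shell script that asks a server for a stapled OCSP response with `openssl s_client -status`, decodes the leaf certificate with `openssl x509 -text`, and classifies the result the way a must-staple-aware browser does. `classify_staple`, `probe_staple` and the sample outputs are this example's own names and constructed data; it assumes a current OpenSSL whose text output uses the `TLS Feature:` / `status_request` and `OCSP Response Status:` wording.

```shell
#!/bin/sh
# Added example, not code from the IPFire thread or project. A certificate that
# carries the TLS Feature extension (status_request, "must staple") obliges the
# server to staple a valid OCSP response into the TLS handshake. If the server
# does not, Firefox refuses the connection with
# MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING; a certificate without the
# extension makes the browser fall back to its own (or no) OCSP lookup instead.
#
# classify_staple reads, on stdin, the combined text of
#   openssl s_client -status   (reports whether an OCSP response was stapled)
#   openssl x509 -noout -text  (reports whether the leaf has "TLS Feature: status_request")
# and prints exactly one verdict:
#   must-staple-ok       extension set and a stapled, successful OCSP response present
#   must-staple-missing  extension set but nothing stapled (the thread's symptom)
#   no-must-staple       certificate does not require stapling
# It returns 1 only for must-staple-missing so it can gate a monitoring job.
classify_staple() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -q 'TLS Feature:' \
       && printf '%s\n' "$input" | grep -q 'status_request'; then
        if printf '%s\n' "$input" | grep -q 'OCSP Response Status: successful'; then
            echo must-staple-ok
            return 0
        fi
        echo must-staple-missing
        return 1
    fi
    echo no-must-staple
    return 0
}

# Live probe (needs network; the offline samples below do not call it).
# s_client prints the leaf certificate in PEM, which x509 reads back to show
# the extensions; both outputs are fed to classify_staple.
probe_staple() {
    host=$1
    port=${2:-443}
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
    cert=$(printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null)
    printf '%s\n%s\n' "$out" "$cert" | classify_staple
}

# Constructed samples, trimmed to the lines classify_staple looks at
# (real s_client and x509 output is much longer).
SAMPLE_MISSING='OCSP response: no response sent
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            TLS Feature:
                status_request'

SAMPLE_OK='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
            TLS Feature:
                status_request'

SAMPLE_NO_FLAG='OCSP response: no response sent
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

# Usage: sh check_staple.sh HOST [PORT] probes a live server;
# with no arguments the constructed samples are classified instead.
if [ "$#" -gt 0 ]; then
    probe_staple "$1" "${2:-443}"
else
    printf 'must-staple, nothing stapled : %s\n' "$(printf '%s\n' "$SAMPLE_MISSING" | classify_staple)"
    printf 'must-staple, stapled         : %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_staple)"
    printf 'no must-staple flag          : %s\n' "$(printf '%s\n' "$SAMPLE_NO_FLAG" | classify_staple)"
fi
```

The verdict `must-staple-missing` is the server-side condition Peter describes: the flag is in the certificate, so the certificate itself is fine, but the web server is not delivering the stapled response. On nginx the stapling side is controlled by `ssl_stapling on;` and `ssl_stapling_verify on;` together with `ssl_trusted_certificate` and a `resolver` directive, which is the subject of the kuketz-blog article linked in the original post; the thread does not record what was changed on patchwork to fix it.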