From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: patchwork.ipfire.org does not supply OCSP information
Date: Sun, 13 Oct 2019 17:01:08 +0100
Message-ID: <3B51BF34-80AE-42D4-BE77-254C917E21B6@ipfire.org>
In-Reply-To: <40c98aed-9b80-8879-709e-29c8f2e65c23@ipfire.org>

It is fixed again.

> On 13 Oct 2019, at 12:17, Matthias Fischer wrote:
>
> On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
>> Hello Matthias,
>
> Hi Peter,
>
>> thanks for noticing this.
>
> No problem - should I open a "Bugzilla" for this?

Yes, you can do that if you want to in the Infrastructure section.

>
> Best,
> Matthias
>
>> This happens if a server presents a certificate with the "OCSP must stapling"
>> flag set, but does not supply valid OCSP information at the same time. Since
>> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
>> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
>> to be a better option.
>>
>> As far as I am concerned, we have this flag set on all of our certificates
>> except for mail01, as mail servers usually do not support OCSP.
>>
>> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
>> in several browsers and from several countries. Forum, Wiki, et al. seem to
>> work fine. This looks like a server configuration issue, the certificates
>> issued by Let's Encrypt are fine.
>>
>> @Michael: Could you have a look at this?
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>
>>> Hi,
>>>
>>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>>
>>> ***SNIP***
>>> Secure Connection Failed
>>>
>>> An error occurred during a connection to patchwork.ipfire.org. A
>>> required TLS feature is missing. Error code:
>>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>>
>>> The page you are trying to view cannot be shown because the
>>> authenticity of the received data could not be verified.
>>> Please contact the website owners to inform them of this problem.
>>> ***SNAP***
>>>
>>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>>> "false" temporarily fixes this, but could it be that there is a problem
>>> with the "Let's Encrypt" certificate!?
>>>
>>> Can anyone confirm?
>>>
>>> Best,
>>> Matthias
>>>
>>> P.S.: Possible solution (German!)
>>> =>
>>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>>>
>>
>