From: peter.mueller@ipfire.org
To: development@lists.ipfire.org
Subject: patchwork.ipfire.org does not supply OCSP information (was: Re: patchwork.ipfire.org => Error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING)
Date: Sun, 13 Oct 2019 09:31:00 +0000
Message-ID: <3db13698-1383-6eb4-040c-cce9a47ce0c4@ipfire.org>
In-Reply-To: <59daa934-17fd-86fd-6533-dd0008ea4ca5@ipfire.org>

Hello Matthias,

thanks for noticing this.

This happens if a server presents a certificate with the "OCSP must-staple" flag set, but does not supply valid OCSP information at the same time. Since OCSP has some major disadvantages if used by clients (DoS vs. fail-open behaviour, privacy issues, etc.), "OCSP must-staple" is generally considered to be a better option.

As far as I am concerned, we have this flag set on all of our certificates except for mail01, as mail servers usually do not support OCSP.

I can confirm visiting https://patchwork.ipfire.org/ shows the same error, in several browsers and from several countries. Forum, Wiki, et al. seem to work fine.

This looks like a server configuration issue; the certificates issued by Let's Encrypt are fine.

@Michael: Could you have a look at this?

Thanks, and best regards,
Peter Müller

> Hi,
>
> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
> several times doesn't help. Firefox 69.0.3 keeps telling me:
>
> ***SNIP***
> Secure Connection Failed
>
> An error occurred during a connection to patchwork.ipfire.org. A
> required TLS feature is missing. Error code:
> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>
> The page you are trying to view cannot be shown because the
> authenticity of the received data could not be verified.
> Please contact the website owners to inform them of this problem.
> ***SNAP***
>
> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
> "false" temporarily fixes this, but could it be that there is a problem
> with the "Let's Encrypt" certificate!?
>
> Can anyone confirm?
>
> Best,
> Matthias
>
> P.S.: Possible solution (German!)
> =>
> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
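The two conditions Peter describes (certificate carries the must-staple flag; server sends no stapled OCSP response) can each be checked from the command line with openssl. The script below is an added example written for this archive page, not code from the IPFire project or from either poster. It assumes an OpenSSL 1.1.0 or later binary (needed for the `tlsfeature` extension and the `-status` flag); the hostname `example.invalid`, the helper names and the self-signed test certificates it generates are constructed for the offline check and are not IPFire's certificates.

```shell
#!/bin/sh
# Added example: detect "OCSP must-staple" on a certificate and check
# whether a live TLS server actually staples an OCSP response.
# Not part of the IPFire thread; assumes openssl >= 1.1.0 is installed.
set -eu

# has_must_staple CERT.pem
# Exit 0 if the certificate carries the TLS Feature extension
# (RFC 7633, OID 1.3.6.1.5.5.7.1.24) requesting status_request.
# openssl renders it as "X509v3 TLS Feature: status_request".
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'status_request'
}

# server_staples HOST [PORT]
# Exit 0 if the server staples a successful OCSP response in the
# handshake. Needs network access, so it is not exercised by the
# offline test; a non-stapling server prints "OCSP response: no
# response sent" instead, which is exactly the combination that
# makes Firefox raise MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
# when has_must_staple is also true for its certificate.
server_staples() {
    printf '' | openssl s_client -connect "$1:${2:-443}" \
        -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# make_test_cert OUT.pem MUST_STAPLE(0|1)
# Generate a throwaway self-signed certificate, optionally with the
# must-staple extension, so has_must_staple can be tested offline.
# Constructed test data only (CN=example.invalid, 1-day validity).
make_test_cert() {
    out=$1
    staple=$2
    cfg=$(mktemp)
    {
        echo '[req]'
        echo 'distinguished_name = dn'
        echo 'x509_extensions = ext'
        echo 'prompt = no'
        echo '[dn]'
        echo 'CN = example.invalid'
        echo '[ext]'
        echo 'basicConstraints = CA:FALSE'
        if [ "$staple" -eq 1 ]; then
            echo 'tlsfeature = status_request'
        fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$out" -days 1 -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg"
}

# check_site HOST: the combined diagnosis for one server (needs network).
check_site() {
    host=$1
    tmp=$(mktemp)
    printf '' | openssl s_client -connect "$host:443" -servername "$host" \
        2>/dev/null | openssl x509 > "$tmp" 2>/dev/null || true
    if has_must_staple "$tmp"; then
        if server_staples "$host"; then
            echo "$host: must-staple set and server staples: OK"
        else
            echo "$host: must-staple set but NO stapled response: browsers will fail"
        fi
    else
        echo "$host: certificate has no must-staple flag"
    fi
    rm -f "$tmp"
}
```

Run `check_site patchwork.ipfire.org` to reproduce the diagnosis from a shell rather than a browser. The fix belongs on the server side: either enable stapling in the web server (for nginx this is the `ssl_stapling`, `ssl_stapling_verify` and `resolver` set of directives, with a reachable DNS resolver so the OCSP fetch does not time out) or stop requesting the extension at issuance time. Disabling `security.ssl.enable_ocsp_must_staple` in Firefox, as in the quoted mail, only hides the problem for one client.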