From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: patchwork.ipfire.org does not supply OCSP information
Date: Sun, 13 Oct 2019 13:17:04 +0200 [thread overview]
Message-ID: <40c98aed-9b80-8879-709e-29c8f2e65c23@ipfire.org> (raw)
In-Reply-To: <3db13698-1383-6eb4-040c-cce9a47ce0c4@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2065 bytes --]
On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
> Hello Matthias,
Hi Peter,
> thanks for noticing this.
No problem - should I open a "Bugzilla" for this?
Best,
Matthias
> This happens if a server presents a certificate with the "OCSP must stapling"
> flag set, but does not supply valid OCSP information at the same time. Since
> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
> to be a better option.
>
> As far as I am concerned, we have those flag set on all of our certificates
> except for mail01, as mail server usually do not support OCSP.
>
> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
> in several browsers and from several countries. Forum, Wiki, et al. seem to
> work fine. This looks like a server configuration issue, the certificates
> issued by Let's Encrypt are fine.
>
> @Michael: Could you have a look at this?
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hi,
>>
>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>
>> ***SNIP***
>> Secure Connection Failed
>>
>> An error occurred during a connection to patchwork.ipfire.org. A
>> required TLS feature is missing. Error code:
>> MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>
>> The page you are trying to view cannot be shown because the
>> authenticity of the received data could not be verified.
>> Please contact the website owners to inform them of this problem.
>> ***SNAP***
>>
>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>> "false" temporarily fixes this, but could it be that there is a problem
>> with the "Let's Encrypt" certificate!?
>>
>> Can anyone confirm?
>>
>> Best,
>> Matthias
>>
>> P.S.: Possible solution (german!)
>> =>
>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>>
>
next prev parent reply other threads:[~2019-10-13 11:17 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-12 23:25 patchwork.ipfire.org => Error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING Matthias Fischer
2019-10-13 9:31 ` patchwork.ipfire.org does not supply OCSP information (was: Re: patchwork.ipfire.org => Error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING) peter.mueller
2019-10-13 11:17 ` Matthias Fischer [this message]
2019-10-13 16:01 ` patchwork.ipfire.org does not supply OCSP information Michael Tremer
2019-10-13 16:20 ` Matthias Fischer
2019-10-13 13:05 ` patchwork.ipfire.org => Error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING Michael Tremer
2019-10-13 15:58 ` Matthias Fischer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40c98aed-9b80-8879-709e-29c8f2e65c23@ipfire.org \
--to=matthias.fischer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox