From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: patchwork.ipfire.org does not supply OCSP information
Date: Sun, 13 Oct 2019 13:17:04 +0200
Message-ID: <40c98aed-9b80-8879-709e-29c8f2e65c23@ipfire.org>
In-Reply-To: <3db13698-1383-6eb4-040c-cce9a47ce0c4@ipfire.org>

On 13.10.2019 11:31, peter.mueller(a)ipfire.org wrote:
> Hello Matthias,

Hi Peter,

> thanks for noticing this.

No problem - should I open a "Bugzilla" for this?

Best,
Matthias

> This happens if a server presents a certificate with the "OCSP must stapling"
> flag set, but does not supply valid OCSP information at the same time. Since
> OCSP has some major disadvantages if used by clients (DoS vs. fail-open
> behaviour, privacy issues, etc.), "OCSP must stapling" is generally considered
> to be a better option.
>
> As far as I am concerned, we have this flag set on all of our certificates
> except for mail01, as mail servers usually do not support OCSP.
>
> I can confirm visiting https://patchwork.ipfire.org/ shows the same error,
> in several browsers and from several countries. Forum, Wiki, et al. seem to
> work fine. This looks like a server configuration issue, the certificates
> issued by Let's Encrypt are fine.
>
> @Michael: Could you have a look at this?
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hi,
>>
>> today, suddenly patchwork.ipfire.org stopped working. Reloading the page
>> several times doesn't help. Firefox 69.0.3 keeps telling me:
>>
>> ***SNIP***
>> Secure Connection Failed
>>
>> An error occurred during a connection to patchwork.ipfire.org. A
>> required TLS feature is missing.
>> Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
>>
>> The page you are trying to view cannot be shown because the
>> authenticity of the received data could not be verified.
>> Please contact the website owners to inform them of this problem.
>> ***SNAP***
>>
>> Setting "security.ssl.enable_ocsp_must_staple" in about:config to
>> "false" temporarily fixes this, but could it be that there is a problem
>> with the "Let's Encrypt" certificate!?
>>
>> Can anyone confirm?
>>
>> Best,
>> Matthias
>>
>> P.S.: Possible solution (German!)
>> =>
>> https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/
>>
>
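As an added example that is not part of this thread: a small POSIX shell check for the failure Peter describes, a certificate that requests OCSP stapling via the TLS Feature extension while the server's handshake carries no staple. It assumes the openssl command-line tool is installed (1.1.1 or newer for -addext); check_host needs network access, while make_demo_cert builds a constructed self-signed certificate so the extension check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: detect a certificate that carries the
# "must staple" TLS Feature extension while the server's handshake returns no
# OCSP staple. Assumes the openssl CLI (1.1.1 or newer for -addext).

# has_must_staple CERT_PEM: succeeds if the certificate requests status_request
# via the TLS Feature extension (RFC 7633), i.e. OCSP must-staple is set.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'status_request'
}

# server_staples HOST: succeeds if HOST:443 sent a successful OCSP staple.
server_staples() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# check_host HOST: prints ok / no-must-staple / MISCONFIGURED and returns
# non-zero for the browser-breaking combination from the thread.
check_host() {
    tmp=$(mktemp) || return 2
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -out "$tmp" 2>/dev/null || { rm -f "$tmp"; echo unreachable; return 2; }
    if ! has_must_staple "$tmp"; then
        rm -f "$tmp"; echo no-must-staple; return 0
    fi
    rm -f "$tmp"
    if server_staples "$1"; then echo ok; return 0; fi
    echo "MISCONFIGURED: must-staple set but no OCSP staple; browsers fail closed"
    return 1
}

# make_demo_cert OUT_PEM MUST_STAPLE(0|1): self-signed test certificate,
# constructed here only so has_must_staple can be exercised offline.
make_demo_cert() {
    ext=''
    [ "$2" = 1 ] && ext='-addext tlsfeature=status_request'
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 \
        -subj '/CN=must-staple-demo' $ext 2>/dev/null
}

# usage: sh check_staple.sh patchwork.ipfire.org
if [ $# -eq 1 ]; then check_host "$1"; fi
```

The exit status of check_host is 1 only for the must-staple-without-staple case, so it can be dropped into a monitoring job for every host that has the flag set.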