Some of you may have noticed that I said the sites "stopped working in Mozilla Firefox." That's right. All the sites using the UCC certificate worked flawlessly in both Chrome and Internet Explorer on multiple computers. The sites gave the Secure Connection Failed error only in Mozilla Firefox. I even tried logging into Firefox on a computer in a different state (California) and got the same error. I called my hosting provider and they were also able to duplicate the error, but only on Firefox. They were not sure how to solve the problem. Looking at the error message, it was obvious to me that the Web browser had trouble creating the connection due to an invalid signature in the Online Certificate Status Protocol (OCSP) response. This information was useful for me in troubleshooting the problem and eventually resolving it successfully. While troubleshooting the issue, I learned that a Firefox update in the past had solved this issue. When I ran into this issue, I was on Firefox version 53.0.3, which was the latest version available, so updating my browser wasn't an option.

I found a workaround on the Internet that allowed me to connect to my site every single time on any computer where I made the change in Firefox configuration. I am a security-conscious person who doesn't implement a solution just because it worked for someone on the Internet. I like to understand what I am doing, try to figure out if it has any security implications, back up my configuration, files, plugin, registry, or whatever I am working with, and then carefully implement a solution. If I don't have a clue what I am doing, I don't implement the solution. There are times when I have made exceptions to my rule, depending on the situation and the type of risk I am willing to take.

Here's a workaround that will disable the OCSP Stapling in Firefox. This can be used as a temporary solution to get to the Web site, but it has some consequences that are discussed in the next section. Type about:config in the address bar and press Enter. Double-click the line, which will change the value in the last column from true to false. The default value is false and double-clicking this option toggles between true and false values. As soon as you make the change in Firefox, you will be able to access all the sites that are using the certificate and causing the Secure Connection Failed error in Firefox. Whether that's a good or bad thing is discussed in the next section.

Should You Implement the Above Workaround?

Okay, you made the change and now you can get to the Web site, but was that a smart thing to do? The answer depends on how much you know about Online Certificate Status Protocol (OCSP) and OCSP Stapling. There are some advantages and disadvantages of OCSP Stapling and you have to decide what's best for your environment. There are two main reasons that I decided to avoid disabling the OCSP Stapling. Even though this workaround solved my problem, it wouldn't have solved this problem for everyone else on the Internet who might be visiting my public Web site. Others would have to make the exact same change, so it's not a practical workaround. Because I am aware of the advantages of OCSP Stapling, I think disabling it is a bad idea for privacy and performance reasons. That's why I have been referring to it as a "workaround" rather than a solution. If there is an urgent situation where you need to get back into your site in a hurry, you can use this workaround.

Let's talk about OCSP and OCSP Stapling and then I will talk about the solution for the Secure Connection Failed error. Anyone who works with SSL certificates will find this information useful. In the past, when a client wanted to check the status or validity of an SSL certificate, it used the Certificate Revocation List (CRL). The CRL is a list of serial numbers of certificates that have been revoked. The list is signed by the Certificate Authority (CA) and has to be regularly updated by the CA. Obviously, an outdated list can be a big security risk. The Online Certificate Status Protocol (OCSP) is a newer protocol used to verify the status of an SSL certificate. Unlike OCSP, which responds in real-time, using a CRL is much slower. OCSP is much more efficient because the browser simply asks the CA if a certificate is valid by posting a query, and the server responds to the query by providing the answer. If the certificate has been revoked, the browser finds out in real-time. OCSP Stapling enhances the OCSP protocol by allowing the Web server to query the CA's OCSP responder directly and then cache the response for its clients. The OCSP response is good for hours or days, so this avoids the client's browser creating connections to the CA, which saves time. The response is securely delivered by the server with the TLS/SSL handshake to the Web browser.