Copernic Reporter Posted September 15, 2014 Reporter Share Posted September 15, 2014 I keep getting this error trying to login into the forums. I had to disable the Firefox ocsp so I can login. Link to comment Share on other sites More sharing options...
Steven P. Administrators Posted September 15, 2014 Administrators Share Posted September 15, 2014 Reported, but I have no idea what ocsp is :s Link to comment Share on other sites More sharing options...
+Zlip792 MVC Posted September 15, 2014 MVC Share Posted September 15, 2014 Reported, but I have no idea what ocsp is :s http://en.wikipedia.org/wiki/OCSP_stapling https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx Firefox recently turned it on with other features and also disabled few cipher suites. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted September 15, 2014 MVC Share Posted September 15, 2014 OCSP (Online Certificate Status Protocol) is method of checking if cert has been revoked.. Newer version of CRLs http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol Does seem like there is a bit of an issue budman@ubuntu:~$ openssl ocsp -issuer chain.pem -cert neowin.pem -text -url http://ocsp2.globalsign.com/OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 5E197415FEDA9457748D31113EB36E5E47FBE18F Issuer Key Hash: 5D46B28DC44B741CBBEDF573B63AB7388F759E7E Serial Number: 1121888B5C3387E608A18F735BBFB0B6C13C Request Extensions: OCSP Nonce: 04104B3AE9978E9F046C2E49597D5BA9FCE2Error querying OCSP responsder3074397884:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden You can get your oscp url via checking the cert budman@ubuntu:~$ openssl s_client -connect neowin.net:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > neowin.pembudman@ubuntu:~$ openssl x509 -noout -ocsp_uri -in neowin.pemhttp://ocsp2.globalsign.com/gsorganizationvalg2 So yeah you got an issue.it seems.. edit: Hmmm --- its been a while since I have had to do this.. Maybe I am not doing it correct.. Let me double check this.. But I know I pulled your oscp url correctly.. But you have to pull the full chain, I might be messing up the test there.. Let me double check. edit2: So to me your ocsp url is http://ocsp2.globalsign.com/gsorganizationvalg2 But get a 403 error on the url. So yeah that would cause problem with checking the cert.. I have to run for work.. But will look into this a bit more if get a chance. +Zlip792 1 Share Link to comment Share on other sites More sharing options...
DaveLegg Developer Posted September 15, 2014 Developer Share Posted September 15, 2014 Hopefully get this sorted later today. Link to comment Share on other sites More sharing options...
Recommended Posts