[dns-operations] OARC's Open DNSSEC Validating Resolver project

Geoffrey Sisson geoff at geoff.co.uk
Thu Nov 6 04:03:34 UTC 2008

joe at oregon.uoregon.edu (Joe St Sauver) wrote:

> When I try to visit that page with Firefox, I get "Alert: Error establishing 
> an encrypted connection to www.ripe.net. Error Code: -8048." with an OK 
> button.
> www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html says that
> a -8048 is "Invalid OCSP signing certificate in OCSP response." for what
> that may be worth. 
> Are others also seeing that error?

The OCSP service for ipsCA (the CA that issued the cert for
https://www.ripe.net/) is broken in several ways.  Firstly, it uses a
certificate that's not in any of the major x509 TA repositories (Firefox,
Opera, OS X, Microsoft).  Secondly, even if you explicitly import the
missing certificate, it's not authorised to validate the OCSP responses
it was used to sign (!).

Most browsers don't mind because OCSP checking is either unimplemented,
disabled, or OCSP failures are silently ignored by default (I'm not sure
about IE 7).  I have strict OCSP checking enabled in Firefox so I got
the same error Joe did.  The work-around for Firefox is to restore the
default OCSP settings:

    Preferences -> Advanced -> Encryption -> Validation ->
        uncheck "When an OCSP server connection fails, treat
        the certificate as invalid".

Someone from RIPE might want to have a word with ipsCA.
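The "not authorised to sign OCSP responses" failure above can be reproduced offline. The script below is an added example for this archive page, not code from Geoffrey's message or from RIPE/ipsCA: it builds a throwaway CA with the openssl CLI, issues a server certificate and two delegated OCSP responder certificates (one with the id-kp-OCSPSigning extended key usage, one without), signs an OCSP response with each, and then validates both the way a strict client does. All names (Test CA, www.example.test, the responder CNs) are invented for the demo, and it assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example, not part of the original post: rebuild the failure the
# message describes with a throwaway CA. A delegated OCSP signer must chain
# to the CA that issued the certificate being checked AND carry the
# id-kp-OCSPSigning extended key usage; a responder cert that is merely
# CA-issued is not enough. Names below are made up for this demo.
set -e

command -v openssl >/dev/null 2>&1 || { echo "skipping: openssl not installed" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a leaf certificate signed by the demo CA.
#   $1 = file basename, $2 = subject CN, $3 = optional extension file
issue_cert() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
    if [ -n "$3" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
    fi
}

# Demo CA, one server certificate, and two delegated OCSP responders:
# "good-responder" carries extendedKeyUsage=OCSPSigning, "bad-responder" does not.
setup_ca() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Test CA" -days 30 \
        -out "$WORK/ca.crt" 2>/dev/null
    printf 'extendedKeyUsage=OCSPSigning\n' > "$WORK/ocsp.ext"
    issue_cert server www.example.test
    issue_cert good-responder ocsp-good.example.test "$WORK/ocsp.ext"
    issue_cert bad-responder ocsp-bad.example.test
    # Minimal CA database (6 tab-separated fields) so the responder can answer
    # "good" for the server certificate's serial number.
    serial=$(openssl x509 -noout -serial -in "$WORK/server.crt" | cut -d= -f2)
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=www.example.test\n' "$serial" \
        > "$WORK/index.txt"
    # One OCSP request for the server certificate, reused against both responders.
    openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/server.crt" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null
}

# Sign an OCSP response with the named responder, then validate it the way a
# strict client does: trust only the demo CA and require the signer to be
# authorised. Returns openssl's exit status (0 = "Response verify OK",
# non-zero = "Response Verify Failure", e.g. "missing ocspsigning usage").
#   $1 = responder basename (good-responder | bad-responder)
verify_response() {
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" \
        -rsigner "$WORK/$1.crt" -rkey "$WORK/$1.key" -no_nonce \
        -reqin "$WORK/req.der" -respout "$WORK/$1.resp.der" >/dev/null
    openssl ocsp -CAfile "$WORK/ca.crt" -no_nonce -reqin "$WORK/req.der" \
        -respin "$WORK/$1.resp.der"
}

setup_ca
if verify_response good-responder; then
    echo "good-responder (has OCSPSigning EKU): accepted"
fi
if verify_response bad-responder; then
    echo "bad-responder: accepted (unexpected)"
else
    echo "bad-responder (no OCSPSigning EKU): rejected, as a strict client should"
fi
```

The second case is the shape of the ipsCA problem: the response signature itself is fine, and the signer even chains to a trusted CA once you import the missing certificate, but the signer has no authority to speak for that CA. A browser with "treat the certificate as invalid on OCSP failure" enabled is right to refuse; the default soft-fail behaviour is what hides this class of CA misconfiguration from most users.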


