Amazon SSL login issue

L Bell

Amazon SSL login issue

Unread post by L Bell » 2015-05-16, 12:59

I've got a problem logging into my Amazon account (https).

Running Pale Moon 24.7.1 for Linux, as found in the Tahrpup 6.0.2 distro.

I've enabled the ssl3 options as described in the warning post, as well as the security.tls.version.min value, which was already set to '0'.

The error displayed is:

"An error occurred during a connection to http://www.amazon.com.
The OCSP response is not yet valid (contains a date in the future).
(Error code: sec_error_ocsp_future_response)."

Is there a solution to this, so I don't have to revert to inferior browsers? :)

BTW, the progress bar is really nice for someone who has to use a 26.4 Kbps connection frequently...

Thanks for any insight into this.

Moonchild
Pale Moon guru
Posts: 35633
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Amazon SSL login issue

Unread post by Moonchild » 2015-05-16, 13:20

Please make sure your date, time and timezone are correct.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

L Bell

Re: Amazon SSL login issue

Unread post by L Bell » 2015-05-16, 14:15

Thank you.

I checked and the hardware and system clock/date are accurate, at least within two minutes.

Seamonkey and FF work on the links from within a few versions of Puppy (431, Slacko 5.7) and Chrome and FF under XP. I'll try rebooting tahrpup in case it is some system glitch.

Perhaps the firewall that came with this pup is doing it.

Here's where to verify the error. Go to Amazon.com as an unknown (new) person, then select 'login', and the error will follow shortly after it tries to negotiate the secure link. (repeated in/output activity occurs before the message). Gratis

L Bell

Re: Amazon SSL login issue

Unread post by L Bell » 2015-05-16, 15:13

Same error occurs here, when trying to edit my prefs from "User Control Panel".

PM reports:

"Secure Connection Failed

An error occurred during a connection to forum.palemoon.org. The OCSP response is not yet valid (contains a date in the future). (Error code: sec_error_ocsp_future_response)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site."

What could this be? My date and time at this moment is Saturday, 16 May, 2015 at 08:12 PST (GMT -8).

dark_moon

Re: Amazon SSL login issue

Unread post by dark_moon » 2015-05-16, 15:29

"The OCSP response is not yet valid (contains a date in the future)"
Your date is wrong.

squarefractal

Re: Amazon SSL login issue

Unread post by squarefractal » 2015-05-16, 16:21

As a temporary workaround, you can set security.ssl.allow_unsafe_ocsp_response to true from about:config.

I stand corrected: apparently this response is only for expired OCSP responses, not for those in the future.
Last edited by squarefractal on 2015-05-17, 07:17, edited 1 time in total.

Re: Amazon SSL login issue

Unread post by Moonchild » 2015-05-16, 21:48

squarefractal wrote: As a temporary workaround, you can set security.ssl.allow_unsafe_ocsp_response to true from about:config.
No, you can't. Please don't suggest preferences unless you know what they are for.

Re: Amazon SSL login issue

Unread post by Moonchild » 2015-05-16, 21:50

@L Bell

Did you check your time zone as well?

L Bell

Re: Amazon SSL login issue

Unread post by L Bell » 2015-05-17, 06:11

You folks solved it. The clock was approximately 1 minute 30 seconds in the future.

I used the 'Time Server Synchroniser' in PupClockset, which put me a few milliseconds behind real-time, and now the page loads like a charm. Thanks for hammering me on this, and permission granted to make fun of me, or erase this thread. Sorry for the waste of time, but perhaps someone else might experience this.

No more time traveling for me!
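
Added example (not written by any poster in this thread, and not Pale Moon's or NSS's own code): a sketch of the validity-window check behind the two outcomes discussed above, "not yet valid" versus "expired". A response reads as being in the future when the system's idea of UTC is earlier than the response's This Update, which is why both the clock and the configured time zone matter. The sample response text is constructed in the layout printed by `openssl ocsp -resp_text`; the function names and the `tolerance` parameter are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout printed by `openssl ocsp -resp_text`.
SAMPLE_RESP_TEXT = """\
    Cert Status: good
    This Update: May 16 16:12:00 2015 GMT
    Next Update: May 23 16:12:00 2015 GMT
"""

_FIELD = re.compile(r"^\s*(This Update|Next Update):\s*(.+?)\s*$", re.M)


def parse_window(resp_text):
    """Return (this_update, next_update) as aware UTC datetimes."""
    fields = dict(_FIELD.findall(resp_text))
    if "This Update" not in fields:
        raise ValueError("no 'This Update' field in response text")

    def to_utc(stamp):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        return parsed.replace(tzinfo=timezone.utc)

    next_update = fields.get("Next Update")  # the field is optional in OCSP
    return to_utc(fields["This Update"]), next_update and to_utc(next_update)


def system_utc(wall_clock, utc_offset_hours):
    """UTC as the system derives it from wall-clock time and configured zone."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return wall_clock.replace(tzinfo=zone).astimezone(timezone.utc)


def check_window(resp_text, local_utc, tolerance=timedelta(0)):
    """Classify the response against the local clock.

    Returns (status, offset): offset is how far the local clock lies outside
    the validity window. `tolerance` is an assumed allowance for clock skew.
    """
    this_update, next_update = parse_window(resp_text)
    if this_update > local_utc + tolerance:
        return "future", this_update - local_utc
    if next_update is not None and next_update < local_utc - tolerance:
        return "expired", local_utc - next_update
    return "valid", timedelta(0)
```

The returned offset is the minimum correction the local clock needs; a "future" result of several whole hours points at the time zone setting rather than the clock itself.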

L Bell

Re: Amazon SSL login issue

Unread post by L Bell » 2015-05-17, 10:58

Update:

Amazon's SSL pages, at least all I tried, load fine from Pale Moon with the config flags mentioned set to 'false'. Now I'm really embarrassed. :(

The flags are as follows, for reference.

In the tahrpup 6.0.2 distro, with P.M. version 24.7.1, these were default as 'true'. (I'm aware these were changed in the new version(s) due to the known security risks clearly posted)

security.ssl3.rsa_rc4_128_sha (I, 'user' set to false)
security.ssl3.rsa_rc4_128_md5 (I, 'user' set to false)

security.tls.version.min (was set to '0' as default) Is this correct, or should it be raised?

Also noticed a flag in the same range:

security.ssl3.rsa_fips_des_ede3_sha was user set to true. Is this correct and safe?

I'm guessing that the 'user' who made the tahrpup distro made these changes in the config, and when making the image, it was a snapshot with all tweaked settings he was using.

Any comments? (more on this wonderful browser in a separate post, to stay on topic)

LB

Re: Amazon SSL login issue

Unread post by Moonchild » 2015-05-17, 11:11

In Pale Moon 24.7.1, the RC4 ciphers were still enabled by default. RC4 was only disabled in 25.3, and similarly, the minimum protocol version was only set to TLS1 (pref set to 1 instead of 0) in 25.0.2 -- These are not user changes of the person packaging the browser, these are the defaults in the older version.
L Bell wrote: security.ssl3.rsa_fips_des_ede3_sha was user set to true. Is this correct and safe?
3DES still offers sufficient security for normal use, even though the encryption is relatively weak (only 112-bit encryption effectively). There are no clearly exploitable vulnerabilities in 3DES and it can only be broken with brute force, which is currently not feasible. Rough estimates, if no specific vulnerabilities are found, would put it in the "safe enough" zone until about 2030 (estimate of 2007 by NIST).

L Bell

Re: Amazon SSL login issue

Unread post by L Bell » 2015-05-18, 21:21

Thanks for helping it make sense.

Side note: Installed the Atom/XP version, and the default security settings work fine on the several places I visit that use SSL.

I'll post a question regarding running this version on a really old machine (2004 ASUS Salmon motherboard with only 1GB ram) after finishing other obligations.

Also was wondering if there is a .pet version for installing newer versions of PM within types of Puppy?

trava90
Contributing developer
Posts: 1742
Joined: 2013-05-20, 18:19
Location: Somewhere in Sector 001

Re: Amazon SSL login issue

Unread post by trava90 » 2015-05-19, 07:52

Off-topic:
L Bell wrote: Also was wondering if there is a .pet version for installing newer versions of PM within types of Puppy?
I believe there are, but not sure where or if they are up to date. You may check the Puppy Linux forum. You can also use our installer to install new versions as they become available.

Locked