This site's OCSP certificate is invalid Topic is solved

Unread post by Mæstro » 2023-02-14, 17:52

A screenshot (in German) has been attached; this had appeared on accessing this forum. To access this site and report this, I had needed to disable OCSP in the advanced settings. This error had appeared only today; all had worked as it ought to have yesterday.
Browser: Pale Moon (Pusser’s repository for Debian)
Operating System: Linux Mint Debian Edition 4 (amd64)
※Receiving Debian 10 LTS security upgrades
Hardware: HP Pavilion DV6-7010 (1400 MHz, 6 GB)
Formerly user TheRealMaestro: æsc is the best letter.

Unread post by Moonchild » 2023-02-14, 18:05

Are you forcing OCSP verification and treating OCSP failures as errors? You shouldn't.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Unread post by Mæstro » 2023-02-14, 18:12

Yes, I ordinarily use the settings shown in the screenshot. To access this site, I had unticked both boxes. What is the purpose and intended use for these options?
(Curiously, the site appears now to work as normal, with these boxes ticked again. It would seem the error was momentary, so I see this question, unless the site lapses, as informative only.)

Unread post by Moonchild » 2023-02-14, 18:18

The second of the options is not recommended (and not the default in Pale Moon!). OCSP servers aren't always reliably available and it will fall back to standard certificate checks in that case.
You should not treat an OCSP failure as an invalid certificate unless you have explicit need for requiring revocation information to be checked and verified every time you access the server (some high sec environments do require this but as an end user you shouldn't need this).

Locked
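
Added example, not part of the thread and not Pale Moon's own code: a simplified model of the two policies described in the last post, showing which OCSP lookup outcomes block a connection when failures are tolerated (soft-fail) and when they are treated as an invalid certificate (hard-fail). The `OcspResult` type, the outcome names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspResult:
    """One OCSP lookup outcome. status is None when no usable answer arrived."""
    status: Optional[str]                  # "good", "revoked", or None
    next_update: Optional[datetime] = None
    failure: str = ""                      # e.g. "timeout", "tryLater"

def revocation_decision(result, hard_fail, now):
    """Return (allow, reason) for a certificate whose chain already validated."""
    if result.status == "revoked":
        return False, "revoked"            # blocks under either policy
    fresh = result.next_update is None or now <= result.next_update
    if result.status == "good" and fresh:
        return True, "OCSP good"
    reason = result.failure or "stale or missing response"
    if hard_fail:
        # Hard-fail: no verified revocation answer means the page is refused.
        return False, "no revocation info (" + reason + ")"
    # Soft-fail: fall back to the standard certificate checks alone.
    return True, "soft-fail, standard checks only (" + reason + ")"

# Constructed sample outcomes, not taken from the thread.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "fresh_good": OcspResult("good", NOW + timedelta(days=1)),
    "revoked": OcspResult("revoked", NOW + timedelta(days=1)),
    "responder_timeout": OcspResult(None, failure="timeout"),
    "try_later": OcspResult(None, failure="tryLater"),
    "stale_good": OcspResult("good", NOW - timedelta(hours=1)),
}

def compare(samples=SAMPLES, now=NOW):
    """Map each sample to (allowed with soft-fail, allowed with hard-fail)."""
    return {
        name: (revocation_decision(r, False, now)[0],
               revocation_decision(r, True, now)[0])
        for name, r in samples.items()
    }

if __name__ == "__main__":
    for name, (soft, hard) in compare().items():
        print(f"{name:18} soft-fail={'allow' if soft else 'block'}  "
              f"hard-fail={'allow' if hard else 'block'}")
```

In this model a revoked answer blocks under both policies; the two differ only when the responder gives no usable answer, which is the case where hard-fail turns a transient responder problem into a certificate error.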