I browse on paranoid mode, and have Pale Moon configured to reject pages in case OCSP response does not arrive.
Issue 1: Unfortunately, a lot of OCSP servers are slow and take long time to respond and the page times out.
Bug / Issue 2: When OCSP request times out/unavailable, hitting refresh button does not restart OCSP request process, instead it attempts to restart handshake. This, with my configuration of mandatory OCSP look-up, does nothing.
Possible fix:
If Pale Moon is configured to "When an OCSP server connection fails, treat the certificate as invalid", refresh button also has to re-attempt OCSP request.
Thank you, and keep up good work!
Bug: OCSP timeout and refresh page
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
-
joe04
Re: Bug: OCSP timeout and refresh page
Soft fail is an inherent flaw of OCSP, not a browser bug. All browsers that use OCSP have it set to soft fail as a necessary default, because hard fail mode exposes the flaws of the system itself. (This is what OP is experiencing.)
Some more info:
viewtopic.php?f=26&t=13105
Some more info:
viewtopic.php?f=26&t=13105
Re: Bug: OCSP timeout and refresh page
It's not an inherent flaw of the protocol itself, but it is a common occurrence that OCSP requests time out for a multitude of reasons (most often due to routing or due to overload of the OCSP server). Because the "soft fail" approach is common for all web browsers by default, with some even going ahead and trying to be their own revocation server preferred over industry-standard OCSP use (either stapled or not), there isn't much pressure to solve failing OCSP requests. And there we have the status quo for OCSP in a nutshell.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite