m (deleted sentence that wasn't entirely correct, and was unnecessary.)
(Added info about OCSP caching and nextUpdate)
| Line 63: | Line 63: | ||
If the OCSP server returns a status of “unknown”, Firefox will display the “SEC_ERROR_OCSP_UNKNOWN_CERT” error in a non-overrideable error message, regardless of the security.ocsp.require preference. Similarly, if the OCSP responder returns an error such as “trylater”, Firefox will display an error message. | If the OCSP server returns a status of “unknown”, Firefox will display the “SEC_ERROR_OCSP_UNKNOWN_CERT” error in a non-overrideable error message, regardless of the security.ocsp.require preference. Similarly, if the OCSP responder returns an error such as “trylater”, Firefox will display an error message. | ||
Notes: | |||
* Firefox [https://hg.mozilla.org/mozreview/gecko/rev/2249d58c94c867628b83d6c32eb0b5f64812a05c#index_header no longer] performs OCSP fetching using the HTTP GET method; Firefox uses the HTTP POST method. | |||
* Firefox caches OCSP responses until they expire or Firefox is restarted (the cache is not persistent). | |||
* If an OCSP response has no "nextUpdate", it is valid for 24 hours (plus "slop" of another 24 hours to deal with clock skew). | |||
* The maximum lifetime of an OCSP response for an end-entity is 10 days, even if the the "nextUpdate" value is farther in the future. | |||
=== CRLite === | === CRLite === | ||
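Review bot: the last added bullet in this hunk has a duplicated word ("even if the the \"nextUpdate\" value is farther in the future"); drop one "the". Two wording points in the same set of added bullets: the "nextUpdate" bullet leaves it unclear whether the extra 24 hours of clock-skew slop is applied only to responses that lack "nextUpdate" or to every cached response, so state which case it covers; and the 10-day bullet says "for an end-entity", which implies a different cap for other certificate types, so either give that limit as well or make explicit that the 10-day figure is the only cap being documented.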