HTTPS Error: sec_error_ocsp_try_server_later

macdjord

Every time I try to access any QQ page over HTTPS, I get:
Secure Connection Failed
An error occurred during a connection to forum.questionablequesting.com. The OCSP server suggests trying again later. (Error code: sec_error_ocsp_try_server_later)
 
Okay, the workaround works, but I'm not particularly comfortable disabling a global security option just to fix one site. I assume some permanent fix is in the works?
 
This should now be fixed on the server-side (though just via disabling OCSP stapling there).

OCSP stapling isn't even really a "security" option; it's a "performance" option. The alternative is for the browser to do its own OCSP requests, which it may well ignore (if e.g. it gets even that same tryLater code as was stapled here). I'm really not sure what the notional security gain is, given that constraint. But eh.
 
Hi,

I never experienced this issue before, but today I started getting the OCSP issue reported by the OP. I had to disable querying OCSP responder services just to post this message. Did the fix get reverted or something?
 
Experiencing a similar problem on Firefox, but not Chromium:
Secure Connection Failed

An error occurred during a connection to forum.questionablequesting.com. The OCSP server has no status for the certificate. (Error code: sec_error_ocsp_unknown_cert)
  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.
 
Fundamentally, OCSP errors are not really addressable by QQ as a software suite or as a server. The OCSP protocol is used to check the validity of certificates at run-time, and it's purely between the user's browser and the CA; our server never gets involved. Thus, there's little we can do about many of them.

The earlier error was due to OCSP stapling, a server feature which routes OCSP requests through the QQ server. As best I can tell, this remains disabled even on the new hosting. And in fact, disabling it was only ever a patch fix; the fundamental issue — which was with the CA's OCSP servers — remained. Turning off stapling just made the browser ignore it again.

If this goes on for too long, we can try to contact the CA and get them to look into fixing it. However, that's an inherently unreliable process. Users affected should probably just disable OCSP until the problem goes away; this is notionally a security flaw, but only a marginal one, since OCSP's role is only to mitigate already-done attacks by enabling revocation of TLS certificates. As best we are aware, no one has hacked QQ, nor even cares enough about us to bother trying; thus, disabling OCSP is not really an issue here. (Of course, in the name of caution it should be reenabled if and when it is no longer blocking people from accessing the site.)
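
The OCSP mechanics described in the post above (a responder answering tryLater, a responder that has no status for the certificate, and the difference between a stapled answer and a live fetch that the browser may ignore) as an added worked example in Python. This is not code from the thread, from QQ or from XenForo. It parses just enough of the DER OCSPResponse structure (RFC 6960 section 4.2.1) to reach responseStatus and the first CertStatus, and builds its own sample responses inline so it runs offline; the issuer hashes, serial number and signature in those samples are placeholders, and the client policy in `decide` is modelled on what this thread reports for Firefox, not on any browser's specification. A real validator must also verify the responder signature, which this example deliberately skips.

```python
"""Minimal OCSP response parser and client decision model (added example,
not QQ/XenForo code). Signature verification is intentionally omitted;
sample responses below are constructed with placeholder hashes/signature."""


def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Build one tag-length-value element (single-byte tags, all OCSP needs)."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: low bits = number of length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val


ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
CERT_STATUS_TAGS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}  # CertStatus CHOICE
CERT_GOOD = tlv(0x80, b"")
CERT_UNKNOWN = tlv(0x82, b"")
CERT_REVOKED = tlv(0xA1, tlv(0x18, b"20160101000000Z"))  # RevokedInfo.revocationTime


def parse_ocsp_response(der: bytes) -> dict:
    """Return {'responseStatus': ..., 'certStatus': ...} for a DER OCSPResponse."""
    tag, outer, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    parts = list(children(outer))
    status = RESPONSE_STATUS.get(parts[0][1][0], "unrecognized")
    result = {"responseStatus": status, "certStatus": None}
    if status != "successful" or len(parts) < 2:
        return result                                   # error responses carry no responseBytes
    _, resp_seq = next(children(parts[1][1]))           # responseBytes [0] EXPLICIT
    (_, oid), (_, octets) = list(children(resp_seq))    # responseType OID, response OCTET STRING
    if oid != ID_PKIX_OCSP_BASIC:
        raise ValueError("unsupported responseType")
    _, basic = next(children(octets))                   # BasicOCSPResponse
    _, tbs = next(children(basic))                      # tbsResponseData
    responses = next(v for t, v in children(tbs) if t == 0x30)  # SEQUENCE OF SingleResponse
    _, single = next(children(responses))               # first SingleResponse
    cert_status_tag = list(children(single))[1][0]      # the element right after CertID
    result["certStatus"] = CERT_STATUS_TAGS.get(cert_status_tag, "unrecognized")
    return result


def ocsp_error(status_code: int) -> bytes:
    """Constructed sample: an unsuccessful OCSPResponse (3 = tryLater) is just its status."""
    return tlv(0x30, tlv(0x0A, bytes([status_code])))


def ocsp_success(cert_status: bytes) -> bytes:
    """Constructed sample: structurally valid successful response, zeroed hashes,
    serial 1, byKey responder ID and a placeholder (unverifiable) signature."""
    gtime = tlv(0x18, b"20160101000000Z")
    sha1 = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
    cert_id = tlv(0x30, sha1 + tlv(0x04, b"\x00" * 20) + tlv(0x04, b"\x00" * 20) + tlv(0x02, b"\x01"))
    single = tlv(0x30, cert_id + cert_status + gtime)
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x00" * 20)) + gtime + tlv(0x30, single))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    basic = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 9))
    resp_bytes = tlv(0xA0, tlv(0x30, tlv(0x06, ID_PKIX_OCSP_BASIC) + tlv(0x04, basic)))
    return tlv(0x30, tlv(0x0A, b"\x00") + resp_bytes)


def decide(der: bytes, stapled: bool):
    """Client policy modelled on this thread's reports (assumption, not a spec):
    a stapled responder error is a hard failure, the same error on a live fetch
    is soft-failed (ignored), while 'unknown' and 'revoked' always fail."""
    p = parse_ocsp_response(der)
    if p["responseStatus"] != "successful":
        if stapled:   # Firefox surfaced a stapled tryLater as sec_error_ocsp_try_server_later
            code = "sec_error_ocsp_try_server_later" if p["responseStatus"] == "tryLater" else p["responseStatus"]
            return ("hard-fail", code)
        return ("soft-fail", p["responseStatus"])
    if p["certStatus"] == "good":
        return ("accept", "good")
    if p["certStatus"] == "revoked":
        return ("hard-fail", "sec_error_revoked_certificate")   # NSS error name
    return ("hard-fail", "sec_error_ocsp_unknown_cert")          # responder has no status


if __name__ == "__main__":
    for label, der, stapled in [("stapled tryLater", ocsp_error(3), True),
                                ("live tryLater", ocsp_error(3), False),
                                ("unknown serial", ocsp_success(CERT_UNKNOWN), False),
                                ("good", ocsp_success(CERT_GOOD), True)]:
        print(f"{label:16s} -> {decide(der, stapled)}")
```

The split in `decide` is the practical point of the post: with stapling on, the server hands the browser whatever the CA's responder said, so a responder that is down or overloaded (tryLater) becomes a hard error on the site; with stapling off, the browser asks the responder itself and will generally soft-fail the same answer. The "unknown" path is different: the responder was reached and explicitly had no status for that serial, which is why disabling stapling did not help with the second error.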
 
I had the same error with another site that uses StartCom Ltd. as its CA. I think that the problem is something on the CA's end.
 
As of now, SSLtest shows OCSP working again. Fingers crossed they've gotten their fuckup fixed.
 
