
HTTPS Error: sec_error_ocsp_try_server_later

Discussion in 'Suggestions & Bugs' started by macdjord, Mar 10, 2015.

  1. macdjord

    macdjord Well worn.

    Joined:
    Feb 20, 2013
    Messages:
    8,833
    Likes Received:
    36,811
    Every time I try to access any QQ page over HTTPS, I get:
     
    Ddmkm122 likes this.
  2. tehelgee

    tehelgee The stern gaze of justice. Administrator

    Joined:
    Feb 12, 2013
    Messages:
    2,910
    Likes Received:
    12,707
    Ddmkm122 likes this.
  3. macdjord

    macdjord Well worn.

    Joined:
    Feb 20, 2013
    Messages:
    8,833
    Likes Received:
    36,811
    Okay, the workaround works, but I'm not particularly comfortable disabling a global security option just to fix one site. I assume some permanent fix is in the works?
     
    Ddmkm122 likes this.
  4. alethiophile

    alethiophile Shadowed Philosopher Administrator

    Joined:
    Apr 26, 2013
    Messages:
    7,611
    Likes Received:
    53,717
    This should now be fixed on the server-side (though just via disabling OCSP stapling there).

    OCSP stapling isn't even really a "security" option; it's a "performance" option. The alternative is for the browser to do its own OCSP requests, which it may well ignore (if e.g. it gets even that same tryLater code as was stapled here). I'm really not sure what the notional security gain is, given that constraint. But eh.
     
    Ddmkm122 likes this.
  5. subsider34

    subsider34 Versed in the lewd.

    Joined:
    Jun 29, 2014
    Messages:
    1,749
    Likes Received:
    1,131
    Hi,

    I never experienced this issue before, but today I started getting the OCSP issue reported by the OP. I had to disable querying OCSP responder services just to post this message. Did the fix get reverted or something?
     
    Ddmkm122 likes this.
  6. powerofvoid

    powerofvoid Versed in the lewd.

    Joined:
    Aug 3, 2014
    Messages:
    1,671
    Likes Received:
    4,726
    Experiencing a similar problem on Firefox, but not Chromium:
     
    Ddmkm122 likes this.
  7. subsider34

    subsider34 Versed in the lewd.

    Joined:
    Jun 29, 2014
    Messages:
    1,749
    Likes Received:
    1,131
    Interesting. I just tried QQ on IE and it works on that as well. Looks like this might be a Firefox specific problem. How annoying.
     
    Ddmkm122 likes this.
  8. alethiophile

    alethiophile Shadowed Philosopher Administrator

    Joined:
    Apr 26, 2013
    Messages:
    7,611
    Likes Received:
    53,717
    Fundamentally, OCSP errors are not really addressable by QQ as a software suite or as a server. The OCSP protocol is used to check the validity of certificates at run-time, and it's purely between the user's browser and the CA; our server never gets involved. Thus, there's little we can do about many of them.

    The earlier error was due to OCSP stapling, a server feature which routes OCSP requests through the QQ server. As best I can tell, this remains disabled even on the new hosting. And in fact, disabling it was only ever a patch fix; the fundamental issue — which was with the CA's OCSP servers — remained. Turning off stapling just made the browser ignore it again.

    If this goes on for too long, we can try to contact the CA and get them to look into fixing it. However, that's an inherently unreliable process. Users affected should probably just disable OCSP until the problem goes away; this is notionally a security flaw, but only a marginal one, since OCSP's role is only to mitigate already-done attacks by enabling revocation of TLS certificates. As best we are aware, no one has hacked QQ, nor even cares enough about us to bother trying; thus, disabling OCSP is not really an issue here. (Of course, in the name of caution it should be reenabled if and when it is no longer blocking people from accessing the site.)
     
    Ddmkm122 likes this.
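The post above distinguishes three situations: no staple (the browser does its own OCSP fetch and may soft-fail), a stapled successful response, and a stapled responder error such as tryLater, which is the case the thread's Firefox users hit. The following shell function, an added example and not code from the thread or from QQ, classifies a server's staple from the text `openssl s_client -status` prints; it assumes OpenSSL's output format (`OCSP Response Status: <status> (0xN)`, `Cert Status: good|revoked|unknown`, or `OCSP response: no response sent`), and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the OCSP staple in
# `openssl s_client -status` output, assuming OpenSSL's text format.

# classify_staple: reads s_client output on stdin and prints one word:
#   no-staple               server sent no staple; the browser fetches OCSP itself
#   good | revoked | unknown  successful stapled response with this cert status
#   error:<status>          a responder error (e.g. trylater) was stapled to the
#                           handshake, the case that produced the thread's error
classify_staple() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo "no-staple"; return 0 ;;
  esac
  status=$(printf '%s\n' "$out" \
    | sed -n 's/^[[:space:]]*OCSP Response Status:[[:space:]]*\([a-z]*\).*/\1/p' \
    | head -n 1)
  if [ -z "$status" ]; then echo "no-staple"; return 0; fi
  if [ "$status" != "successful" ]; then echo "error:$status"; return 0; fi
  cert=$(printf '%s\n' "$out" \
    | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*\([a-z]*\).*/\1/p' \
    | head -n 1)
  echo "${cert:-unknown}"
}

# check_host: live check against a real host (needs network; not run offline).
check_host() {
  printf 'Q\n' | openssl s_client -status -connect "$1:443" -servername "$1" 2>/dev/null \
    | classify_staple
}

# Constructed sample: the kind of staple that triggers sec_error_ocsp_try_server_later.
SAMPLE_TRYLATER='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================'
```

Running `check_host example.com` against the site in question shows whether the server is still stapling a responder error, which is what disabling stapling on the server side removed.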
  9. Chase92

    Chase92 Know what you're doing yet?

    Joined:
    Oct 11, 2014
    Messages:
    246
    Likes Received:
    130
    I had the same error with another site that uses StartCom Ltd. as its CA. I think that the problem is something on the CA's end.
     
    Ddmkm122 and subsider34 like this.
  10. nick012000

    nick012000 Gone for Good

    Joined:
    Feb 26, 2013
    Messages:
    4,553
    Likes Received:
    12,699
    Ddmkm122 likes this.
  11. tehelgee

    tehelgee The stern gaze of justice. Administrator

    Joined:
    Feb 12, 2013
    Messages:
    2,910
    Likes Received:
    12,707
    It's not us or HTTPS that's broken, it's Firefox's OCSP stapling and the CA's shittiness.

    It was free, and you get what you pay for, I guess.
     
    Ddmkm122 likes this.
  12. powerofvoid

    powerofvoid Versed in the lewd.

    Joined:
    Aug 3, 2014
    Messages:
    1,671
    Likes Received:
    4,726
    Whatever it was went away. I'm not sure if it's the fact that I'm using a different Internet connection or what.
     
    Ddmkm122 and subsider34 like this.
  13. Adyen

    Adyen Experienced.

    Joined:
    Jan 30, 2014
    Messages:
    3,945
    Likes Received:
    3,140
    It's not. I tried connecting at home and at work, but the same problem showed up. It just cleared up in the last 2-3 hours.
     
    Ddmkm122, subsider34 and powerofvoid like this.
  14. alethiophile

    alethiophile Shadowed Philosopher Administrator

    Joined:
    Apr 26, 2013
    Messages:
    7,611
    Likes Received:
    53,717
    As of now, SSLtest shows OCSP working again. Fingers crossed they've gotten their fuckup fixed.
     
    Ddmkm122 likes this.