First, I would like to humbly apologize to @Thorin-Oakenpants, @earthlng and other parties for hijacking the other thread. It just happened with a "natural" (wrong) flow instead of opening a new debate and we got carried away.
I feel great respect for you and your work. I am unfortunately limited by my knowledge compared to you to be a better help. It sometimes happens (like in the other thread) that some of us find something to chew on and, unfortunately, the eagerness to participate prevails and blinds me.
I hope I wrote in an understandable way... to express myself in English written words is not "my thing", since I am more talkative than type-tive.
Anyway... the security.OCSP.require stuff:
@StanGets and @bogachenko found some pages that do not work with security.OCSP.require = true.
For example https://www.getclone.app/ms-apps/cleanmgrplus.
Strange thing is that this page opens just fine here with the security.OCSP.require = true.. see video.
I have the same, working, result with Nilla profile + security.OCSP.require = true.
Is it maybe the OS that is different?
I am on Windows OS, but are you, @StanGets and @bogachenko, on some linux-like OS?
Does anyone have any additional page as a sample, where the breakage occurs?
Cheers
@crssi
First, I would like to humbly apologize to @Thorin-Oakenpants, @earthlng and other parties for hijacking the other thread. It just happened with a "natural" (wrong) flow instead of opening a new debate and we got carried away.
yep
I am on Windows OS, but are you, @StanGets and @bogachenko, on some linux-like OS?
no. i am on shitty-windows10
and look. on my virtual machine (on linux mint.. Same as ubuntu) also does not open

Does anyone have any additional page as a sample, where the breakage occurs?
strictly speaking, my "true" even google.com doesn't open.. not to mention your site. lol. I'm done

Can you try with a clean profile + security.OCSP.require = true?
Well, that's exactly why we enable that pref so that you know when something is wrong.
There are various reasons why the connection can fail: OCSP server is temporarily down/unreachable (=most common reason), different routing for different countries and 1 server is down while others still work, DNS changed and your DNS cache is outdated, something is blocking HTTP connections on the user's end, someone is blocking connection to the server somewhere in the middle (VPN, MitM, etc), etc.
The OCSP server name for that URL is http://ocsp.comodoca.com. Can you ping ocsp.comodoca.com? What does it resolve to? If you can't reach it, try trace route and see how far it goes and then you'll know where the problem lies.
I've only had problems with that pref maybe 2 or 3 times, once was over Tor and that was likely indicating that the Tor nodes I was using were trying to do something malicious. The other 1 or 2 times were temporary issues and the sites worked again when I refreshed it a couple minutes later.
@earthlng so I can not open any sites at all with the included fuck
OCSP server is temporarily down/unreachable
hm
@crssi cleared, (I will not throw a screen) does not work, although earlier everything was fixed by deleting the cert9.db file.
at least I thought so. I deleted this file = cleared certificates = the site opens, but now it does not work, apparently my conclusion is wrong
Thank you @earthlng, the same thing went through my head... but before that I wanted to see if there is some other underlying problem. Apparently not. Some conspiracy theory (or without theory) in their countries.
I never had this problem here... not a single case.
@crssi where are you from (if it's not a secret)?
Nah... it's not a secret. If someone would go digging, they would find out anyway.
@crssi OK, understood. Well, probably the OCSP server is down for my country or something like that, as the earth said
someone is blocking connection to the server somewhere in the middle (VPN, MitM, etc), etc.
lol, if you install a proxy, everything works (set proxy for italy). haahahaha
@bogachenko open a terminal and try these commands:
ping ocsp.comodoca.com - this probably doesn't work for you
tracert ocsp.comodoca.com - see which one is the last IP that can be traced. Then look up that IP address to find the matching company and that's where your problem is
ipconfig /flushdns and then try the 2 above commands again and see if it works now
^^ that will let us know whether your problem is with your system+OCSP in general or just with your Firefox setup
@earthlng I installed a proxy for another country, the site has opened with the value of "true". when I remove it, an error appears
@earthlng
by the way are you sure of tracert ocsp.comodoca.com
isn't it traceroute ocsp.comodoca.com?
in linux ~mint~ it's traceroute, no?
If flushing your DNS cache doesn't help then it's either a server problem or something between you and that server. Then you can either wait and hope it will get fixed soon, disable the pref if you urgently want to access that site, use a proxy or Tor, or if it's just a site you want to read like fe a blogpost or article, you can let https://archive.is/ create an archive of that URL and read it that way.
In Win7 it's tracert, don't know if that changed in Win10
@earthlng
If flushing your DNS cache doesn't help then it's either a server problem or something between you and that server. Then you can either wait and hope it will get fixed soon, disable the pref if you urgently want to access that site, use a proxy or Tor, or if it's just a site you want to read like fe a blogpost or article, you can let https://archive.is/ create an archive of that URL and read it that way.
hemorrhoids. everything works fine through a proxy
In Win7 it's tracert, don't know if that changed in Win10
So this is for shitty windows, fuck. you just say - open the terminal, and there is no terminal in the windows, there is a command line. and I thought it was for linux
you said you're using Win10 so I gave you the Windows commands
@crssi if someone had to apologize for yesterday's 'thread hijacking' it should be me, not you: I was the one who initialized this security.OCSP.require debate by submitting the problematic link, having totally forgotten that it wasn't the right thread.
Concerning the environment: mine is Firefox 65.0 64-BIT / Windows 7 64-BIT
But reading @earthlng's comment above,
The OCSP server name for that URL is http://ocsp.comodoca.com.
I realized I had comodoca somewhere in a blacklist. Indeed I had 0.0.0.0 >comodoca.* in a personal (not downloaded hosts) Acrylic blocklist. This was an old entry and I just can't remember why I had included it.
Now all is OK, I've just opened https://www.getclone.app/ with my security.OCSP.require set to true.
P.S. I just pinged successfully ocsp.comodoca.com (with dedicated _TCP Monitor Plus_ application) which resolved to 2.22.22.129
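The cause found in the comment above was a local blocklist entry that sinkholed the OCSP responder's name. The following added example (not code from the thread or from any project mentioned in it) checks a hosts-style blocklist for entries that would match an OCSP responder hostname. The sample blocklist is constructed, and the pattern semantics (`>name` covering the name and its subdomains, `*` and `?` as wildcards) are an assumption about the blocklist syntax.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blocklist; only the comodoca line mirrors the thread.
SAMPLE_BLOCKLIST = """\
# personal blocklist (constructed sample)
0.0.0.0 ads.example.net
0.0.0.0 >comodoca.*
127.0.0.1 *.tracker.example
"""

def ocsp_host(url):
    """Return the lowercase hostname of an OCSP responder URL."""
    return urlsplit(url).hostname.lower()

def parse_blocklist(text):
    """Yield (line_no, address, pattern) for every sinkhole entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue  # blank line, comment, or malformed entry
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address
        # Only 0.0.0.0 / :: / loopback targets count as a sinkhole here.
        if ip.is_unspecified or ip.is_loopback:
            for pattern in parts[1:]:
                yield line_no, parts[0], pattern.lower()

def pattern_matches(pattern, host):
    """Assumed semantics: '>name' = name plus subdomains; * and ? are wildcards."""
    if pattern.startswith(">"):
        base = pattern[1:]
        return (fnmatch.fnmatchcase(host, base)
                or fnmatch.fnmatchcase(host, "*." + base))
    return fnmatch.fnmatchcase(host, pattern)

def blocking_entries(ocsp_url, blocklist_text):
    """List blocklist entries that would sinkhole the OCSP responder."""
    host = ocsp_host(ocsp_url)
    return [(n, addr, pat) for n, addr, pat in parse_blocklist(blocklist_text)
            if pattern_matches(pat, host)]

if __name__ == "__main__":
    for n, addr, pat in blocking_entries("http://ocsp.comodoca.com", SAMPLE_BLOCKLIST):
        print(f"line {n}: {pat!r} sends the OCSP responder to {addr}")
```

With security.OCSP.require = true, any match here means the browser cannot get a revocation answer and the page load fails, which is the symptom reported in this thread.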
Did you all get that out of your system, and realize that the protocol is fine, the differences are from caching and networking?
Read earthlng's first post - there are so many other factors and fingers in the chain
@crssi @bogachenko @StanGets can you please delete your own offtopic comments in #610 ? Thanks
@earthlng deleted
can you please delete your own offtopic comments in #610 ? Thanks
Done.