Solved

False Positive SSL “Peer's Certificate Has Been Revoked” on Firefox Only

Posted on 2011-09-11
Last Modified: 2012-05-12
One of my clients is having a problem that is vexing both their system admin and GoDaddy support, who say that everything is correct and this error should not be happening.  Their SSL certificate is valid and seems to be correctly installed:

http://www.sslshopper.com/ssl-checker.html#hostname=moocho.com

It also works fine on IE and Chrome.  However, on Firefox users are getting this error (Firefox 7 users seem to get the error on every single page load):

[Image: divmn.jpg]

Relevant History: Last week (about 7-10 days ago) they were using a different certificate that *was* revoked.  However, they received a new SSL Cert on 9/5 or 9/6, and this is the one that is currently installed.  

I think this might have something to do with the OCSP service that Firefox uses to check certificate authenticity.  Could that service have cached data from when the old cert was revoked, and hence still be reporting that moocho.com has a revoked cert?  If so, is there any way to fix this problem?  

If not, what is causing this error?

Thanks!
0
Question by:Jonah11
10 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 36519497
It only works in IE on this computer (Windows XP SP3).  Firefox, Chrome, Safari and Opera all say it has been revoked.  Check to see if the server is only responding to SSL2 for some reason.  Firefox and the others only use SSL3 and TLS1 now although I do have IE set to use SSL3 and TLS1 and not SSL2.

And you checked the wrong name, should have been "moochomoocho.com" though that checks OK too.  http://www.sslshopper.com/ssl-checker.html#hostname=moochomoocho.com
0
 
LVL 7

Author Comment

by:Jonah11
ID: 36519691
Dave,

Tyvm for the response.  You say: " Check to see if the server is only responding to SSL2 for some reason."

How do I perform this check?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 36519774
Ignore that, I have IE set for SSL3 and TLS1 also so that isn't it.  It could be something about the OCSP and a delay for the info to propagate.  Seems like everything gets cached these days and I don't know how to uncache that one.  The OCSP path in the certificate does lead back to one of two sites on Godaddy.  You can view the details in IE by clicking on the 'lock' in the address bar.
0
 
LVL 7

Author Comment

by:Jonah11
ID: 36520024
Dave,

I see the certificate in ie as you said by clicking on the lock, but what am I supposed to do with that info?

Thanks.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 36520117
Ask Godaddy about the two server options there and whether the verification on their OCSP server has been updated for the cert that is not out of date.  I say that because it may be that IE uses one server and the others use the other server.

Under Encryption in Firefox Options, if you click on Validate, the default option is to use the OCSP server listed in the certificate.  And the Godaddy servers are listed in that Godaddy certificate.  It keeps pointing back to being their problem one way or another.  I couldn't find a method in Chrome.
0
 
LVL 7

Author Comment

by:Jonah11
ID: 36520159
Which are the 2 server options you are referring to?  I see this when clicking on the lock:

http://i.imgur.com/fARKs.png

Thanks,
Jonah
0
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 36520398
You didn't look far enough.  The servers for OCSP are listed like this:
[Image: moocho-cert.jpg]
0
 
LVL 7

Assisted Solution

by:Jonah11
Jonah11 earned 0 total points
ID: 36544723
Well, finally figured it out.  Turns out we were serving the .ICO url icon from our old server, and that was the cause of the error.  

Thanks for your help Dave
0
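
The cause reported above (an icon served from the old server) is the kind of problem a single-hostname certificate checker does not look at. As an added example, not part of the original thread, this Python code lists every HTTPS host a page pulls resources from, including the implicit /favicon.ico, and fingerprints each host's certificate so that any host presenting a different certificate than the main site can be checked for revocation on its own. The function names and the example.test hostnames are constructed for illustration.

```python
import hashlib
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that can make a browser fetch a subresource.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}


class _ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(urljoin(self.base_url, value))


def tls_hosts(page_url, html):
    """Return the sorted HTTPS hosts a browser contacts to render the page."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    # Browsers request /favicon.ico even when no <link rel="icon"> is present.
    urls = collector.urls + [page_url, urljoin(page_url, "/favicon.ico")]
    parts = [urlsplit(u) for u in urls]
    return sorted({p.hostname for p in parts if p.scheme == "https" and p.hostname})


def cert_fingerprints(hosts, fetch=ssl.get_server_certificate):
    """Map host -> SHA-256 of the leaf certificate it presents on port 443."""
    # The default fetch does not validate the chain, so a revoked or expired
    # certificate is still returned for inspection.
    return {h: hashlib.sha256(ssl.PEM_cert_to_DER_cert(fetch((h, 443)))).hexdigest()
            for h in hosts}


def hosts_with_other_cert(fingerprints, main_host):
    """Hosts whose certificate differs from the main host's; check each one."""
    expected = fingerprints[main_host]
    return sorted(h for h, fp in fingerprints.items() if fp != expected)


if __name__ == "__main__":
    # Constructed sample page; the hostnames are placeholders.
    page = '<link rel="icon" href="https://old.example.test/favicon.ico">'
    print(tls_hosts("https://www.example.test/", page))
```

Third-party hosts such as CDNs will legitimately appear in the result of `hosts_with_other_cert`; the point is that each listed host has a certificate the main-site check never examined.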
 
LVL 7

Author Closing Comment

by:Jonah11
ID: 36565468
Turns out it was a stupid error on our part
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 36544793
You're welcome, them little things will get you.
0
