2015-04-04 SSL OCSP failures


All SSL access to hosted websites is currently broken using Firefox and Safari. The problem is that OCSP lookups are failing due to a misconfiguration by StartSSL, the certificate authority providing our SSL certificates. Other browsers are not affected because they have not implemented OCSP lookups. A temporary work-around is to disable the checks. In Firefox:

  1. Enter about:config into the Firefox address bar
  2. Accept the warning
  3. Search for security.ssl.enable_ocsp_stapling
  4. Double-click to change to false

StartSSL does not seem to have any blog or social media presence to indicate status on the outage, but a Twitter search yields a steady stream of corroborations. Hopefully they’ll fix it soon.

UPDATE 2015-04-05 11:45 pm: OCSP is working properly again as of a couple hours ago. Outage/technical problems on StartSSL’s part.

UPDATE 2016-11-26: OCSP responses have had bad signatures for the past two days. I believe this is once again an issue on the StartSSL side. Can be worked around the same way.
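
To tell whether a failure like the ones described here comes from the certificate authority's OCSP responder rather than from the browser or the site, you can look at the OCSP response the server staples into the TLS handshake. The script below is an added example, not part of the original post; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify the OCSP staple in `openssl s_client -status` output read on stdin.
# Prints one of: no-staple, responder-error, good, revoked, unknown.
classify_staple() {
    awk '
        /OCSP response: no response sent/ { state = "no-staple" }
        # A response status other than "successful" (trylater, unauthorized,
        # internalerror, ...) means the responder returned no certificate status.
        /OCSP Response Status:/ && $0 !~ /successful/ { state = "responder-error" }
        /Cert Status:/ && state == "" { state = $NF }
        END { print (state == "" ? "no-staple" : state) }
    '
}

# Live check (needs network access): classify the staple a server presents.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | classify_staple
}

# Constructed sample outputs, trimmed to the lines the classifier reads.
sample_good() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
EOF
}
sample_trylater() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================
EOF
}
sample_none() { echo 'OCSP response: no response sent'; }

# With a hostname argument, check that host; otherwise run the samples.
if [ $# -gt 0 ]; then
    check_host "$1"
else
    for s in sample_good sample_trylater sample_none; do
        printf '%s: %s\n' "$s" "$($s | classify_staple)"
    done
fi
```

The classifier reads only the status fields and does not validate the response signature, so it will not flag the bad-signature case from the 2016 update.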