SixXS::Sunset 2017-06-06

Ticket ID: SIXXS #10541354
Ticket Status: Resolved

PoP: (not applicable)

sec_error_revoked_certificate when visiting https://www.sixxs.net using Firefox
[de] Shadow Hawkins on Friday, 22 November 2013 22:28:42
... only happens with Firefox, other browsers (IE, Chrome, Opera) work. Analysis via packet trace reveals that during SSL handshake two certificates for www.sixxs.net are transmitted: one with serial number 60129 and validity from 04.01.2012 to 03.01.2014 and an old one with serial number 39969 and validity from 26.01.2010 to 26.01.2012. This second certificate seems to produce the error in Firefox, while other browsers are happy with the first one. A workaround (disabling certificate validation via OCSP) is described here: http://nigelball.org/2010/01/28/firefox-sec_error_revoked_certificate-issue
[ch] Jeroen Massar SixXS Staff on Friday, 22 November 2013 23:31:37
The old certificate is not there anymore and thus should not interfere. As such you should now get:
$ echo | openssl s_client -connect www.sixxs.net:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 4 17:14:03 2012 GMT
notAfter=Jan 3 17:14:03 2014 GMT
Apparently though that serial number has been revoked for whatever reason:
$ openssl ocsp -issuer class3-cacert.cert -serial 0xeae1 -host ocsp.cacert.org:80 -CAfile class3-cacert.cert
Response verify OK
0xeae1: revoked
    This Update: Nov 22 23:08:47 2013 GMT
    Next Update: Nov 24 23:22:08 2013 GMT
    Revocation Time: Nov 21 20:31:50 2013 GMT
hence also why disabling the OCSP check makes things work. We currently have the following certs:
Serial Number: 60130 (0xeae2)
Serial Number: 60128 (0xeae0)
Serial Number: 60127 (0xeadf)
Serial Number: 60129 (0xeae1)
Seems that only the www.sixxs.net one is revoked...
Response verify OK
0xeae2: good
    This Update: Nov 22 23:15:21 2013 GMT
    Next Update: Nov 24 23:27:43 2013 GMT
Response verify OK
0xeae0: good
    This Update: Nov 22 23:15:21 2013 GMT
    Next Update: Nov 24 23:27:43 2013 GMT
Response verify OK
0xeadf: good
    This Update: Nov 22 23:15:21 2013 GMT
    Next Update: Nov 24 23:27:43 2013 GMT
Response verify OK
0xeae1: revoked
    This Update: Nov 22 23:15:21 2013 GMT
    Next Update: Nov 24 23:27:43 2013 GMT
    Revocation Time: Nov 21 20:31:50 2013 GMT
We are looking into what is really wrong here though.
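The per-serial OCSP check from the post above, as an added example that is not part of the original thread or of SixXS's tooling: it parses `openssl ocsp` text output and reports serials that are revoked, unverified, or whose response is past its Next Update. The function and constant names are assumptions; the sample text is copied from the output quoted in the post.

```python
import re
from datetime import datetime, timezone

# `openssl ocsp` output for two of the serials, copied from the thread above.
SAMPLE = """\
Response verify OK
0xeae2: good
\tThis Update: Nov 22 23:15:21 2013 GMT
\tNext Update: Nov 24 23:27:43 2013 GMT
Response verify OK
0xeae1: revoked
\tThis Update: Nov 22 23:15:21 2013 GMT
\tNext Update: Nov 24 23:27:43 2013 GMT
\tRevocation Time: Nov 21 20:31:50 2013 GMT
"""

STATUS = re.compile(r"^(0x[0-9a-fA-F]+|\d+): (good|revoked|unknown)\s*$")
FIELD = re.compile(r"^\s+(This Update|Next Update|Revocation Time): (.+?)\s*$")
TS_FMT = "%b %d %H:%M:%S %Y GMT"  # OpenSSL prints these timestamps in GMT

def parse_ocsp(text):
    """Return one record per serial found in `openssl ocsp` text output."""
    records, verified = [], False
    for line in text.splitlines():
        if line.startswith("Response"):
            # Only an explicit "Response verify OK" counts as a verified signature.
            verified = line.strip() == "Response verify OK"
        elif m := STATUS.match(line):
            records.append({"serial": m[1], "status": m[2], "verified": verified})
        elif records and (m := FIELD.match(line)):
            records[-1][m[1]] = datetime.strptime(m[2], TS_FMT).replace(tzinfo=timezone.utc)
    return records

def problems(records, now):
    """Flag serials that are unverified, not 'good', or whose response has expired."""
    out = []
    for r in records:
        if not r["verified"]:
            out.append((r["serial"], "response signature not verified"))
        elif r["status"] != "good":
            out.append((r["serial"], r["status"]))
        elif "Next Update" in r and now > r["Next Update"]:
            out.append((r["serial"], "stale response"))
    return out

if __name__ == "__main__":
    for serial, why in problems(parse_ocsp(SAMPLE), datetime.now(timezone.utc)):
        print(serial, why)
```

Run today, the sample also reports 0xeae2 as stale, because its Next Update was in November 2013.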
[ch] Jeroen Massar SixXS Staff on Saturday, 23 November 2013 11:27:55
We are awaiting a new certificate to be issued, that will resolve this problem.
[ch] Jeroen Massar SixXS Staff on Saturday, 23 November 2013 20:32:39
New certificate installed, which should fix this issue and avoid having a need to install the CAcert certificate for www.sixxs.net and *.sixxs.net; though as wildcards do not match www.ipv6.sixxs.net you will still find the CAcert certificates for those variants of hosts.
Note that:
http://www.sixxs.net (dual stack)
http://ipv6.sixxs.net (IPv6 only)
http://ipv4.sixxs.net (IPv4 only)
Can all be used to access the SixXS website.
[de] Shadow Hawkins on Saturday, 23 November 2013 23:29:49
In order to make it work, I had to install an intermediate certificate "Gandi Standard SSL CA" from http://crt.gandi.net/GandiStandardSSLCA.crt which was not available in my Firefox certificate store.
[ch] Jeroen Massar SixXS Staff on Sunday, 24 November 2013 03:17:11
You don't need to do that manually. This Intermediate is now provided by our server. See also the news article for other changes that were made.


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker