BenV's notes

Tag: ssl

OCSP messing up your day?

by on Jan.21, 2018, under Software

I had a few people complain about their favorite browser showing an error such as:
Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)

Or maybe like this:

Secure Connection Failed

An error occurred during a connection to notes.benv.junerules.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.


This was when they were going to a website that I host on my apache server that also serves this blog.
Knowing that my apache configuration is near perfect (*cough*) – at least, ssllabs.com gives this server at least an A rating – I wondered what was up with Firefox now.
The site worked fine when I tested it in Google Chrome.

Turns out that someone did the work for me:
Hanno Böck wrote a detailed post about the issue. Time to tweak some apache configuration and hope that Firefox steps up their game.
Thanks Hanno! 🙂
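Before tweaking anything it helps to see what the server actually staples. The script below is an added example, not code from the original post or from Hanno's write-up: it summarises the transcript that `openssl s_client -status` prints (a stapled response or not, the response status, the certificate status, and whether the Responder Id equals the leaf's issuer name). Firefox rejects a stapled response it cannot validate, which is the error quoted above, while other clients may silently fall back to their own lookup, so this is the view the Firefox users were getting. The sample transcripts are constructed (the host name is the one from the error message), and the name comparison is a plain string comparison on openssl's printed output, which changes shape between openssl versions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what a TLS server
# staples, from the text that `openssl s_client -status` prints.
# The sample transcripts below are constructed.

# Fetch the handshake transcript for a host (needs network; not used by the
# embedded sample run). -status requests a stapled OCSP response and
# -servername selects the right virtual host.
fetch_stapling_output() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null
}

# Read s_client output on stdin and print one summary line:
#   "no-staple"                                     nothing was stapled
#   "staple <response status> <cert status> <who>"  where <who> says whether the
#   Responder Id printed by openssl equals the leaf's issuer name. A delegated
#   responder legitimately differs, so "responder-differs" is a hint to look
#   closer (is it a proper OCSP-signing certificate from the issuer?), not a verdict.
summarize_stapling() {
    awk '
        /^OCSP response: no response sent/ { nostaple = 1 }
        /OCSP Response Status:/ {
            sub(/.*OCSP Response Status: */, ""); sub(/ .*/, ""); resp = $0
        }
        /Cert Status:/   { sub(/.*Cert Status: */, ""); cert = $0 }
        /Responder Id:/  { sub(/.*Responder Id: */, ""); responder = $0 }
        /^ 0 s:/         { getline; if (sub(/^ *i:/, "")) issuer = $0 }
        END {
            if (nostaple || resp == "") { print "no-staple"; exit }
            who = (responder == issuer) ? "responder-is-issuer" : "responder-differs"
            print "staple", resp, (cert == "" ? "unknown" : cert), who
        }'
}

# Constructed sample: a stapled response signed by a responder that is not
# the leaf issuer (shape of openssl 1.1.1+ output).
SAMPLE_STAPLED='Certificate chain
 0 s:CN = notes.benv.junerules.com
   i:C = XX, O = Example CA, CN = Example Issuing CA
 1 s:C = XX, O = Example CA, CN = Example Issuing CA
   i:C = XX, O = Example CA, CN = Example Root CA
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = XX, O = Example CA, CN = Example OCSP Responder
    Cert Status: good
    This Update: Jan 20 12:00:00 2018 GMT
    Next Update: Jan 27 12:00:00 2018 GMT
======================================'

# Constructed sample: a server with stapling disabled.
SAMPLE_NONE='Certificate chain
 0 s:CN = notes.benv.junerules.com
   i:C = XX, O = Example CA, CN = Example Issuing CA
OCSP response: no response sent'

if [ -n "${1:-}" ]; then
    fetch_stapling_output "$1" | summarize_stapling
else
    printf '%s\n' "$SAMPLE_STAPLED" | summarize_stapling   # staple successful good responder-differs
    printf '%s\n' "$SAMPLE_NONE" | summarize_stapling      # no-staple
fi
```

Run it with a host name as the only argument to query a live server, or without arguments to see the two constructed cases. A "no-staple" result is not by itself a problem; a stapled response whose status is not "successful", whose certificate status is not "good", or whose responder is unexpected is what makes Firefox bail out where Chrome carries on.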


Mercurial on Windows vs Linux, spot the problem

by on Feb.17, 2011, under Software

Last week I upgraded our fileserver at work from Debian Lenny to Debian Squeeze.
Obviously a ton of stuff got ‘new’ (read: less ancient) versions, including Apache.
Apart from a reboot or two for new kernels and some config fixes everything went pretty smooth.

This week lotjuh ran into the problem that she couldn’t push to the mercurial repository from Windows.
Strange, because everything worked fine from Linux. I tested from both the Windows 2008 server we have here and another Windows 7 machine at home; both broke with the same cryptic message:

c:\tmp> hg clone --insecure https://fileserver/repository
abort: error: _ssl.c:1325: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Huh. That’s weird.
Obviously Google doesn’t help with this: you get some garbage results about how Mercurial didn’t do jack with HTTPS certificates before version 1.7 and their struggle to implement it.

After some digging I found this in the apache logs:

[Thu Feb 17 12:10:51 2011] [error] [client 192.168.123.321] Re-negotiation request failed
[Thu Feb 17 12:10:51 2011] [error] SSL Library Error: 336068931 error:14080143:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled

Feh. Somewhere old SSL libraries are being used! Windows… always the same.

Solution:
In your apache ssl configuration (mods-enabled/ssl.conf on Debian), add this:

SSLInsecureRenegotiation on

Note that this obviously isn’t a great solution, but it’s the only way to get it to work on windows at the moment.
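Because the directive re-enables renegotiation with clients that lack the secure renegotiation extension, it is the kind of workaround that should be removed once the old Windows clients are updated, and the easiest way to forget about it is to leave it in a file nobody reads. The script below is an added example, not from the original post: it walks Apache config files and reports every line that actually switches `SSLInsecureRenegotiation on`, skipping comments and matching the directive case-insensitively as Apache does. The two sample config files it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find where the
# SSLInsecureRenegotiation workaround is switched on in Apache configuration
# so it can be removed once the old clients are gone.
# The sample config files written below are constructed.

# Print "file:line: directive" for every active "SSLInsecureRenegotiation on".
# Apache directive names are case-insensitive, and a line whose first
# non-blank character is # is a comment; both are handled.
# Exit status 0 when the workaround is present in any file, 1 otherwise.
find_insecure_renegotiation() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /^[ \t]*sslinsecurerenegotiation[ \t]+on[ \t]*$/ {
            t = $0; sub(/^[ \t]+/, "", t)
            print FILENAME ":" FNR ": " t
            n++
        }
        END { exit n ? 0 : 1 }' "$@"
}

# Constructed sample configs: one with the workaround live, one where it is
# only mentioned in a comment.
TMPDIR_AUDIT=$(mktemp -d)
trap 'rm -rf "$TMPDIR_AUDIT"' EXIT
cat > "$TMPDIR_AUDIT/ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv2 -SSLv3
    # temporary: old Windows Mercurial clients cannot renegotiate securely
    SSLInsecureRenegotiation on
</IfModule>
EOF
cat > "$TMPDIR_AUDIT/clean.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv2 -SSLv3
    # SSLInsecureRenegotiation on
</IfModule>
EOF

# Run over both files: reports ssl.conf:4 and exits 0 because one hit exists.
find_insecure_renegotiation "$TMPDIR_AUDIT/ssl.conf" "$TMPDIR_AUDIT/clean.conf"
```

Point it at /etc/apache2/mods-enabled/ssl.conf and the sites-enabled files on a Debian box; a non-zero exit status means the workaround is gone, which makes the check easy to drop into a periodic configuration audit.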

