OCSP trouble, error code 810 (March 31st)

Hello all,
Due to the number of threads that contain posts about this problem I decided to put up a master reference for today's incident.
It looks like the Online Certificate Validation (OCSP) service at the Thawte Certificate Authority has encountered a serious problem today (March 31st, 2006). The server itself is up and running, but it is not able to return valid responses for an undetermined number of secure websites.
Thawte and Verisign technicians are hard at work trying to fix the problem.
[Update: 23.00 CET DST. The OCSP service has now been restored by Thawte and Verisign]
Among the sites hit by this problem are (to mention some):
- www.google.com (login to adwords, gmail, etc)
- bugs.opera.com (Opera's own bugtracking system)
What is OCSP?
OCSP is a method used to find out if a certificate is still valid, even if, according to its expiration date, it has not expired. A certificate can be revoked by the issuer if a new certificate is issued, or for example if the issuer is informed that the certificate has been compromised, e.g. the private key is stolen, in which case the thief can use the certificate to impersonate the site, or listen in on all the traffic to the site that is encrypted for that key.
Performing this check when the certificate issuer offers it means that the client can stop you from going to a site with a possibly stolen certificate, or a site that has managed to get a certificate despite not being entitled to get one (e.g. a phishing site).
Why don't Firefox or MSIE have this problem?
They would have the same problem as Opera IF they had performed the same security check Opera does. They both have the capability, but have not enabled it by default. It is possible for users to enable it in the advanced security preferences of those browsers.
AFAIK, MS Windows Vista will enable OCSP by default.
Why are there so many problems with this?
Active use of OCSP is relatively new, and the CAs have been encountering a number of problems with integrating OCSP with their existing systems, resulting in a number of glitches. These glitches have previously only hit very specific categories of certificates, usually only brand new certificates.
Today's event is maybe the second time we have seen a glitch affect possibly the entire list of sites, and the previous case concerned another, smaller CA.
Why doesn't this affect Opera versions prior to 8.52?
In 8.52 we introduced a stricter handling of OCSP errors, it is currently on the same strictness level as in Firefox. Some 9.0 TP releases also had the same strict handling, but provided a bit more information in the error message.
In more recent 9.0 builds, we have moderated the error handling. Errors that do not mean the certificate was revoked will now only result in a reduction in the security level from 3 to 2 (usually). It is not possible to back-merge these changes to 8.x without serious UI and language code updates.
Can I turn it off?
Yes, although I would not recommend doing that for longer periods.
Add this in your opera6.ini file (while Opera is shut down):
[Security Prefs]
OCSP Validate Certificates=0
What does the "810" error code mean?
"810" is an Opera-internal extension to the SSL/TLS error codes, used to distinguish specific SSL/TLS errors from the more general ones, while still being able to send the proper error code to the server.
810 is the same as 3*256+42 (Hexadecimal 0x32a).
Code 42 is the SSL/TLS error code for "Bad Certificate", and this is what Opera will send to the server. It is the error code that best fits the situation.
The "3" part just means it is the third special code for this kind of certificate error that we have created.
Yngve N. Pettersen
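The post above describes three distinct outcomes a client has to tell apart: a definite "revoked" (must refuse), a definite "good", and everything else (responder down, "tryLater", "unauthorized", garbage or a timeout), which the 9.0 TP builds treat as a downgrade from security level 3 to 2 rather than an error. The following is an added example, not Opera's code: a minimal DER walker that extracts the certificate status for one serial number from an RFC 6960 OCSPResponse, plus the two policies (8.52-strict and 9.0 TP-moderated) as a function. The serial number, the responder hashes, the dummy signature and the sample responses are all constructed here for illustration; the parser deliberately does not verify the responder signature, which a real client must do.

```python
"""OCSP response triage: 'full security', 'downgrade' or 'refuse' from a DER OCSPResponse."""
import http.client
import urllib.request

# X.690 universal tags and the one OID the parser must recognise.
SEQUENCE, INTEGER, OID, OCTET_STRING, NULL = 0x30, 0x02, 0x06, 0x04, 0x05
ENUMERATED, BIT_STRING, GENERALIZED_TIME = 0x0A, 0x03, 0x18
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # id-pkix-ocsp-basic 1.3.6.1.5.5.7.48.1.1
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}   # RFC 6960 4.2.1
LEVEL_FULL, LEVEL_REDUCED, REFUSE = 3, 2, 0


def der_len(n):
    """DER length octets: short form below 128, else 0x80|count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Contents of a positive INTEGER, with a leading 0x00 when the top bit is set."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def parse_tlv(buf, pos=0):
    """Return (tag, contents, next_pos). Single-byte tags only, which is all OCSP uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, contents, pos = parse_tlv(body, pos)
        out.append((tag, contents))
    return out


def ocsp_cert_status(der, serial):
    """'good' | 'revoked' | 'unknown' | 'unavailable:<why>' for one serial number.
    Does NOT verify the responder signature: a verifying client must, or anyone on
    the path could answer 'good' for a certificate whose key has been stolen."""
    try:
        fields = children(parse_tlv(der)[1])                      # OCSPResponse
        status = fields[0][1][0]                                  # responseStatus ENUMERATED
        if status != 0:
            return "unavailable:" + RESPONSE_STATUS.get(status, str(status))
        (_, response_bytes), = children(fields[1][1])             # [0] EXPLICIT ResponseBytes
        (_, rtype), (_, rdata) = children(response_bytes)         # responseType, response
        if rtype != OID_OCSP_BASIC:
            return "unavailable:unsupportedResponseType"
        basic = children(parse_tlv(rdata)[1])                     # BasicOCSPResponse
        tbs = children(basic[0][1])                               # ResponseData
        if tbs[0][0] == 0xA0:                                     # optional version [0]
            tbs = tbs[1:]
        for _, single in children(tbs[2][1]):                     # SEQUENCE OF SingleResponse
            (_, cert_id), (status_tag, _) = children(single)[:2]
            if int.from_bytes(children(cert_id)[3][1], "big", signed=True) != serial:
                continue
            # CertStatus: good [0] IMPLICIT NULL, revoked [1] IMPLICIT RevokedInfo, unknown [2]
            return {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}.get(
                status_tag, "unavailable:badCertStatus")
        return "unavailable:noMatchingSingleResponse"
    except (IndexError, ValueError):
        return "unavailable:malformed"


def security_decision(status, strict=False):
    """Only a definite 'revoked' must block the connection. strict=True models 8.52
    (any OCSP failure is an error, shown as code 810); strict=False models the 9.0 TP
    builds, where other failures just drop the security level from 3 to 2."""
    if status == "good":
        return LEVEL_FULL
    if status == "revoked":
        return REFUSE
    return REFUSE if strict else LEVEL_REDUCED


def fetch_ocsp(url, request_der, timeout=15.0):
    """POST a DER OCSPRequest (RFC 6960 Appendix A). Any transport failure, the timeout
    included, comes back as None so the caller treats it as 'unavailable', not 'revoked'."""
    req = urllib.request.Request(url, data=request_der,
                                 headers={"Content-Type": "application/ocsp-request"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except (OSError, http.client.HTTPException):   # URLError and socket.timeout are OSErrors
        return None


def sample_response(cert_status_tlv, serial):
    """Constructed test vector: a BasicOCSPResponse carrying a dummy, unverifiable signature."""
    sha1 = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2b0e03021a")) + tlv(NULL, b""))  # id-sha1
    cert_id = tlv(SEQUENCE, sha1 + tlv(OCTET_STRING, b"\x11" * 20)
                  + tlv(OCTET_STRING, b"\x22" * 20) + tlv(INTEGER, der_int(serial)))
    single = tlv(SEQUENCE, cert_id + cert_status_tlv + tlv(GENERALIZED_TIME, b"20060331120000Z"))
    response_data = tlv(SEQUENCE, tlv(0xA2, tlv(OCTET_STRING, b"\x22" * 20))  # responderID byKey
                        + tlv(GENERALIZED_TIME, b"20060331120000Z") + tlv(SEQUENCE, single))
    sig_alg = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2a864886f70d010105")) + tlv(NULL, b""))
    basic = tlv(SEQUENCE, response_data + sig_alg + tlv(BIT_STRING, b"\x00" * 17))
    return tlv(SEQUENCE, tlv(ENUMERATED, b"\x00")
               + tlv(0xA0, tlv(SEQUENCE, tlv(OID, OID_OCSP_BASIC) + tlv(OCTET_STRING, basic))))


SERIAL = 0x1A2B3C                                   # assumed serial for the constructed samples
SAMPLES = {                                          # all constructed, not captured traffic
    "good": sample_response(tlv(0x80, b""), SERIAL),
    "revoked": sample_response(tlv(0xA1, tlv(GENERALIZED_TIME, b"20060330090000Z")), SERIAL),
    "unknown": sample_response(tlv(0x82, b""), SERIAL),
    "tryLater": tlv(SEQUENCE, tlv(ENUMERATED, b"\x03")),      # overloaded responder
    "unauthorized": tlv(SEQUENCE, tlv(ENUMERATED, b"\x06")),  # responder does not know the cert
    "http_error_page": b"<html>503 Service Unavailable</html>",
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        st = ocsp_cert_status(der, SERIAL)
        print(f"{name:16} {st:38} 8.52:{security_decision(st, True)} 9.0TP:{security_decision(st)}")
```

Running it shows the difference the post describes: in the strict model everything except "good" ends in a refusal, whereas the moderated model only refuses on "revoked" and downgrades on "tryLater", "unauthorized", "unknown" and unparsable responses. The one thing neither policy can excuse is a missing signature check, which is why the parser above is a parser and not a validator.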
2. April 2006, 00:32:22 (edited)
It does seem like Thawte has taken their OCSP responder completely offline, possibly for maintenance. Not really surprising after Friday's events. I expect it will be back up in a day or two. [Edit: It is back up again.]
That does, however, cause a 15 second delay until Opera's SSL stack decides to give up trying to get an OCSP-response, and then continues the SSL negotiation. After about 25-30 seconds the login page has been loaded.
Yngve N. Pettersen
Originally posted by yngve:
There have been known problems with the Online Certificate validation (OCSP) systems of both Starfield (safe-mail's CA) and Thawte in recent weeks. E-gold is using Verisign as their CA, where we have not heard about any problems recently. The Starfield problem I have been told was a temporary problem, and should no longer be present.
OCSP problems are still present. OCSP strikes again, March 31st, 2006. Even advanced users are frustrated. Do you think about innocent lamers? Yngve, maybe it's time to add a button managing security options (like IE - with predefined levels of security - always accessible and simple to use for everybody). Today it is possible by complicated procedures.
Originally posted by yngve:
ahristov: On which sites?
As I said above, 9.0 TP now only downgrades the security level in case of an OCSP failure. But: If a certificate has been revoked, both Opera 8 and 9 will (and must) refuse to access the site.
I've used Opera 8.52 for all my "secure" browsing. Now I had to switch to 9.0 TP, and it's fine with me. BUT is this "security downgrade" when encountering a problem making Opera still as secure as I thought it is? And is using Opera 9.0 TP (which gives me some trouble using a bank account, a JScript problem*) more secure than switching to "OCSP Validate Certificates=0"? What should I choose to browse securely, and not encounter JScript problems?
*I don't mean JS in Opera is screwed, I only mean my bank site is probably screwed
OCSP Validate Certificates=0
This worked for me.
But some comments
It is only this week (May 2) that I could not log into https servers
The servers were major companies
I use Win 98 (SE) and Opera 8.53
I'm inclined to think something else is at work here (some setting inadvertently changed) since I didn't have this problem earlier.
But if this is a OCSP problem there needs to be an easier way to turn it off and Opera should highlight the problem in its HTTP error 810 page explanation.
Are you familiar with beta v 9.0? I downloaded 9.0 prepared to install it over 8.54. The install screen gives you the option to "Upgrade" or "Separate Install". I wanted to "upgrade" (over 8.54 I assume) but Opera points me to a new directory - not where my 8.54 is currently installed - and DOES NOT give me the opportunity to change/correct the directory name. I didn't stick around long enough to figure out the difference between the two options. I'm not savvy enough about Opera to start fooling around with Opera installations.
I did bring back 8.52 but, as you said, it didn't affect my security error problem. <sigh> IE ?? No way! Will try Firefox.
Originally posted by glandau:
I downloaded 9.0 prepared to install it over 8.54.
Opera 9 is a beta version and beta versions should not be installed over existing installations as that will just cause more problems.
Make a clean install of Opera 9 and import your settings afterwards.
11. May 2006, 10:52:40 (edited)
OK - for the last 2 days I've been getting the dreaded 810 error when logging into hotmail and also when trying to buy tickets from Ryanair.co.uk. These sites worked perfectly before - and they work fine with IE.
I tried adding "OCSP Validate Certificates=0" to "profile/opera6.ini" and restarted - but it made no difference.
I'm running Opera 8.52. Any suggestions please? Thanks for your help.
EDIT: Oops: I missed the [Security Prefs] line - now it works OK - thanks!!!
PS. This is a major problem for novice users like me - you might want to come up with an easier fix