www.dijnet.hu shown as unencrypted and unsecure - OCSP error
Hello,
Opera seems to have a problem with https://www.dijnet.hu website. The globe icon stays grey, clicking on it says "Unencrypted connection", clicking on Details shows "Site not secure... snip ... Unable to verify the website's identity (OCSP error)" message. This happens with Opera 11.64 on all platforms (tested on several different computers with different operating systems).
I've installed all of the Netlock certificates and other sites using those certificates work fine. Only Dijnet has a problem in Opera. Firefox and Chrome have no problems with this site and show it as secure, even though I didn't install the Netlock certificates in those browsers(*). What's the problem in Opera? This site is used to get electronic, digitally signed invoices from all kinds of providers (ISP, electricity, water, etc.); showing it as insecure makes the user raise eyebrows.
(*) By the way, is there a way to include Netlock's certificates in Opera? They are a quasi-national certifier company in Hungary; the majority of websites and almost all government websites use their certificates. Opera shows all of these as unsecure (until one manually imports all of the certificates) because the Netlock certifier is unknown to it. Firefox and Chrome have no problems tracking back all of the certificates, validate everything and show those sites as secure by default. You can guess which is more likely for a simple user: install all of the Netlock certificates or just switch to a browser that doesn't show false warnings.
Regarding the OCSP failure, there are two possibilities: 1) Netlock's OCSP responder is down, 2) It does not accept HTTP GET requests (which it is required to by the standards).
If this is a new occurrence, or as you say, a single site, then it is most likely #1, which can happen occasionally, in which case Opera does not try again for 24 hours, unless you restart Opera. #2 requires fixing the responder by the CA; #1 might also require action by the CA.
Yngve N. Pettersen
Originally posted by yngve:
It looks like it is an OCSP-responder side problem, the responder replies with the response code "malformed request". This has to be fixed on the CA's responder (by Netlock).
Can you (Opera) discuss it with them? I have practically zero knowledge in this area, so surely you can tell them what's wrong and how it should work much better than me.
It is a permanent issue and only with this site. Other sites also certified by Netlock (e.g. www.tavszamla.hu, bet.szerencsejatek.hu, T-Mobile HU's webshop, etc.) work fine and are displayed as secure in Opera. Maybe only Dijnet's certificate (or rather the "OCSP-responder" it's using) is different and that's why only this site has the issue?
Do other browsers use a different method for the certificate check, or why does only Opera have a problem with the OCSP for this site?
Opera only uses HTTP GET for OCSP, and it reports any failure to get a valid result (blocking or reporting a failure is a possible way to get a client to permit use of a certificate that has been revoked), which several other browsers don't (that is, Opera is stricter). I notice that MSIE fell back to using the POST method (which apparently worked), but we have not coded Opera to do that.
Yngve N. Pettersen
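
The GET encoding and the "malformed request" status discussed in this thread, shown as an added Python example that is not part of any post and is not Opera's or Netlock's code. The responder URL and request bytes are constructed placeholders, and `verdict` is a hypothetical model of the GET-only and POST-fallback policies described above.

```python
import base64
from urllib.parse import quote

# OCSPResponseStatus values defined in RFC 6960, section 4.2.1
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed placeholder bytes, NOT a real OCSPRequest; chosen so the
# base64 form contains '/' and '=' and the URL-encoding step is visible.
SAMPLE_REQUEST = bytes.fromhex("3003fbfffe")
# Constructed reply: SEQUENCE { ENUMERATED 1 } = status malformedRequest
SAMPLE_MALFORMED_REPLY = bytes.fromhex("30030a0101")

def ocsp_get_url(responder_url, der_request):
    """RFC 6960 Appendix A.1: GET {url}/{url-encoded base64 of DER request}.
    (The POST form instead sends the raw DER with
    Content-Type: application/ocsp-request.)"""
    b64 = base64.b64encode(der_request).decode("ascii")
    return responder_url.rstrip("/") + "/" + quote(b64, safe="")

def ocsp_response_status(der_response):
    """Read responseStatus from OCSPResponse ::= SEQUENCE { ENUMERATED, ... }."""
    if len(der_response) < 5 or der_response[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der_response[1]
    # Skip the SEQUENCE length octets (short form, or long form 0x8n + n bytes)
    pos = 2 + ((first & 0x7F) if first & 0x80 else 0)
    if der_response[pos:pos + 2] != b"\x0a\x01":
        raise ValueError("expected one-byte ENUMERATED responseStatus")
    code = der_response[pos + 2]
    return OCSP_STATUS.get(code, "unknown(%d)" % code)

def verdict(get_status, post_status=None):
    """post_status=None models a GET-only client; otherwise POST is the fallback.
    'validate-*' means the signed response and its certStatus must still be
    checked; 'successful' alone does not mean the certificate is good."""
    if get_status == "successful":
        return "validate-response"
    if post_status == "successful":
        return "validate-response-from-post"
    return "ocsp-error"

if __name__ == "__main__":
    print(ocsp_get_url("http://ocsp.example.test/", SAMPLE_REQUEST))
    status = ocsp_response_status(SAMPLE_MALFORMED_REPLY)
    print(status, "->", verdict(status), "/", verdict(status, "successful"))
```
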