0

Our exchange web access is secured by an SSL certificate. When I try to visit the web access in FireFox (v2 and v3.5), I get:

Secure Connection Failed       

An error occurred during a connection to www.example.net.au.

Peer's Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

When I view the site in IE, it loads just fine, without any errors or warnings. When I view the certificate I see that it doesn't expire until 2010 and the certification path goes back to thawte.

I've seen revoked certificates in IE before and it usually flat out denies access to the site. What could cause FireFox to have a hernia about it, but IE does not detect anything wrong?

(Please, no flaming about choice of browser)

Mark Henderson

4 Answers

3

Go to the site, and look at the certificate properties and see if it includes the URL where the CA publishes their certificate revocation lists. Retrieve that list and see if the certificate is listed.

What version of IE are you running? In older versions CRLs were not checked, I forget what version Microsoft added CRL support in. I think you can disable CRL checking in IE, which makes me wonder if CRL checking is disabled on your system.

Zoredache
3

There are two mechanisms that control certificate validation. CRLs are one way, but OCSP is often more convenient because it can be used in real time. One possible explanation for your Firefox problem is that it had been configured to reject certificates it cannot confirm as non-revoked (whereas IE is not as strict).

I suggest that you check your certificate on the SSL Labs web site -- https://www.ssllabs.com/ssldb/. It should give you more information about your certificate status (in addition to performing a detailed security assessment of your SSL server). If that does not help, feel free to write to me privately (I run SSL Labs, so you'll find my contact details on the Contact page) and I'll help you resolve the matter.

Ivan Ristic
    I tried this out today, very useful tool! My question is, under "Revoked" status it says "Unchecked (only trusted certificates are checked)" however next to Trusted it says "Yes", so unfortunately it hasn't given me any more information than I already had! – Mark Henderson Aug 15 '09 at 23:17
2

Well, a "revoked certificate" means that it is on some certificate revocation list (CRL). Maybe FF and IE use different lists?

In Firefox, the revocation lists are configured under Preferences/Advanced/Encryption/Revocation lists. Unfortunately I do not have IE handy here, but I believe CRLs are configured somewhere under security.

In my standard FF install, no revocation lists are configured, so maybe you have a customized install?

sleske
1

I found the issue. I don't know why the certificate has been revoked, but it has been added to our local CA and set as trusted. FireFox must not be referencing our local CA for certificates, but IE is.

Mark Henderson