Error trying to access DFAF in Firefox

[Anemone]

Earlier tonight I was trying to connect to DFAF in Firefox and kept getting this error:

I tried completely clearing my cache and restarting the browser, but I kept getting this error. Switching to Chrome allowed me to access the forum just fine.

Any internet savvy folks have any ideas?

[Spaff]

I'd be interested in hearing from some techy folks too - in the mean time I'll reach out to ipboard support

[Anemone]

If it's any help, I did try to connect via firefox again about two hours later and it worked just fine. Not sure what the initial issue was, though.

[flesk]

I'm not an expert on OCSP, but to me it looks like Firefox had trouble connecting to the certificate authority's servers, and not this site, though that lead to it not being able to verify the authenticity of the certificate used here. Browsers cache certificates, so that's one reason why it might be working in one browser but not another. If it's still an issue, you could try to follow the instructions here to refresh Firefox:

https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings

[Anemone]

6 hours ago, flesk said:

I'm not an expert on OCSP, but to me it looks like Firefox had trouble connecting to the certificate authority's servers, and not this site, though that lead to it not being able to verify the authenticity of the certificate used here. Browsers cache certificates, so that's one reason why it might be working in one browser but not another. If it's still an issue, you could try to follow the instructions here to refresh Firefox:

https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings

It's working now. Whatever the issue was went away on its own after about two hours. I had tried trying clearing the cache, cookies, temp data, etc etc and that didn't work. I wouldn't want to refresh firefox just to solve it since that would remove all of my add-ons and such. If it happens again, I'll just switch browsers until it blows over, but just reporting it b/c it seemed like a weird thing to happen. I was talking to a few other DFAFers at the time about it and nobody else was having the problem, so it was probably local to my browser somehow. It's just not a browser problem I've encountered before.

Edited September 30, 2016 by AnAnemoneInAnonymity

[Cengared]

I've been getting this issue all day with Firefox. On Chrome now, and it's working fine there.

[Feddlefew]

This is the first time I've been able to get on today. I've been trying periodically since 10:30am eastern US time.

[flesk]

I was having problems connecting last night too, but not because of the issue mentioned in the first post. The server was just taking ages to respond and often timed out. Not sure what the reason was. 

[Cengared]

Just to mention that this site is working through Firefox again for me.

[Feddlefew]

I'm having intermittent site issues again.

[Anemone]

Just experienced this issue again. Once again works fine in chrome.

[Cengared]

Same here. Done a little bit of research into it and it seems to have something to do with Firefox's OCSP related feature. I don't fully understand it myself but here's what I got from a Mozilla support page (https://support.mozilla.org/en-US/questions/1120024):

Quote

 

There is something wrong with the server's configuration. If you disable one of Firefox's OCSP-related features, you can access the page.

OCSP is a method to check whether a certificate has been revoked after issuance and before the certificate's normal expiration -- certificates are sometimes issued by mistake. In addition to the traditional method of reading the certificate and sending a request to the issuer, Firefox supports a method called "stapling" which allows the server to send a confirmation of validity itself. This saves a little time in checking the certificate because Firefox doesn't have to check with the issuer. But some sites do not work with stapling on due to a server configuration error.

As a temporary workaround, you can set Firefox not to use stapling:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_stapling preference to switch it from true to false

You will need to reload the problem page (possibly bypassing the cache using Ctrl+Shift+r).

If you don't need to visit this site often, I suggest switching stapling back after this visit.

If you prefer to keep stapling enabled, you can visit the site in Google Chrome. Chrome doesn't do OCSP checks.

 

 

[shae]

Same problem. Both in Opera and FF (both old versions). Works in Chrome and IE. I disabled OCSP validation in Opera to make it work.

Maybe add an option to avoid HTTPS in the forums? I know it's the trendy thing to do, but often it's trouble for nothing. I couldn't care less about someone tapping my forum connection.

 

Edited November 11, 2016 by shae

[Anemone]

8 hours ago, shae said:

Same problem. Both in Opera and FF (both old versions). Works in Chrome and IE. I disabled OCSP validation in Opera to make it work.

Maybe add an option to avoid HTTPS in the forums? I know it's the trendy thing to do, but often it's trouble for nothing. I couldn't care less about someone tapping my forum connection.

 

Initially this version of the forum didn't have HTTPS and then some users were giving DF flack about it.

[nmalinoski]

21 hours ago, shae said:

Maybe add an option to avoid HTTPS in the forums? I know it's the trendy thing to do, but often it's trouble for nothing. I couldn't care less about someone tapping my forum connection.

HTTPS isn't trendy; is a necessity. It's intended to protect data in transit from eavesdropping and manipulation. You may not care if your account credentials are flung across the internet in plain text, or if middlemen can see everything you're requesting and receiving; but some people need [or at least want] that privacy, and the rest of us will certainly care if someone eavesdropping on your connection gets your credentials and starts spamming the forums.

The access problem people are experiencing might be caused by time skew between the clients and the server, or the certificate authority is unreliable, or OCSP is misconfigured on the web server. Personally, I haven't hit the OCSP error in my browser since it was first reported.

[shae]

I suggest an additional HTTPS-less login page, then a user setting to choose between with or without.

Although I don't see a point in having HTTPS when reading the forums (even if you're not logged in), for that I suggest an override link at the bottom of the page, or something, that stores the setting as a cookie. 

It is trendy because it's starting to invade the whole of the web including read-only or account-less pages.


 

 

Edited November 12, 2016 by shae