Posts Tagged ‘crls’

Getting around “Secure Connection Failed Peer’s, Certificate has been revoked., (Error code: sec_error_revoked_certificate)

Friday, April 8th, 2011

Certificate has been revoked, sec_error_revoked_certificate screenshot

One of the SSL secured websites (https://) which I have recently accessed couldn’t be opened with an error message showing up:

Secure Connection Failed

An error occurred during a connection to www.domain.com.

Peer’s Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

* The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

That error catched my attention so I digged further in what the message means. Here is what I found as an explanation to what is certificate revocation online

What is a SSL Certificate revocation

Revocation of a certificate means that the Certificate Authority (CA) that issuer of the certificate for a website have decided that the certificate is no longer valid, even if it has not expired.

The information about revocation can be distributed in two ways: Certificate Revocation Lists (CRLs), or by using the Online Certificate Status Protocol (OCSP).

CRLs are (usually) large files that contain a list with information about all the currentely active (unexpired) certificates that are no longer valid. This file has to be downloaded from the CA by the client at regular intervals (usually at least a week apart), and may be quite large.

OCSP, on the other hand, means that the client asks the CA “Is this particular certificate still valid?”, and the server responds “Yes” or “No”. This method can usually be fairly well up to date, meaning the information is at most a few days old, as opposed to at least a week for CRLs.

All the major browsers support OCSP, but some (like Opera) does not currently support CRLs.

By this time most of the modern browsers (Firefox, Chrome, Opera and Internet explorer does support revocation lists and all of the aforementioned hsa enabled at least OCSP by default.

Why SSL revocation error might occur:

A CA can revoke a certificate due to a number of reasons:

– A new certificate has been issued to the website, meaning the old one is not going to be used anymore.
– The website with the certificate is being used for purposes that are not accepted by the CA.
– The certificate was issued based on incorrect information.
– The owner is no longer able to use the private key associated with the certificate, for example the password is lost, the key storage was destroyed somehow, etc.
– The private key has been compromised or stolen, which means traffic to the site is no longer secure.
– The certificate and key have been stolen and is actually being used for fraud while posing as a legitimate website …

Now after all above being said the error:

Secure Connection Failed Peer's, Certificate has been revoked., (Error code: sec_error_revoked_certificate)

is a sure indicator that the website which had the certificate problem as a one you could not trust to make money transactions or do any operation that has a direct relation to your personal private date.

However as there are still websites which use an SSL encryption and are entertainment websites or just a news websites, sometimes getting around the ssl revocation issue to check this website is a necessity.

Therefore to enable your Firefox 3.5 / Iceweasel browser with a website which has ssl certificate revocation issue you need to do the following:

Edit -> Preferences -> Advanced -> Encryption -> Validation

After you see the Certificate Validation screen remove the tick set on:

Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates

Now refresh the website and you will skip the certificate revocation issue error and the webpage will open up.
Note that even though this will work, it’s not recommended to use this work around!