[tor-bugs] #3754 [TorBrowserButton]: SafeCache implementation breaks OCSP validation

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Aug 18 07:37:38 UTC 2011

#3754: SafeCache implementation breaks OCSP validation
 Reporter:  gk                |          Owner:  mikeperry     
     Type:  defect            |         Status:  new           
 Priority:  major             |      Milestone:                
Component:  TorBrowserButton  |        Version:  Torbutton: 1.4
 Keywords:                    |         Parent:                
   Points:                    |   Actualpoints:                
 If one configures Firefox to fail hard when an error occurs while
 validating certificates using OCSP, the SafeCache implementation leads to
 failures that do not exist without it. Steps to reproduce:

 1) Configure Firefox properly (check "Use the Online Certificate Status
 Protocol (OCSP) to confirm the current validity of certificates"; use
 "Validate all certificates using the following OCSP Server" and take the
 first one (in my case: https://rca.e-szigno.hu/ocsp); check "When an OCSP
 connection fails, treat the certificate as invalid").

 2) Restart Firefox and surf to e.g.
 https://anonymous-proxy-servers.net/forum/. If that does not already break
 the validation, then open https://ssl.scoogle.org in a second tab and it
 always breaks.

 3) Do the same without Torbutton installed and it works fine.

 The problematic code is (for whatever reason, I am currently debugging it
 as JonDoFox is affected as well):

 if(!this.readCacheKey(channel.cacheKey)) {
   this.setCacheKey(channel, channel.URI.host);
 } else {
   SSC_dump("Existing cache key detected; leaving it unchanged.");
 }

 If you comment out that code, everything works fine in Torbutton again.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3754>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
