[tor-talk] Let's Encrypt Certificate Upgrade Blocks Tor. MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

Drew at FoundingDocuments.org
Thu Jun 13 06:12:37 UTC 2019


> Old Subject Line: 
> Re: [tor-talk] Let's Encrypt Certificate Upgrade Blocks Tor. MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
> 
> New: 
> Re: [tor-talk] Tor (Firefox) Blocked by GoDaddy Lack of OCSP Response.

You may laugh now. :-)

$ openssl s_client -connect FoundingDocuments.org:443 -servername FoundingDocuments.org -tlsextdebug -status

In reading the output from the above command, there is an “OCSP response: no response sent” line which is probably raising the error in Firefox.  There ought to be a short chunk of text here, the response. It seems Safari and Chrome somehow deal with this omission. Firefox and Tor Browser don’t like it. 

The GD host doesn’t offer this to me although it’s been available in Apache for many versions, and they won’t let me turn it on; oh well. I hope it’s no great loss. 

Anyway, it looks like the best thing for protecting surfers who might be man-in-the-middled is certbot’s --hsts option to “[] Defend against SSL Stripping.” Hopefully this proves useful to someone searching around in the future. (It’s not clear to me why having this feature off is the default. And my guess is with https .onion addresses, as long as one is using Tor Browser—versus Tor as a LAN proxy for example—one doesn’t have to worry about SSL stripping since the entirety of the traffic is in the Tor cloud and not proxied.)

And of course I look forward to the day when LE issues Domain Validation certificates for .onion addresses. I think this may mean a 3rd kind of onion icon in the address bar. 
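The openssl one-liner above answers only half of the question. MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING is raised by Firefox (and so by Tor Browser) when the leaf certificate carries the RFC 7633 TLS Feature extension ("status_request", OCSP Must-Staple, the extension certbot adds with --must-staple) and the server sends no OCSP staple; a missing staple on a certificate without that extension is only a soft failure. The script below is an added example, not part of the original post and not code from GoDaddy, Let's Encrypt or certbot. It wraps the live probe in a function and, separately, classifies the captured openssl text, so the classifier can be exercised offline on the constructed transcripts embedded in it. It assumes openssl is on PATH for the live probe and that the openssl build prints the extension either by name ("TLS Feature:") or by OID (1.3.6.1.5.5.7.1.24).

```shell
#!/bin/sh
# Added example: not from the original post, GoDaddy, Let's Encrypt or certbot.
# Turns the one-off "openssl s_client -status" look into a repeatable check that
# answers the two questions behind MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING:
#   1. does the leaf certificate carry the RFC 7633 TLS Feature extension
#      (status_request, "OCSP Must-Staple", what certbot adds with --must-staple)?
#   2. did the server actually staple an OCSP response in the handshake?
# Firefox/Tor Browser hard-fail when 1 is yes and 2 is no; without the extension a
# missing staple is only a soft failure.
# Assumptions: openssl on PATH for the live probe (needs network); classify() needs
# only grep and is exercised below on constructed transcripts.

# Live probe: prints the s_client -status transcript followed by the decoded leaf
# certificate. That combined text is what classify() expects on stdin.
probe_site() {
    host="$1"
    raw=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" \
          -status 2>/dev/null)
    printf '%s\n' "$raw"
    # openssl x509 decodes the first PEM block in its input (the leaf certificate)
    # and ignores the rest of the transcript.
    printf '%s\n' "$raw" | openssl x509 -noout -text 2>/dev/null
}

# Classify a probe transcript read on stdin. Prints exactly one word:
#   hard-fail   Must-Staple certificate, no staple: Firefox/Tor Browser refuse the site
#   soft-fail   no staple, no Must-Staple: browsers fall back to their own revocation checks
#   ok          a stapled OCSP response with status "successful" was delivered
#   bad-staple  a staple was sent but its status is not "successful"
#   unknown     no OCSP status line found (handshake failed or output not from -status)
classify() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'OCSP Response Status: successful'; then
        staple=yes
    elif printf '%s\n' "$transcript" | grep -q 'OCSP Response Status:'; then
        echo bad-staple
        return 0
    elif printf '%s\n' "$transcript" | grep -q 'OCSP response: no response sent'; then
        staple=no
    else
        echo unknown
        return 0
    fi
    # openssl >= 1.1.0 prints the extension by name; older builds print only its OID.
    if printf '%s\n' "$transcript" | grep -q -E 'TLS Feature:|1\.3\.6\.1\.5\.5\.7\.1\.24'; then
        must_staple=yes
    else
        must_staple=no
    fi
    if [ "$staple" = yes ]; then
        echo ok
    elif [ "$must_staple" = yes ]; then
        echo hard-fail
    else
        echo soft-fail
    fi
}

# Constructed transcripts (not captured from any real server), trimmed to the lines
# classify() inspects. The first mirrors the symptom in the post: no staple sent,
# certificate marked Must-Staple.
SAMPLE_MUST_STAPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
Certificate:
    Data:
        X509v3 extensions:
            TLS Feature:
                status_request'
SAMPLE_PLAIN_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE'
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
Certificate:
    Data:
        X509v3 extensions:
            TLS Feature:
                status_request'

# Stand-alone run: with a hostname argument probe that server live; otherwise
# classify the constructed transcripts so the script also works offline.
if [ $# -gt 0 ]; then
    probe_site "$1" | classify
else
    for name in SAMPLE_MUST_STAPLE_NO_STAPLE SAMPLE_PLAIN_NO_STAPLE SAMPLE_STAPLED; do
        eval "text=\$$name"
        printf '%-28s %s\n' "$name" "$(printf '%s\n' "$text" | classify)"
    done
fi
```

Run it as `sh ocsp_check.sh example.org` to probe a live server, or with no arguments to see the three constructed cases classified. A "hard-fail" verdict has two server-side remedies: enable stapling in Apache (`SSLUseStapling on` together with an `SSLStaplingCache` directive, which is what the post says the shared host will not switch on), or re-issue the certificate without the Must-Staple extension (certbot without --must-staple), which turns the Firefox hard failure into the soft failure the other browsers already show.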

