Getting around "Secure Connection Failed Peer's
Certificate has been revoked. (Error code:
sec_error_revoked_certificate)"
with Firefox
One of the SSL secured websites (https://) which I have recently
accessed couldn't be opened with an error message showing up:
Secure Connection Failed
An error occurred during a connection to www.domain.com.
Peer's Certificate has been revoked.
(Error code: sec_error_revoked_certificate)
* The page you are trying to view can not be shown because the
authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this
problem. Alternatively, use the command found in the help menu to
report this broken site.
That error caught my attention, so I dug further into what the
message means. Here is what I found online as an explanation of
what certificate revocation is.
What is an SSL Certificate revocation
Revocation of a certificate means that the Certificate Authority
(CA) that issued the certificate for a website has decided that
the certificate is no longer valid, even if it has not
expired.
The information about revocation can be distributed in two ways:
Certificate Revocation Lists (CRLs), or by using the Online
Certificate Status Protocol (OCSP).
CRLs are (usually) large files that contain a list with information
about all the currently active (unexpired) certificates that are
no longer valid. This file has to be downloaded from the CA by the
client at regular intervals (usually at least a week apart), and
may be quite large.
OCSP, on the other hand, means that the client asks the CA "Is this
particular certificate still valid?", and the server responds "Yes"
or "No". This method can usually be fairly well up to date, meaning
the information is at most a few days old, as opposed to at least a
week for CRLs.
All the major browsers support OCSP, but some (like Opera) do not
currently support CRLs.
By this time most of the modern browsers (Firefox, Chrome, Opera
and Internet Explorer) do support revocation lists, and all of the
aforementioned have at least OCSP enabled by default.
Why an SSL revocation error might occur:
A CA can revoke a certificate due to a number of reasons:
- A new certificate has been issued to the website, meaning the old
one is not going to be used anymore.
- The website with the certificate is being used for purposes that
are not accepted by the CA.
- The certificate was issued based on incorrect information.
- The owner is no longer able to use the private key associated
with the certificate, for example the password is lost, the key
storage was destroyed somehow, etc.
- The private key has been compromised or stolen, which means
traffic to the site is no longer secure.
- The certificate and key have been stolen and are actually being
used for fraud while posing as a legitimate website ...
Now, after all of the above, the error:
Secure Connection Failed Peer's Certificate has been
revoked. (Error code:
sec_error_revoked_certificate)
is a sure indicator that the website with the certificate
problem is one you should not trust for money transactions or
for any operation that directly involves your personal
private data.
However, as there are still websites which use SSL encryption and
are entertainment websites or just news websites, sometimes
getting around the SSL revocation issue to check such a website is a
necessity.
Therefore, to open a website that has an SSL certificate revocation
issue in Firefox 3.5 / Iceweasel, you need to do the following:
Edit -> Preferences -> Advanced -> Encryption -> Validation
After you see the Certificate Validation screen remove the tick set
on:
Use the Online Certificate Status Protocol (OCSP) to confirm
the current validity of certificates
Now refresh the website and you will skip the certificate
revocation issue error and the webpage will open up.
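Note that even though this will work, it's not recommended to use
this workaround! The setting is global: with the tick removed,
Firefox stops using OCSP for every site, not only the one you
wanted to open.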
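Since the tick is easy to forget once the page has loaded, a small audit can find Firefox profiles where OCSP checking is still switched off. This is an added example, not part of the original post; it assumes the checkbox is stored in the profile's prefs.js as the `security.OCSP.enabled` preference (0 = off) and that profiles live under `~/.mozilla/firefox`, and the sample preference text is constructed.

```python
import re
from pathlib import Path

# Matches one preference line of a Firefox prefs.js / user.js file, e.g.
#   user_pref("security.OCSP.enabled", 0);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Assumption: the OCSP checkbox is stored under this preference name,
# where the value 0 means OCSP checking is switched off.
OCSP_PREF = "security.OCSP.enabled"


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def ocsp_disabled(text):
    """True only if the preferences explicitly switch OCSP checking off."""
    # A missing entry means the browser default (OCSP enabled) applies.
    return parse_prefs(text).get(OCSP_PREF) == "0"


def audit_profiles(root):
    """Yield prefs.js paths under `root` whose profile has OCSP switched off."""
    for prefs_file in Path(root).expanduser().glob("*/prefs.js"):
        if ocsp_disabled(prefs_file.read_text(errors="replace")):
            yield prefs_file


# Constructed sample input (not taken from a real profile).
SAMPLE_WORKAROUND = (
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("security.OCSP.enabled", 0);\n'
)
SAMPLE_DEFAULT = 'user_pref("browser.startup.homepage", "about:blank");\n'

if __name__ == "__main__":
    print("workaround still active:", ocsp_disabled(SAMPLE_WORKAROUND))
    print("default profile flagged:", ocsp_disabled(SAMPLE_DEFAULT))
    for path in audit_profiles("~/.mozilla/firefox"):
        print("OCSP disabled in", path)
```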