Suddenly (probably since the recent update to 99.0.1), a site I use a lot can no longer be opened; instead it shows
An error occurred during a connection to $fqdn.
Peer’s Certificate has been revoked.
Error code: SEC_ERROR_REVOKED_CERTIFICATE
Unfortunately this is an internal site, so you cannot verify this yourselves, but it has a valid certificate from "Issuer: C=BM; O=QuoVadis Limited; CN=QuoVadis Global SSL ICA G3", and it works fine with everything else on my Mac (21.3.0 Darwin Kernel Version 21.3.0: Wed Jan 5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_ARM64_T6000 arm64): Safari, Chrome, curl, you name it, no problems.
Then I got curious and found that if I create a new profile in Firefox, it works there too. Digging further, it seems that with my old profile and any combination of OCSP settings, at some point it finds the certificate in a blocklist:
Old profile, using ./firefox-bin --MOZ_LOG="certverifier:5,pipnss:4"
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 13539: SSL Cert #1]: D/certverifier OCSPCache::Get(171bacea0,"firstPartyDomain: , partitionKey: ") not in cache
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain::CheckCRLite: CRLite check returned state=2
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: no stapled OCSP response
[Parent 13539: SSL Cert #1]: D/certverifier OCSPCache::Get(171bad6f0,"firstPartyDomain: , partitionKey: ") not in cache
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 13539: Socket Thread]: D/pipnss SSLServerCertVerificationResult::Run setting NEW cert
[Parent 13539: Socket Thread]: D/pipnss [13f0861a0] nsNSSSocketInfo::NoteTimeUntilReady
[Parent 13539: Socket Thread]: D/pipnss CanFalseStartCallback [13f085fc0] ok
[Parent 13539: Socket Thread]: D/pipnss [13f085fc0] HandshakeCallback: succeeded using TLS version range (0x0301,0x0304)
[Parent 13539: Socket Thread]: D/pipnss HandshakeCallback KEEPING existing cert
[Parent 13539: Socket Thread]: D/pipnss [13f0861a0] nsNSSSocketInfo::SetHandshakeCompleted
[Parent 13539: Socket Thread]: D/pipnss [13eb96c00] starting AuthCertificateHookInternal
[Parent 13539: SSL Cert #1]: D/pipnss [13eb96c00] SSLServerCertVerificationJob::Run
[Parent 13539: SSL Cert #1]: D/certverifier Top of VerifyCert
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 13539: SSL Cert #1]: D/certverifier OCSPCache::Get(171bac650,"firstPartyDomain: , partitionKey: ") not in cache
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 13539: SSL Cert #1]: D/certverifier OCSPCache::Get(171bacea0,"firstPartyDomain: , partitionKey: ") not in cache
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain::CheckCRLite: CRLite check returned state=2
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: no stapled OCSP response
[Parent 13539: SSL Cert #1]: D/certverifier OCSPCache::Get(171bad6f0,"firstPartyDomain: , partitionKey: ") not in cache
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 13539: Socket Thread]: D/pipnss SSLServerCertVerificationResult::Run setting NEW cert
[Parent 13539: Socket Thread]: D/pipnss [13c5f2770] nsSSLIOLayerSetOptions: using TLS version range (0x0301,0x0304)
[Parent 13539: Socket Thread]: D/pipnss [13c5f2770] Socket set up
[Parent 13539: Socket Thread]: D/pipnss [13c5f2770] connecting SSL socket
[Parent 13539: Socket Thread]: E/pipnss [13c5f2770] Lower layer connect error: -5934
[Parent 13539: Socket Thread]: D/pipnss [13c6c86a0] starting AuthCertificateHook
[Parent 13539: Socket Thread]: D/pipnss [13c6c86a0] starting AuthCertificateHookInternal
[Parent 13539: SSL Cert #1]: D/pipnss [13c6c86a0] SSLServerCertVerificationJob::Run
[Parent 13539: SSL Cert #1]: D/certverifier Top of VerifyCert
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: certificate is in blocklist
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: certificate is in blocklist
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: certificate is in blocklist
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: certificate is in blocklist
In the new profile there are also some errors and a few things I don't quite understand, but it still works:
Freshly created profile, using ./firefox-bin --MOZ_LOG="certverifier:5,pipnss:4"
[Parent 13639: Socket Thread]: E/pipnss [13a70f520] Lower layer connect error: -5934
[Parent 13639: Socket Thread]: D/pipnss [13a70f8b0] starting AuthCertificateHook
[Parent 13639: Socket Thread]: D/pipnss [13a70f8b0] starting AuthCertificateHookInternal
[Parent 13639: SSL Cert #4]: D/pipnss [13a70f8b0] SSLServerCertVerificationJob::Run
[Parent 13639: SSL Cert #4]: D/certverifier Top of VerifyCert
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 13639: SSL Cert #4]: D/certverifier OCSPCache::Get(172b38ea0,"firstPartyDomain: , partitionKey: ") not in cache
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain::CheckCRLite: CRLite check returned state=2
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: no stapled OCSP response
[Parent 13639: SSL Cert #4]: D/certverifier OCSPCache::Get(172b396f0,"firstPartyDomain: , partitionKey: ") not in cache
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 13639: SSL Cert #4]: D/pipnss DoOCSPRequest to 'http://ocsp.quovadisglobal.com'
[Parent 13639: SSL Cert #4]: D/certverifier OCSPCache::Put(172b396f0, "firstPartyDomain: , partitionKey: ") added to cache
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: returning SECSuccess after OCSP request failure
[Parent 13639: Socket Thread]: D/pipnss SSLServerCertVerificationResult::Run setting NEW cert
[Parent 13639: Socket Thread]: D/pipnss [13a70f8b0] HandshakeCallback: succeeded using TLS version range (0x0303,0x0304)
[Parent 13639: Socket Thread]: D/pipnss HandshakeCallback KEEPING existing cert
[Parent 13639: Socket Thread]: D/pipnss [13a70f520] nsNSSSocketInfo::NoteTimeUntilReady
[Parent 13639: Socket Thread]: D/pipnss [13a70f520] nsNSSSocketInfo::SetHandshakeCompleted
[Parent 13639: Socket Thread]: D/pipnss [1280bde10] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag
[Parent 13639: Socket Thread]: D/pipnss [1280bde10] nsSSLIOLayerSetOptions: using TLS version range (0x0303,0x0303)
[Parent 13639: Socket Thread]: D/pipnss [1280bde10] Socket set up
[Parent 13639: Socket Thread]: D/pipnss [1280bde10] connecting SSL socket
[Parent 13639: Socket Thread]: E/pipnss [1280bde10] Lower layer connect error: -5934
[Parent 13639: Socket Thread]: D/pipnss [128309030] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag
[Parent 13639: Socket Thread]: D/pipnss [128309030] nsSSLIOLayerSetOptions: using TLS version range (0x0303,0x0303)
[Parent 13639: Socket Thread]: D/pipnss [128309030] Socket set up
[Parent 13639: Socket Thread]: D/pipnss [128309030] connecting SSL socket
[Parent 13639: Socket Thread]: E/pipnss [128309030] Lower layer connect error: -5934
[Parent 13639: Socket Thread]: D/pipnss [139ebc100] Shutting down socket
[Parent 13639: Socket Thread]: D/pipnss [138c0ed10] Shutting down socket
[Parent 13639: Socket Thread]: D/pipnss [139ebdde0] Shutting down socket
[Parent 13639: Socket Thread]: D/pipnss [139ebd9c0] Shutting down socket
[Parent 13639: Socket Thread]: D/pipnss [1283096c0] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag
[Parent 13639: Socket Thread]: D/pipnss [1283096c0] nsSSLIOLayerSetOptions: using TLS version range (0x0303,0x0303)
[Parent 13639: Socket Thread]: D/pipnss [1283096c0] Socket set up
[Parent 13639: Socket Thread]: D/pipnss [1283096c0] connecting SSL socket
[Parent 13639: Socket Thread]: E/pipnss [1283096c0] Lower layer connect error: -5934
[Parent 13639: Socket Thread]: D/pipnss [109b6af50] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag
[Parent 13639: Socket Thread]: D/pipnss [109b6af50] nsSSLIOLayerSetOptions: using TLS version range (0x0303,0x0303)
[Parent 13639: Socket Thread]: D/pipnss [109b6af50] Socket set up
[Parent 13639: Socket Thread]: D/pipnss [109b6af50] connecting SSL socket
[Parent 13639: Socket Thread]: E/pipnss [109b6af50] Lower layer connect error: -5934
[Parent 13639: Socket Thread]: D/pipnss [12830a2f0] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag
[Parent 13639: Socket Thread]: D/pipnss [12830a2f0] nsSSLIOLayerSetOptions: using TLS version range (0x0303,0x0303)
[Parent 13639: Socket Thread]: D/pipnss [12830a2f0] Socket set up
[Parent 13639: Socket Thread]: D/pipnss [12830a2f0] connecting SSL socket
[Parent 13639: Socket Thread]: E/pipnss [12830a2f0] Lower layer connect error: -5934
[Parent 13639: Socket Thread]: D/pipnss [1283097e0] HandshakeCallback: succeeded using TLS version range (0x0303,0x0303)
[Parent 13639: Socket Thread]: D/pipnss [109b6af50] nsNSSSocketInfo::NoteTimeUntilReady
[Parent 13639: Socket Thread]: D/pipnss [109b6af50] nsNSSSocketInfo::SetHandshakeCompleted
[Parent 13639: Socket Thread]: D/pipnss [12830a860] nsSSLIOLayerSetOptions: range.max limited to 1.2 due to BE_CONSERVATIVE flag
[Parent 13639: Socket Thread]: D/pipnss [12830a860] nsSSLIOLayerSetOptions: using TLS version range (0x0303,0x0303)
[Parent 13639: Socket Thread]: D/pipnss [12830a860] Socket set up
I am trying to understand where this blocklist is... There are lots of blocklists for malicious content, add-ons and so on, but I really haven't found anything like a "TLS blocklist". I also tried using the cert9.db from the original profile, but that didn't help. Looking at the code I can see the line where this happens, but between all the OCSP, stapling, CRL checks etc. I really don't understand enough to tell what is going wrong.
Any hints on how to find this blocklist and figure out how my site got into it?
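The two MOZ_LOG excerpts above differ in one telling way: in the old profile, "certificate is in blocklist" is logged straight after CheckSignatureDigestAlgorithm and before any IsChainValid, i.e. at trust lookup, before OCSP or CRLite are ever consulted, whereas the new profile reaches CheckRevocation, gets CRLite state=2, tries the OCSP responder and soft-fails. That ordering points at the profile-local certificate store (Firefox's cert_storage, which holds the OneCRL revocation data fetched through Remote Settings and lives in the profile's security_state directory, separate from cert9.db) rather than at OCSP or CRLite. The script below is an added example, not code from the poster or from Mozilla: it parses MOZ_LOG lines of the shape shown above, splits them into verification jobs, records which revocation sources each job consulted and names the mechanism that decided it, so two profiles can be compared side by side. The sample logs are condensed copies of the post's output (constructed), and the CRLite state names are assumed from nsICertStorage.idl; check them against the tree you are running.

```python
"""Summarise Firefox MOZ_LOG certverifier/pipnss output per certificate
verification job, so the revocation path taken in two profiles can be compared.
Added example; not part of the original post."""
import re

LOG_RE = re.compile(
    r'^\[(?P<proc>\w+) (?P<pid>\d+): (?P<thread>[^\]]+)\]: '
    r'(?P<level>[A-Z])/(?P<module>\w+) (?P<msg>.*)$'
)

# CRLite state codes as named in nsICertStorage.idl (assumed mapping; verify
# against the Firefox source you are running).
CRLITE_STATES = {0: 'UNSET', 1: 'ENFORCE', 2: 'NOT_ENROLLED',
                 3: 'NOT_COVERED', 4: 'NO_FILTER'}

# Constructed samples: condensed excerpts in the same shape as the post's logs.
OLD_PROFILE = """\
[Parent 13539: SSL Cert #1]: D/pipnss [13c6c86a0] SSLServerCertVerificationJob::Run
[Parent 13539: SSL Cert #1]: D/certverifier Top of VerifyCert
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: certificate is in blocklist
[Parent 13539: SSL Cert #1]: D/certverifier NSSCertDBTrustDomain: certificate is in blocklist
"""
NEW_PROFILE = """\
[Parent 13639: SSL Cert #4]: D/certverifier Top of VerifyCert
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: CheckSignatureDigestAlgorithm
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: IsChainValid
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: Top of CheckRevocation
[Parent 13639: SSL Cert #4]: D/certverifier OCSPCache::Get(172b38ea0,"firstPartyDomain: , partitionKey: ") not in cache
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: no cached OCSP response
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain::CheckRevocation: checking CRLite
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain::CheckCRLite: CRLite check returned state=2
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: no stapled OCSP response
[Parent 13639: SSL Cert #4]: D/pipnss DoOCSPRequest to 'http://ocsp.quovadisglobal.com'
[Parent 13639: SSL Cert #4]: D/certverifier NSSCertDBTrustDomain: returning SECSuccess after OCSP request failure
"""


def parse(text):
    """Yield one dict per well-formed MOZ_LOG line; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def new_job(thread):
    return {'thread': thread, 'chain_built': False, 'blocklist_hits': 0,
            'blocklist_before_chain': False, 'crlite_state': None,
            'stapled_ocsp': None, 'ocsp_cache_misses': 0, 'ocsp_requests': [],
            'ocsp_soft_fail': False}


def summarize_jobs(text):
    """One job per 'Top of VerifyCert' on a cert-verification thread; record
    which revocation sources were consulted and in what order."""
    jobs, current = [], {}
    for rec in parse(text):
        thread, msg = rec['thread'], rec['msg']
        if not thread.startswith('SSL Cert'):
            continue
        if msg == 'Top of VerifyCert':
            current[thread] = new_job(thread)
            jobs.append(current[thread])
            continue
        job = current.get(thread)
        if job is None:
            continue
        if msg.endswith('IsChainValid'):
            job['chain_built'] = True
        elif msg.endswith('certificate is in blocklist'):
            job['blocklist_hits'] += 1
            if not job['chain_built']:
                job['blocklist_before_chain'] = True   # trust lookup, not OCSP/CRLite
        elif 'CRLite check returned state=' in msg:
            job['crlite_state'] = int(msg.rsplit('=', 1)[1])
        elif msg.endswith('no stapled OCSP response'):
            job['stapled_ocsp'] = False
        elif msg.startswith('OCSPCache::Get') and msg.endswith('not in cache'):
            job['ocsp_cache_misses'] += 1
        elif msg.startswith('DoOCSPRequest to'):
            job['ocsp_requests'].append(msg.split("'")[1])
        elif 'returning SECSuccess after OCSP request failure' in msg:
            job['ocsp_soft_fail'] = True
    return jobs


def verdict(job):
    """Name the mechanism that decided the job, in the order Firefox consults them."""
    if job['blocklist_hits']:
        where = ('during trust lookup, before any chain was built'
                 if job['blocklist_before_chain'] else 'after chain building')
        return f'REJECTED by local certificate blocklist ({where}); OCSP/CRLite never ran'
    state = CRLITE_STATES.get(job['crlite_state'], job['crlite_state'])
    if job['ocsp_soft_fail']:
        return f'ACCEPTED: OCSP responder unreachable, verifier soft-failed (CRLite state {state})'
    if job['crlite_state'] == 1:
        return 'CRLite consulted authoritatively (ENFORCE); outcome not visible in these lines'
    return f'ACCEPTED: no revocation source reported a problem (CRLite state {state})'


def compare(old_text, new_text):
    """Return the per-job verdicts for two logs, for a quick side-by-side."""
    return ([verdict(j) for j in summarize_jobs(old_text)],
            [verdict(j) for j in summarize_jobs(new_text)])


if __name__ == '__main__':
    old, new = compare(OLD_PROFILE, NEW_PROFILE)
    print('old profile:', *old, sep='\n  ')
    print('new profile:', *new, sep='\n  ')
```

Run it against a full MOZ_LOG capture from each profile (pipe the file contents into compare) and look for jobs whose verdict is the blocklist line: those never reached the OCSP or CRLite stage, so changing OCSP settings cannot affect them, which matches the behaviour described above.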