搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Secure Connection Failed to google.com

  • 7 个回答
  • 27 人有此问题
  • 1 次查看
  • 最后回复者为 mattcamp

more options

FF ESR 52.2.0 Windows XP sp3

Today I changed the following two OCSP settings from False to True:

security.OCSP.GET.enabled;true security.OCSP.require;true

Since then I'm unable to go to google.com, get the error message:

"Secure Connection Failed

An error occurred during a connection to www.google.com. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem."

But, at the same time I have no problem loading any other major websites like DuckDuckgo, rt.com, cnn.com, etc.

So, could someone help me to figure out why Google is not secure for me?

I don't know if it makes any difference, the IP address of google.com when I ping it is 216.58.209.196

FF ESR 52.2.0 Windows XP sp3 Today I changed the following two OCSP settings from False to True: security.OCSP.GET.enabled;true security.OCSP.require;true Since then I'm unable to go to google.com, get the error message: "Secure Connection Failed An error occurred during a connection to www.google.com. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem." But, at the same time I have no problem loading any other major websites like DuckDuckgo, rt.com, cnn.com, etc. So, could someone help me to figure out why Google is not secure for me? I don't know if it makes any difference, the IP address of google.com when I ping it is 216.58.209.196

被采纳的解决方案

The IP address you report belongs to Google, from the whois command.

I don't think the problem is about Firefox, but with Google settings.

Google might have setup their servers in a way to trigger a specific action if those settings you altered are configured that way, we cannot know.

My take on this, reasoning on what OSCP is as follows: OSCP is used for obtaining the revocation status of an X.509 digital certificate, but Google could use a PKI infrastructure and not implement OSCP security. It's not mandatory.

定位到答案原位置 👍 6

所有回复 (7)

more options

选择的解决方案

The IP address you report belongs to Google, from the whois command.

I don't think the problem is about Firefox, but with Google settings.

Google might have setup their servers in a way to trigger a specific action if those settings you altered are configured that way, we cannot know.

My take on this, reasoning on what OSCP is as follows: OSCP is used for obtaining the revocation status of an X.509 digital certificate, but Google could use a PKI infrastructure and not implement OSCP security. It's not mandatory.

more options

mattcamp: Thanks for your answer, I knew, that it wasn't FF fault, but I posted my question here because FF gurus for sure know what these config elements do. Since I use Google a lot, I set this element "security.OCSP.require" to false, now I'm OK, just a bit disappointed.

I noticed, that there are 5 elements in FF config that deal with PKI, can you tell me what is the meaning of level 3 here:

security.pki.sha1_enforcement_level;3

and what other options are out there for this element?

more options

The fact is SHA1 hashing algorithm has proven to be insecure, because a collision is possible.

A collision is when an algorithm calculates the same hash value for two different files.

This should never happen, because each file should have a unique hash signature, so Mozilla banned SHA1n favor of more secure algorithms.

More details here.

The NSA, too, deprecated SHA1 for the same reasons.

more options

I see. So, by any chance do you know, that then how can anyone make sure, or trust the system that when you're using Google using FF, indeed you're communicating with a real Google server and not for e.g. a cuckoo's egg between you and a real Google server? Or we just have accept the familiar request "just trust us!"

more options

Hi, It's a complex matter. However, I want to remind you that the people who answer questions here, for the most part, are other Firefox users volunteering their time (like me), not Mozilla employees or Firefox developers.

If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.

more options

mattcamp: Thank you for patience and all your answers!

more options

You're very welcome.

I love to help, that's why I'm here.