Comodo SSL Problems

  • Tuesday, 15th August, 2017
  • 14:35pm
Update: 2.55pm
We're yet to find an official post by Comodo, but the folks at Namecheap are reporting that 90% of Comodo OCSP servers are responding again. Hopefully this is an indication that the issue is being addressed.


Update: 1.45pm
We're seeing multiple reports from clients who are telling us their websites are down today. Our servers are all up and working and the issue is not with us. The common denominator between all reports is that the clients are using Comodo SSL Certificates.

We believe there are some issues with the Comodo OCSP Servers. We've been applying a temporary fix to affected servers (disabling SSL Stapling) and websites will start loading again. If you see any issues, report them to us and we can apply the fix for you.

Once we get confirmation that Comodo have fixed this problem we will revert the changes we made.

Our support is a little busy today as a result of this.  We thank you for your patience.


Technical Explanation:

OCSP is a protocol that allows browsers such as Firefox and IE (Chrome has disabled it since 2012) to verify that an SSL certificate has not been revoked and presents a proper certificate chain. OCSP stapling is the same process, but the host/server bears the burden of performing the checks. This relies on the certificate authority correctly replying to OCSP requests.

From information we are able to verify, the Comodo OCSP server is intermittently returning no reply, causing the revocation status of the certificate to be unknown and therefore not presented to the client. We've disabled the OCSP stapling feature. This should have no security impact, as certificate revocation will still be checked using CRL and certificate revocation is rare.
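To confirm whether a server is currently stapling an OCSP response, as discussed in the explanation above, the handshake can be inspected with the OpenSSL command-line client. This is an added example, not part of the original notice; it assumes `openssl` and `awk` are installed, and the sample outputs and dates are constructed.

```shell
#!/bin/sh
# Classify OCSP stapling from `openssl s_client -status` output.
# Reads s_client output on stdin and prints one of: stapled-good,
# stapled-revoked, stapled-other, not-stapled, no-data (no OCSP section seen).
staple_status() {
    awk '
        /OCSP response: no response sent/  { none = 1 }
        /OCSP Response Status:/            { resp = 1 }
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status: good/                { good = 1 }
        /Cert Status: revoked/             { revoked = 1 }
        END {
            if (ok && revoked)   print "stapled-revoked"
            else if (ok && good) print "stapled-good"
            else if (resp)       print "stapled-other"
            else if (none)       print "not-stapled"
            else                 print "no-data"
        }'
}

# Live check against a server you administer: check_host <hostname>
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | staple_status
}

# Constructed sample: stapling enabled and the CA responder answering.
sample_stapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    Next Update: Aug 22 10:00:00 2017 GMT
EOF
}

# Constructed sample: stapling disabled, or no response cached from the CA.
sample_unstapled() {
cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

echo "stapling on:  $(sample_stapled | staple_status)"
echo "stapling off: $(sample_unstapled | staple_status)"
```

A `not-stapled` result is expected while the temporary fix is in place; once stapling is re-enabled the same check should return `stapled-good`.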