Fix OCSP Errors

 August 15, 2020

By Ludwik C. Siadlak

If you have ever encountered an error saying

SEC_ERROR_OCSP_FUTURE_RESPONSE

like this one:

the issue is your system time.

What is OCSP?

OCSP is the Online Certificate Status Protocol, which speeds up validation of online certificates by bypassing the CRLs, the Certificate Revocation Lists.

Basically speaking, it verifies whether the certificate is valid.

Normally, you can experience invalid certificates when they are expired or revoked. But in this case, OCSP returned a future response, which means your browser received the confirmation of certificate validity from the future. If at 08:42 on Aug 07 you’re trying to access a website, an artificial dialog between servers looks like this:

Aug 07, 08:42:01 – Dear OCSP, is Certificate XYZ valid?
Aug 07, 08:42:02 – Yes, it is valid. Please proceed.

This is a regular communication.

But what if it looked like this?

Aug 07, 08:42:01 – Dear OCSP, is Certificate XYZ valid?
Aug 15, 19:36:11 – Yes, it is valid. Please proceed.

Your browser understands this response, but then realizes that it’s Aug 7 and the response came from Aug 15. This means something is definitely not right, so it displays the error.
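The comparison described above can be reproduced offline. The following is an added example, not code from the original article or from any browser: it parses a constructed response in the text layout printed by `openssl ocsp -resp_text` and classifies it against a given local clock, also covering the opposite case of a clock that runs ahead. The 5-minute tolerance, the function names and the assumption that the timestamp compared is the "This Update" field are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: tolerance for ordinary clock drift; real clients pick their own value.
ALLOWED_SKEW = timedelta(minutes=5)

# Constructed sample, using the timestamp from the dialog in the article.
SAMPLE_RESPONSE = """\
    Cert Status: good
    This Update: Aug 15 19:36:11 2020 GMT
    Next Update: Aug 22 19:36:11 2020 GMT
"""

_FIELD = re.compile(r"^\s*(This|Next) Update:\s*(.+?)\s*$", re.M)


def parse_updates(text):
    """Return {'this': datetime, 'next': datetime or None}, both in UTC."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        found[kind.lower()] = parsed.replace(tzinfo=timezone.utc)
    if "this" not in found:
        raise ValueError("no 'This Update' field in response text")
    found.setdefault("next", None)  # Next Update is optional in OCSP
    return found


def check_freshness(text, now, skew=ALLOWED_SKEW):
    """Classify a response against the local clock `now` (timezone-aware UTC).

    Returns (verdict, gap): 'future' means the local clock is behind the
    responder, 'stale' means the response validity window has already ended.
    """
    times = parse_updates(text)
    if times["this"] > now + skew:
        return "future", times["this"] - now
    if times["next"] is not None and times["next"] < now - skew:
        return "stale", now - times["next"]
    return "ok", timedelta(0)


if __name__ == "__main__":
    # Local clock stuck on Aug 07, 08:42:01, as in the article's dialog.
    wrong_clock = datetime(2020, 8, 7, 8, 42, 1, tzinfo=timezone.utc)
    verdict, gap = check_freshness(SAMPLE_RESPONSE, wrong_clock)
    print(f"{verdict}: local clock differs from the response by {gap}")
```

A "future" verdict with a gap of days rather than seconds points at the local clock, not at the certificate.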

Solution?

Network Time Protocol (NTP)

NTP is a pool of servers that provide the most current date and time information, like Stratum 0 servers in Kerberos.

Instead of manually adjusting your system time, you can use Time Servers, which will take care of all of the work. Each Operating System offers this feature:

Windows 10

In Windows, all you need to do is right-click your system clock and select the following option under the Adjust System Date/Time menu:

MacOS

The same goes for MacOS: click on the clock, open Date and Time Preferences, and ensure the time is synchronized. This is the default setting on MacOS-based systems.

Linux

Since default Desktop Managers differ in every Linux distribution (KDE, GNOME, Xfce, et al.), the safest way to synchronize the system clock is to use one of the available NTP servers. You will need to use or install an app called ntpdate and then use it with your local NTP pool.

In Kali, Ubuntu, or any other Debian-based Linux, you can use apt to get this app:

sudo apt-get install ntpdate

Then choose the global or your local NTP server (in the following example, de for Germany; list available here), and that’s it!

sudo ntpdate de.pool.ntp.org

No more OCSP errors.
