OCSP incident October 15th

Alerts ID:    ALERT2435    Updated:    10/16/2017

Severity

Critical

Description

On Sunday, October 15th, 2017, at 12:01 am UTC, Mozilla Firefox users began experiencing accessibility issues when visiting some Symantec-secured domains hosted by Akamai Edge servers. Specifically, these servers retained expired certificate information, which resulted in page loading errors for visiting users. This issue is isolated to the Mozilla Firefox browser.

Once the issue was identified, we worked closely with Akamai to mitigate and resolve these issues, which were fully resolved by 9:30 am UTC.

 

Summary of Issue

  1. Symantec CA issued OCSP responses that were signed with a certificate whose expiration date was earlier than the expiration date of the OCSP responses.

  2. Akamai Secure Edge servers continued to serve OCSP responses from the cached certificate information.

  3. Mozilla Firefox browsers query the OCSP certificate to confirm validity. Because the certificate expired, OCSP errors began occurring.

 

If you are still experiencing an issue when retrieving OCSP responses, we recommend restarting the web service on your impacted server to force the cache to renew. This will help refresh the OCSP response with the newest certificate.
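The mismatch described in item 1 of the summary can be detected before a response is cached or stapled. The following is an added example, not Symantec's or Akamai's code: it uses the Python `cryptography` package to compare an OCSP response's nextUpdate with the notAfter of the certificate that signed it. The CA, host name, dates and function names are constructed for illustration.

```python
from datetime import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def _when(obj, attr):
    # Prefer the *_utc accessors of newer releases; normalise to naive UTC.
    val = getattr(obj, attr + "_utc", None)
    return val.replace(tzinfo=None) if val is not None else getattr(obj, attr)

def signer_cert(resp, issuer):
    """Find the cert named by the ResponderID (delegated responder or the CA)."""
    for c in list(resp.certificates) + [issuer]:
        key_hash = x509.SubjectKeyIdentifier.from_public_key(c.public_key()).digest
        if key_hash == resp.responder_key_hash or c.subject == resp.responder_name:
            return c
    raise ValueError("no certificate matches the ResponderID")

def serve_deadline(der, issuer):
    """Return (latest time a cache may serve this response, signer_expires_early).
    Only validity windows are compared; signature verification is out of scope."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status is not ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("unsuccessful OCSP response")
    next_update = _when(resp, "next_update")
    not_after = _when(signer_cert(resp, issuer), "not_valid_after")
    return min(next_update, not_after), not_after < next_update

def _cert(cn, key, issuer_cn, issuer_key, start, end):
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(end).sign(issuer_key, hashes.SHA256()))

def build_sample(signer_end, next_update):
    """Constructed test data: throwaway CA, leaf and delegated OCSP responder."""
    start = datetime(2017, 10, 1)
    ca_k, leaf_k, rsp_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _cert("Example CA", ca_k, "Example CA", ca_k, start, datetime(2027, 1, 1))
    leaf = _cert("www.example.test", leaf_k, "Example CA", ca_k, start, datetime(2018, 10, 1))
    rsp = _cert("Example OCSP", rsp_k, "Example CA", ca_k, start, signer_end)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(leaf, ca, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
                          datetime(2017, 10, 12), next_update, None, None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, rsp)
            .certificates([rsp]).sign(rsp_k, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER), ca
```

A cache that expires entries at the returned deadline, rather than at nextUpdate alone, stops serving a response once its signing certificate has expired.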