Firefox throws Secure Connection Failed for many Microsoft domains (Fix)
When you try to connect select Microsoft owned domains such as Hotmail.com or Codeplex.com right now in Firefox, you may get a Secure Connection Failed error.
Sites that are affected by the issue include the following domains: hotmail.com, codeplex.com, visualstudio.com, azurewebsites.net, social.technet.microsoft.com, onedrive.live.com.
In fact, it appears that the majority of Microsoft owned domains are affected by the issue. Only some sites are not.
The error reads:
Secure Connection Failed
An error occurred during a connection to xyz.codeplex.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
When you try to load the site in another web browser, say Google Chrome or Internet Explorer, it loads fine and without any issues.
If you check the OCSP range (which is the time period in which it is active), you will notice that it expired on May 28, 2017. While Firefox is strict when it comes to the information, Chrome is not. Google's Chrome browser allows the connection, but considers it as insecure instead, while Firefox blocks it outright.
Temporary Workaround
The only option that Firefox users have right now to access affected Microsoft domains is to disable OSCP Stapling in the browser. Well, another option would be to use a different browser until the issue is resolved.
- Type about:config in the address bar of Firefox and hit the Enter-key.
- Confirm that you will be careful if the notification is displayed.
- Search for the preference security.ssl.enable_ocsp_stapling.
- Double-click on it to set it to false.
Doing so turns off OCSP Stapling in the Firefox web browser. Firefox will load the sites that refused to load before. A restart is not required.
Note: Disabling OCSP Stapling may affect the functionality of other websites that you visit, provided that they make use of the security feature.
Had this problems,in spades. Had just bought a brand new laptop&was thinking it was junk,because I could’nt get anywhere on the web,without a ton of hassle. BUT,after doing the recommended solution above,I am now able to get from point A to point B,withot having to spend a half an hour,just to reach Google or Twitter ,or anything else I am trying to get to on the internet. Still runs a bit slow,loading the pages,but not that long(maybe a minute),but at least it saves me from a half an hour or so,of refreshes&’secure connection failed’ messeges. Also,I found that it fixed my Twitter issues,as well,as before I used the solution on this new laptop,I was’nt able to even post photos,much less GIFs,on Twitter&sometimes,it would’nt even post regular tweets. But now I can. Thank you. However,I do have a question : Is there any security countermeasures I can take,to make it safer to go on,without the ‘stapling’? How safe is this solution,in the long run?
After 2 days, I am finally able to access Hotmail via Firefox as of 09:00 (Greenwich time+8) Wed., 31 May 2017 in Hong Kong. Hope the problem is also resolved for everyone as well. Hope the next MS debacle will not take as long to fix!
Somehow, when you just doggedly refresh the MS site you’re trying to visit, it will eventually load. Usually it doesn’t even take me all that many refreshes either.
But yeah.. Hotmail, OneDrive.. all with that error message initially. Really ugly, stupid and annoying IMO.
This affects Office 365, SharePoint Online and Azure too. It’s a real blunder from Microsoft, considering how much it at stake for major corporations that have moved to the cloud and rely on O365 and other enterprise services offered by MS. Granted, most enterprises run IE or Chrome, but still, next time it’s one of those browsers. I’m surprised this hasn’t gotten much attention from other tech sites so far.
Failed for me on Hotmail just now. Clicked to Retry 2-3 times and it finally connected
FWIW ~ outlook.live.com, msn.com, technet.microsoft.com, visualstudio.com & onedrive.live.com work okay (at this time) for me. FF 53.0.3
This problem cropped up once before back in 2014 and was supposedly fixed by Mozilla with a new PKIX code according to bug 972304 (see comment #8 by Brian Smith) https://bugzilla.mozilla.org/show_bug.cgi?id=972304
So either FF53.0.3 disabled PKIX or something else has gone pear-shaped.
I was reading an article on how to manually verify an OSCP server, but it looks a little daunting: https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
Disabling OCSP stapling doesn’t sound like a good idea since it affects all sites across the range and not just outlook.com
I been having this problem in Hong Kong (Greenwich time +8) with Firefox since Monday morning, 29 May 2017 and still have the problem at this moment – Tuesday evening, 30 May 2017. I tried MS “Edge” and was able to log-on to Hotmail but cannot print any e-mail because the print “preview drop-down” page is BLANK! The same with attempts to print anything while using Edge for other domains. Besides, Edge is so poorly designed, I don’t think I will ever use it for anything. I have no problems using Google’s Chrome for access or printing.
How could MS be making such stupid mistakes and not (more like refuse to) rectify them ASAP? Maybe they are too busy in the middle of enjoying their Memorial Day BBQ!
Me too (three, four, 1,001.) What a PITA.
I’m still having the problem and have for a day or two now while trying to figure out why or a way around it. As of right now, I only have problems with it for my hotmail account. If I use Microsoft edge to sign in, it works fine. I’m not a happy camper with Microsoft right now. People don’t have time to deal with this kind of stuff.
I still have the problem, plus it seems to be affecting other sites too (taobao.com for one, off the top of my head). Does this point to some kind of larger problem with whatever OSCP is? (Sorry, I don’t understand security tech).
I got the same on Firefox on Mac when accessing bing.com
Still not working, but I can access it via my history, saves opening other browsers!
i believe it works fine in Nightly, but it brings up that prblem in 53 an 54 https://bugzilla.mozilla.org/show_bug.cgi?id=1368388#c2
Thanks sooo much for updating people about these sort of issues. Thanks very very much…
I don’t encounter such problem visting the m$ sites in firefox.
It seems to have been resolved on Microsoft’s end.
Nope, I am still getting no loads on the bing news site trying to start up with Firefox. I have other browsers – no worries.
Thanks for the report, Martin. I experienced this error on Outlook.com and wondered what the heck was happening.
I find that pressing the “Try Again” button lets me connect.
Yes, could not reach Outlook Mail earlier today. Appears okay now.
Thanks
Another workaround: outlook.com and live.com works fine to access the webmail.
that was easy ! Thanks GalegO
Thanks!
OMG, it’s not just Windows, I’m getting the same error in Android.
Didn’t believe it, so I tried. Yes. Okay. When this type of thing happens, I find connecting to my SSH server on AWS resolves the problem. Yes, that works. But I don’t know why. I do wish I understood things like that. Quite frequently I notice that sites that don’t work will work if I go through some type of tunnel.
Let’s try the 50GB freebie Windscribe I snagged here a few weeks ago: Yes, all sites working fine. I already have a different DNS than my ISP assigned DNS. Wonder what it is.
Thanks for this report, Martin.
I use Hotmail and I could not log in this morning with Firefox or Cyberfox. I had the same error report which you have posted. I tried Chrome and Hotmail was accessible. Thanks for the tip about OCSP stapling.
How could MS overlook the fact that the certificate was invalid ?
Whenever I log into hotmail.com, it redirects me to outlook.com
Do people still get those errors after that?
I read yesterday that Microsoft fixed the issue on 97% or so of all servers already. Probably fixed by now.
Given M$’s penchant for pure evil, the distinct possibility exists that it was deliberate. How better to make another browser look bad? I’m guessing that by now they’ve fixed the certificates so that their own browsers don’t have the same problem eventually.
Not fixed yet