OCSP Errors on Firefox – Fix OCSP Errors on Firefox in MacOS

Certain websites are failing when I have "security.OCSP.require: true" set in Firefox. Normal websites work, but when visiting commonly used websites (Facebook, GitHub, Spotify) it fails 90% of the time.

What could be causing this?

Firefox Version: 84.0b7
MacOS Version: 10.15.7

Best Answer

There are multiple causes of this - it could for example be a server error, overloaded server, no route/path to the OCSP server, etc.

When the check fails, Firefox displays an error code that will tell you the reason. The text looks like this:

An error occurred during a connection to www.facebook.com. The OCSP server experienced an internal error. (Error code: XXXXXXXXX)

The XXXXXXX part will tell you what the problem was.

The problem you're experiencing is actually one of the main drawbacks of OCSP. By default, failing to check the status of the certificate online will just show you the page anyways - effectively bypassing the whole point of OCSP. On the other hand, setting it to required, as you did, makes it likely that you will experience web sites that won't display - even though you know they're up and running and "should" have been working.

The newer OCSP stapling standard attempts to remove the drawback while keeping the benefits by essentially letting the server do the OCSP check periodically, and keeping a timestamped, signed receipt of that check around for sending to clients.
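
Added example (not part of the original answer): a shell function that reads the output of `openssl s_client -status` and reports whether a server stapled an OCSP response and what that response says. The function names are hypothetical and the sample outputs are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.
# Live use (needs network; host is a placeholder):
#   openssl s_client -connect example.com:443 -servername example.com -status \
#     </dev/null 2>/dev/null | classify_staple

# Read `openssl s_client -status` output on stdin and print one of:
#   no-staple                     server sent no stapled OCSP response
#   unparsed                      no OCSP section found (e.g. handshake failed)
#   responder-error:<status>      stapled response is not "successful"
#   <status> next-update=<time>   certificate status from the stapled response
classify_staple() {
  awk '
    /OCSP response: no response sent/ { none = 1 }
    /OCSP Response Status:/ { sub(/.*OCSP Response Status: */, ""); rstatus = $1 }
    /Cert Status:/          { sub(/.*Cert Status: */, ""); cert = $1 }
    /Next Update:/          { sub(/.*Next Update: */, ""); next_up = $0 }
    END {
      if (none)                    { print "no-staple"; exit }
      if (rstatus == "")           { print "unparsed"; exit }
      if (rstatus != "successful") { print "responder-error:" rstatus; exit }
      print cert " next-update=" next_up
    }'
}

# Constructed sample outputs (abridged), so the script runs offline.
sample_stapled() {
  cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec 11 10:00:00 2020 GMT
    Next Update: Dec 18 09:00:00 2020 GMT
EOF
}
sample_unstapled() { printf 'OCSP response: no response sent\n'; }
sample_error() {
  printf 'OCSP response:\nOCSP Response Data:\n    OCSP Response Status: internalerror (0x2)\n'
}

for s in sample_stapled sample_unstapled sample_error; do
  printf '%s: %s\n' "$s" "$("$s" | classify_staple)"
done
```

A site that reports `no-staple` leaves the client dependent on reaching the OCSP server itself, which is the case where a required check can fail even though the site is up.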