SSL Certificate Cannot Be Trusted (Mar/2021)

Got the issue report from our customer in Mar/2021 which is generated by Nessus ( Vulnerability Management Solution for Modern IT |® ) that sounds similar to SSL Certificate Cannot Be Trusted posted in Oct/2020 from the description:

We are working on a solution to this issue in the future

Wondering if there is any progress update that can be shared with us?

The following certificates were part of the certificate chain
sent by the remote host, but they have invalid OCSPResponse
signatures :
|-Subject : C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
|-OCSP Signature : Decryption Failed
|-Subject :
|-OCSP Signature : Decryption Failed


The below is the list of docs we quickly walked through but failed to find out anything new.

Generally OCSP fails open meaning that clients don’t have issues when the staple is not present. Are they seeing any client impacting issues? How often do they get alerts for this ?

No, we have not seen any symptom or issue reported on the service delivery platform connected to the result reported by Nessus. This was initiated by the customer as part of their security assessment of the system they use for their business and not something detected and reported on a regular basis as part of service monitoring operation.

We referred the below comment in 211224 toward that customer in the short term and this finding doesn’t raise any immediate security concern at this moment, but at the same time, we are wondering if there is any solution to that issue implemented.

“We are working on a solution to this issue in the future, in the meantime, I recommend reviewing the PCI failure with your provider as OCSP stapling is not required for an SSL certificate to be trusted. I can also see the certificate returned for your site is trusted on all major browsers.” (justinw)

This topic was automatically closed after 30 days. New replies are no longer allowed.