What is OCSP?
Author: hwahyeon
This appears in the Firefox settings:
Query OCSP responder servers to confirm the current validity of certificates.
What is OCSP?
OCSP (Online Certificate Status Protocol) is a protocol used to check whether an SSL/TLS certificate has been revoked when a browser connects to an HTTPS site. The browser sends the certificate's identifying information to an OCSP responder server operated by the Certificate Authority (CA), and the responder returns the certificate's status: Good (not revoked), Revoked, or Unknown (the responder has no status information for that certificate).
Browsers can send an OCSP request at connection time to check whether the certificate has been revoked. Not every browser sends a live request on every connection, however: some rely on cached responses, or on OCSP stapling, where the web server itself includes a recent CA-signed OCSP response in the TLS handshake. The exact behavior therefore varies by browser.
Handling the 'Unknown' Status
When a browser receives an 'Unknown' status, it typically follows a fail open (soft-fail) policy: the connection is allowed to proceed even though the certificate's status could not be confirmed. Security settings can instead enforce a fail closed (hard-fail) policy, in which connections whose certificate status is 'Unknown' are blocked.
That said, some browsers may bypass OCSP requests entirely or use cached information for certificate validation, meaning they might not handle the 'Unknown' status directly.
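As an added example (not from the original post), the following Python models the client-side decision described above: a stapled or cached response is trusted only while it is fresh, an unreachable responder leaves the status Unknown, and the fail open / fail closed policy decides what Unknown means for the connection. The OcspResponse and RevocationChecker classes, the Unix-time fields and the tuple used as a certificate identifier are simplifications assumed for the example; a real client parses DER-encoded responses and verifies the responder's signature before using them.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

class Status(Enum):
    GOOD = "good"          # responder says the certificate is not revoked
    REVOKED = "revoked"    # the CA has revoked it
    UNKNOWN = "unknown"    # responder has no information about this certificate

@dataclass
class OcspResponse:
    status: Status
    this_update: int   # Unix time: when the responder last knew this status
    next_update: int   # Unix time: responder promises fresher data by then
    def is_fresh(self, now: int) -> bool:
        return self.this_update <= now < self.next_update

# Simplified certificate identifier used in the request: (issuer key hash, serial number)
CertId = Tuple[str, int]
Fetcher = Callable[[CertId], Optional[OcspResponse]]   # network call to the responder

@dataclass
class RevocationChecker:
    fail_closed: bool = False        # False = fail open, the typical browser default
    cache: Dict[CertId, OcspResponse] = field(default_factory=dict)

    def resolve(self, cert_id: CertId, now: int, fetch: Fetcher,
                stapled: Optional[OcspResponse] = None) -> Status:
        """Return the status the client acts on, preferring fresh local data."""
        # 1. A response stapled into the TLS handshake saves a round trip, but a stale one proves nothing.
        if stapled is not None and stapled.is_fresh(now):
            self.cache[cert_id] = stapled
            return stapled.status
        # 2. A cached response is reused only until its nextUpdate.
        cached = self.cache.get(cert_id)
        if cached is not None and cached.is_fresh(now):
            return cached.status
        # 3. Otherwise ask the responder; no answer, or an already stale answer, means Unknown.
        try:
            fresh = fetch(cert_id)
        except OSError:
            fresh = None
        if fresh is None or not fresh.is_fresh(now):
            return Status.UNKNOWN
        self.cache[cert_id] = fresh
        return fresh.status

    def allow(self, status: Status) -> bool:
        if status is Status.REVOKED:
            return False
        if status is Status.GOOD:
            return True
        return not self.fail_closed   # UNKNOWN: fail open proceeds, fail closed blocks
```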