list of firefox ocsp servers #73

Closed
berrythesoftwarecodeprogrammar opened this issue Nov 5, 2015 · 8 comments
@berrythesoftwarecodeprogrammar

I did this for my own reasons but thought I would post it here in case it would be useful to anybody else. I read my cert8.db and these were the OCSP servers I found. It could be useful for those who might go as far as to block all background connections except whitelisted ones, or maybe those who force HTTPS on all domains except whitelisted ones (the majority of OCSP servers don't use HTTPS). Or maybe those just wondering what the connections to these IPs are.
See my post underneath this for OCSP servers not included by default.

@pyllyukko
Owner

Thanks for this. Hopefully it helps people to debug all those mystery connections.

@pyllyukko pyllyukko added the FYI label Nov 5, 2015
@berrythesoftwarecodeprogrammar
Author

berrythesoftwarecodeprogrammar commented Nov 5, 2015

I think in this comment I'll keep an up-to-date list of OCSP servers which I encounter (since CAs push their own OCSP servers to clients, OCSP servers not in Firefox's db will still be used).


@nodiscc
Contributor

nodiscc commented Nov 6, 2015

Is it really needed to maintain a list of OCSP servers? OCSP requests are easily distinguishable from other traffic using wireshark/tshark (example). netstat will only show a TCP connection, that's why you should not use netstat to investigate connections.

Related #20
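As an added example, not code from this thread or from the user.js project, here is the structural way to tell OCSP lookups apart from other HTTP traffic (standard-library Python only): it builds the DER OCSPRequest a browser sends, then classifies requests by the RFC 6960 transport rules (POST with `application/ocsp-request`, or GET with the base64 DER in the path) instead of by responder hostname. The issuer hashes and serial number in the sample are constructed values.

```python
import base64
from urllib.parse import quote, unquote
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; long-form lengths up to 0xFFFF cover anything built here."""
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def ocsp_request_der(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """OCSPRequest (RFC 6960) with one CertID hashed with SHA-1, the shape browsers send."""
    alg_id = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))  # id-sha1, NULL params
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    cert_id = der(0x30, alg_id + der(0x04, issuer_name_hash) + der(0x04, issuer_key_hash) + serial_der)
    request_list = der(0x30, der(0x30, cert_id))  # SEQUENCE OF Request { reqCert CertID }
    return der(0x30, der(0x30, request_list))     # OCSPRequest { TBSRequest { requestList } }

def _tlv(buf: bytes, off: int):
    """(tag, body_start, body_end) of the TLV at off, or None if malformed or truncated."""
    if off + 2 > len(buf) or buf[off + 1] == 0x80: return None  # truncated, or indefinite length (not DER)
    k = max(buf[off + 1] - 0x80, 0)  # number of long-form length bytes
    start = off + 2 + k
    if k > 2 or start > len(buf): return None
    n = int.from_bytes(buf[off + 2:start], "big") if k else buf[off + 1]
    return (buf[off], start, start + n) if start + n <= len(buf) else None

def is_ocsp_request_der(blob: bytes) -> bool:
    """Walk OCSPRequest > TBSRequest > requestList > Request > CertID > AlgorithmIdentifier, expect an OID.
    Assumes version is omitted (DEFAULT v1) and there is no requestorName, which is what browsers send."""
    off, end = 0, len(blob)
    for depth in range(6):
        t = _tlv(blob, off)
        if t is None or t[0] != 0x30 or t[2] > end or (depth == 0 and t[2] != end):
            return False
        off, end = t[1], t[2]
    return (_tlv(blob, off) or (None,))[0] == 0x06

def is_ocsp_http_request(method: str, path: str, content_type: str = "") -> bool:
    """POST: body declared as OCSP. GET: some path suffix is base64(DER OCSPRequest) (RFC 6960 A.1)."""
    if method == "POST":
        return content_type.split(";")[0].strip().lower() == "application/ocsp-request"
    segments = unquote(path).split("/") if method == "GET" else []
    for i in range(len(segments)):  # responder URLs may carry their own path prefix, e.g. /ocsp
        try:
            if is_ocsp_request_der(base64.b64decode("/".join(segments[i:]), validate=True)):
                return True
        except ValueError:  # not base64 at all
            pass
    return False

# Constructed sample: the hashes and serial are made up, not taken from any real certificate.
SAMPLE_REQUEST = ocsp_request_der(b"\x11" * 20, b"\x22" * 20, 0x0123456789)
SAMPLE_GET_PATH = "/" + quote(base64.b64encode(SAMPLE_REQUEST).decode())
```

Feeding proxy or access-log method/path/content-type fields through `is_ocsp_http_request` flags the lookups regardless of which responder a CA chose, which is exactly the case a static hostname list misses.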

@berrythesoftwarecodeprogrammar
Author

It's not needed, and I'm aware. Also, checking with a list can be faster than packet inspecting. People are free to use this list for anything they like. It's not a requirement of any sort.

This is my personal use case:
NoScript HTTPS settings
OCSP servers don't support HTTPS, so I need to whitelist them as I force HTTPS by default
(I find this NoScript method more effective than HTTPSE or HTTPN)

@berrythesoftwarecodeprogrammar
Author

Which whitelist are you talking about?

@Atavic

Atavic commented Sep 20, 2016

Moreover, Certificate Revocation Lists (“CRLs”) are used to track revoked certificates. Your browser will download these lists to verify if a certificate presented by a web site has been revoked:

https://isc.sans.edu/crls.html lists the Certificates Revoked per Day.
