OCSP uses HTTPS even when OCSP URL specifies HTTP
Recently we have noticed certificate revocation checking failures with the latest version of Acrobat Reader DC.
In the Department of Defense, the OCSP URLs in the DOD PKI are "http://ocsp.disa.mil". These servers work. But they do not respond on the SSL-enabled port (https). But when we try to verify signatures with Acrobat DC, we get connection failures. Network tracing has revealed that even though the URLs in the certificate specify http, Adobe Reader is trying to connect to the https port, and this gets timeouts.
Environment: MacOS X
Steps to reproduce: Get a certificate that has an OCSP URL that contained "http" and not "https". Try to check the revocation status of it and watch the network connection.
Kostas Mantzavinatos commented
We confirm that we have noticed the same issue, in the Hellenic Public Administration Certification Authority.
We found a way to work around this problem. We created a new user account on the Mac and then there Acrobat Reader worked perfectly!