Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

HTTPS connection fails with "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING"

  • 4 replies
  • 5 have this problem
  • 7271 views
  • Last reply by jscher2000

more options

Trying to connect to samba.org and its subsequent subdomains using Firefox 50.0.2(x86) returns an error that I am unable to find a remedy for.

Attached screenshots

Modified by Fox Lover

Chosen solution

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.

When I load https://wiki.samba.org/index.php/Main_Page directly I don't get an error.

Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).


Does it make any difference if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false

Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

Read this answer in context 👍 1

All Replies (4)

more options

See also:

  • bug 1278041 – Public-Key-Pins: An unknown error occurred processing the header specified by the site.
  • bug 1257031 – Return more informative error code when encountering invalid integers rather than SEC_ERROR_BAD_DER
  • bug 1115718 – mozilla::pkix does not verify that the certificate issuer is not an empty distinguished name
  • bug 901698 – implement OCSP-must-staple (off by default)

Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

Modified by cor-el

more options

Chosen Solution

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.

When I load https://wiki.samba.org/index.php/Main_Page directly I don't get an error.

Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).


Does it make any difference if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false

Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

more options

Thank you for the response jscher2000. I am not using a proxy but disabling security.ssl.enable_ocsp_must_staple did remedy this problem, thank you for your help.

more options

Hi Fox Lover, you might unknowingly be using a proxy. If you check the certificate on the Samba wiki and compare with the attached, do you have the same issuer information? You can do that using the Page Info dialog:

  • right-click (on Mac Ctrl+click) a blank area of the page and choose View Page Info > Security > "View Certificate"
  • (menu bar) Tools > Page Info > Security > "View Certificate"
  • click the padlock or "i" icon in the address bar, then the ">" button, then More Information, and finally the "View Certificate" button

In the dialog that opens, the "Issued by" section is the key one to check.