MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING caused by ocsp must staple, SSL labs says stapling is OK
Hi,
I'm getting a MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error on my website cubox.dev Using Firefox Developer Edition.
Nginx is configured to ocsp response, and disabling this flag in the advanced settings in Firefox fixes this issue, but I can't ask everyone to do that. SSLLabs are indicating that ocsp stapling is working fine: https://www.ssllabs.com/ssltest/analyze.html?d=imonia.fr&s=89.163.242.17&hideResults=on
Could someone tell me why this is an issue? Is there a problem with the way my server is stapling my responses? You can test against my server: cubox.dev
Thanks
All Replies (5)
I'm gonna disable must stapling on my server to fix the issue. I'll bring it back if someone wanna test it. Or give me the commands to run (openssl) and I'll get you the info
This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.
When I load https://cubox.dev directly I don't get an error.
Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).
Does it make any difference if you toggle this setting:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste ocsp and pause while the list is filtered
(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false
Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?
Shashank Shekhar said
This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided. When I load https://cubox.dev directly I don't get an error. Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016). Does it make any difference if you toggle this setting: (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste ocsp and pause while the list is filtered (3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?
As I mentionned above, I disabled the "must staple" from my server in order to let firefox users access the site. I'll enable it back so you can test the website again.
I am not using a proxy.
As I mentionned in my initial message (but it was not really clear), disabling the security.ssl.enable_ocsp_must_staple flag does fix this issue. But this cannot be a fix, since I cannot ask every user to do this.
Still a problem with LetsEncrypt, lighttpd web server, and latest Firefox as well as Firefox 81.0.2.
Try this: https://egbert.net/
Strange. Posted a comment earlier. And it's a No-Show. Re-edited this comment.
This is still the exact problem with LetsEncrypt, Firefox 81.0.2.
The setting `security.ssl.enable_ocsp_must_staple preference` is no longer working in `True` or `False.
Modified