搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

Learn More

HTTPS connection fails with "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING"

  • 4 回覆
  • 5 有這個問題
  • 5054 次檢視
  • 最近回覆由 jscher2000

more options

Trying to connect to samba.org and its subsequent subdomains using Firefox 50.0.2(x86) returns an error that I am unable to find a remedy for.

附加的畫面擷圖

由 Fox Lover 於 修改

被選擇的解決方法

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.

When I load https://wiki.samba.org/index.php/Main_Page directly I don't get an error.

Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).


Does it make any difference if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false

Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

從原來的回覆中察看解決方案 👍 1

所有回覆 (4)

more options

See also:

  • bug 1278041 – Public-Key-Pins: An unknown error occurred processing the header specified by the site.
  • bug 1257031 – Return more informative error code when encountering invalid integers rather than SEC_ERROR_BAD_DER
  • bug 1115718 – mozilla::pkix does not verify that the certificate issuer is not an empty distinguished name
  • bug 901698 – implement OCSP-must-staple (off by default)

Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

由 cor-el 於 修改

more options

選擇的解決方法

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.

When I load https://wiki.samba.org/index.php/Main_Page directly I don't get an error.

Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).


Does it make any difference if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false

Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

more options

Thank you for the response jscher2000. I am not using a proxy but disabling security.ssl.enable_ocsp_must_staple did remedy this problem, thank you for your help.

more options

Hi Fox Lover, you might unknowingly be using a proxy. If you check the certificate on the Samba wiki and compare with the attached, do you have the same issuer information? You can do that using the Page Info dialog:

  • right-click (on Mac Ctrl+click) a blank area of the page and choose View Page Info > Security > "View Certificate"
  • (menu bar) Tools > Page Info > Security > "View Certificate"
  • click the padlock or "i" icon in the address bar, then the ">" button, then More Information, and finally the "View Certificate" button

In the dialog that opens, the "Issued by" section is the key one to check.