搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

Learn More

MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING caused by ocsp must staple, SSL labs says stapling is OK

  • 3 回覆
  • 1 有這個問題
  • 47 次檢視
  • 最近回覆由 Andy Pilate

more options

Hi,

I'm getting a MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING error on my website cubox.dev Using Firefox Developer Edition.

Nginx is configured to ocsp response, and disabling this flag in the advanced settings in Firefox fixes this issue, but I can't ask everyone to do that. SSLLabs are indicating that ocsp stapling is working fine: https://www.ssllabs.com/ssltest/analyze.html?d=imonia.fr&s=89.163.242.17&hideResults=on

Could someone tell me why this is an issue? Is there a problem with the way my server is stapling my responses? You can test against my server: cubox.dev

Thanks

所有回覆 (5)

more options

I'm gonna disable must stapling on my server to fix the issue. I'll bring it back if someone wanna test it. Or give me the commands to run (openssl) and I'll get you the info

有幫助嗎?

more options

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.

When I load https://cubox.dev directly I don't get an error.

Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).

Does it make any difference if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false

Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

有幫助嗎?

more options

Shashank Shekhar said

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided. When I load https://cubox.dev directly I don't get an error. Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016). Does it make any difference if you toggle this setting: (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste ocsp and pause while the list is filtered (3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

As I mentionned above, I disabled the "must staple" from my server in order to let firefox users access the site. I'll enable it back so you can test the website again.

I am not using a proxy.

As I mentionned in my initial message (but it was not really clear), disabling the security.ssl.enable_ocsp_must_staple flag does fix this issue. But this cannot be a fix, since I cannot ask every user to do this.

有幫助嗎?

more options

Still a problem with LetsEncrypt, lighttpd web server, and latest Firefox as well as Firefox 81.0.2.

Try this: https://egbert.net/

有幫助嗎?

more options

Strange. Posted a comment earlier. And it's a No-Show. Re-edited this comment.

This is still the exact problem with LetsEncrypt, Firefox 81.0.2.

The setting `security.ssl.enable_ocsp_must_staple preference` is no longer working in `True` or `False.

Try https://egbert.net/

由 s.egbert 於 修改

有幫助嗎?

問個問題

如果您還沒有帳號,您必須先 登入您的帳號 來回覆文章。請 開始一個新問題