Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

HTTPS connection fails with "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING"

  • 4 uphendule
  • 5 zinale nkinga
  • 7947 views
  • Igcine ukuphendulwa ngu jscher2000

more options

Trying to connect to samba.org and its subsequent subdomains using Firefox 50.0.2(x86) returns an error that I am unable to find a remedy for.

Ama-screenshot ananyekiwe

Okulungisiwe ngu Fox Lover

Isisombululo esikhethiwe

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.

When I load https://wiki.samba.org/index.php/Main_Page directly I don't get an error.

Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).


Does it make any difference if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false

Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

Funda le mpendulo ngokuhambisana nalesi sihloko 👍 1

All Replies (4)

more options

See also:

  • bug 1278041 – Public-Key-Pins: An unknown error occurred processing the header specified by the site.
  • bug 1257031 – Return more informative error code when encountering invalid integers rather than SEC_ERROR_BAD_DER
  • bug 1115718 – mozilla::pkix does not verify that the certificate issuer is not an empty distinguished name
  • bug 901698 – implement OCSP-must-staple (off by default)

Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

Okulungisiwe ngu cor-el

more options

Isisombululo Esikhethiwe

This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.

When I load https://wiki.samba.org/index.php/Main_Page directly I don't get an error.

Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).


Does it make any difference if you toggle this setting:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste ocsp and pause while the list is filtered

(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false

Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?

more options

Thank you for the response jscher2000. I am not using a proxy but disabling security.ssl.enable_ocsp_must_staple did remedy this problem, thank you for your help.

more options

Hi Fox Lover, you might unknowingly be using a proxy. If you check the certificate on the Samba wiki and compare with the attached, do you have the same issuer information? You can do that using the Page Info dialog:

  • right-click (on Mac Ctrl+click) a blank area of the page and choose View Page Info > Security > "View Certificate"
  • (menu bar) Tools > Page Info > Security > "View Certificate"
  • click the padlock or "i" icon in the address bar, then the ">" button, then More Information, and finally the "View Certificate" button

In the dialog that opens, the "Issued by" section is the key one to check.