HTTPS connection fails with "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING"
Trying to connect to samba.org and its subsequent subdomains using Firefox 50.0.2(x86) returns an error that I am unable to find a remedy for.
Okulungisiwe ngu Fox Lover
Isisombululo esikhethiwe
This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.
When I load https://wiki.samba.org/index.php/Main_Page directly I don't get an error.
Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).
Does it make any difference if you toggle this setting:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste ocsp and pause while the list is filtered
(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false
Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?
Funda le mpendulo ngokuhambisana nalesi sihloko 👍 1All Replies (4)
See also:
- bug 1278041 – Public-Key-Pins: An unknown error occurred processing the header specified by the site.
- bug 1257031 – Return more informative error code when encountering invalid integers rather than SEC_ERROR_BAD_DER
- bug 1115718 – mozilla::pkix does not verify that the certificate issuer is not an empty distinguished name
- bug 901698 – implement OCSP-must-staple (off by default)
Please do not comment in bug reports
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Okulungisiwe ngu cor-el
Isisombululo Esikhethiwe
This rare error message seems to mean there is a problem with the server's OCSP response: OCSP "stapling" -- inclusion of the verification of the non-revocation of the server's certificate -- is required but not provided.
When I load https://wiki.samba.org/index.php/Main_Page directly I don't get an error.
Are you using a proxy? There was a reference on another site to an issue using Zscaler on that site: https://access.redhat.com/discussions/2408091 (June 30, 2016).
Does it make any difference if you toggle this setting:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste ocsp and pause while the list is filtered
(3) Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false
Then try the site again, bypassing the cache (e.g., Ctrl+Shift+r when you reload). Any difference?
Thank you for the response jscher2000. I am not using a proxy but disabling security.ssl.enable_ocsp_must_staple did remedy this problem, thank you for your help.
Hi Fox Lover, you might unknowingly be using a proxy. If you check the certificate on the Samba wiki and compare with the attached, do you have the same issuer information? You can do that using the Page Info dialog:
- right-click (on Mac Ctrl+click) a blank area of the page and choose View Page Info > Security > "View Certificate"
- (menu bar) Tools > Page Info > Security > "View Certificate"
- click the padlock or "i" icon in the address bar, then the ">" button, then More Information, and finally the "View Certificate" button
In the dialog that opens, the "Issued by" section is the key one to check.
