Firefox is unable to verify some certificates
I've run into a weird issue with Firefox from rhel7.2 repositories (tested versions 38.7.0 to 45.2.0) where FF is unable to verify some certificates. Specifically the https://code.jquery.com/ certificate (verified by GlobalSign nv-sa), see attached image.
The same site is verified by vanilla Firefox packages (running on rhel7.2) and by openssl, as below. Does anyone have any idea what's going on or how to troubleshoot?
~~~
$ openssl s_client -connect code.jquery.com:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 C = GB, OU = Domain Control Validated by OneClickSSL, CN = code.jquery.com
verify return:1
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
~~~
Responses
Not sure whether it operates the same in RHEL as in Windows (I don't use GUIs in RHEL). That said, the Windows version of Firefox uses a private certificate store rather than consulting the system-wide certificate store ... which can be really nice if someone's gutted your system-level certificate store for local IA reasons. You might want to compare your Firefox's private root certificate store to see if it looks incomplete.
Firefox is a mess. I'm seeing this garbage when accessing some sites like https://wiki.samba.org/ through zscaler. My zscaler certificates are imported, I can get to most sites OK, but some, like wiki.samba.org, cause new versions of Firefox to throw this:
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
Older Firefoxes, Chrome, IE are all OK to access wiki.samba.org through zscaler. But new Firefoxes on Linux... nope.
So, to put it bluntly, I think new Firefoxes are not checking certificates or negotiating connections correctly.
Don't blame Firefox for doing security right. wiki.samba.org has an SSL certificate with the OCSP must-staple extension and the server correctly staples OCSP requests when requested. Your zscaler device actually does a man-in-the-middle attack on the SSL connections and unfortunately it messes it up - so that the OCSP reply from the server doesn't reach the client and generates this error message.
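One way to check the two conditions the last reply describes, added here as an example and not code from the thread: whether the leaf certificate carries the RFC 7633 TLS Feature (must-staple) extension, and whether a stapled OCSP response actually arrives at this client. It assumes the openssl command line; the function names and the sample output fed to them are my own.

```shell
#!/bin/sh
# Added example: decide whether a server certificate demands OCSP stapling
# (RFC 7633 TLS Feature extension, printed by OpenSSL as "TLS Feature") and
# whether a stapled OCSP response actually reaches this client. Must-staple
# set plus no staple delivered is the combination that makes Firefox report
# MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING.
# Assumes the openssl CLI; OpenSSL 1.1.0 or newer names the extension in -text.

# Read `openssl x509 -noout -text` output on stdin.
# Succeeds if the line after "TLS Feature" mentions status_request.
cert_requires_staple() {
    sed -n '/TLS Feature/{n;p;}' | grep -q 'status_request'
}

# Read `openssl s_client -status` output on stdin.
# Succeeds if the server's stapled OCSP response was delivered intact
# (a dropped staple shows up as "OCSP response: no response sent").
staple_received() {
    grep -q 'OCSP Response Status: successful'
}

# Run one TLS handshake to HOST:443 through whatever proxy is in the path
# and print one of: no-must-staple, staple-ok, staple-missing.
diagnose() {
    host=$1
    handshake=$(printf 'Q\n' | openssl s_client -connect "$host:443" \
                                   -servername "$host" -status 2>/dev/null)
    if ! printf '%s\n' "$handshake" | openssl x509 -noout -text 2>/dev/null \
            | cert_requires_staple; then
        echo no-must-staple
    elif printf '%s\n' "$handshake" | staple_received; then
        echo staple-ok
    else
        echo staple-missing
    fi
}

# With a hostname argument, diagnose it live; otherwise exercise the
# parsers on constructed sample output so the script runs offline.
if [ -n "$1" ]; then
    diagnose "$1"
else
    printf 'TLS Feature: \n    status_request\n' | cert_requires_staple \
        && echo 'sample cert: must-staple present'
    printf 'OCSP response: no response sent\n' | staple_received \
        || echo 'sample handshake: no stapled response'
fi
```

Run it against the host behind the proxy and again from a machine outside it; staple-missing on the first and staple-ok on the second is the middlebox dropping the staple.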