Firefox is unable to verify some certificates
I've run in a weird issue with Firefox from rhel7.2 repositories (tested versions 38.7.0 to 45.2.0) where FF is unable to verify some certificates. Specifically https://code.jquery.com/ certificate (verified by GlobalSign nv-sa), see attached image.
The same site is verified by vanilla Firefox packages (running on rhel7.2) and openssl as below. Anyone has any idea what's going on or how to troubleshoot?
~~~
$ openssl s_client -connect code.jquery.com:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 C = GB, OU = Domain Control Validated by OneClickSSL, CN = code.jquery.com
verify return:1
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
~~~
Responses
Guru
6435 points
Not sure whether it operates the same in RHEL as in Windows (I don't use GUIs in RHEL). That said, the Windows version of FireFox uses a private certificate-store rather than consulting the sytem-wide certificate store ...which can be really nice if someone's gutted your system-level certificate-store for local IA reasons. You might want to compare your Firefox's private root certificate store to see if it looks incomplete.
Firefox is a mess. I'm seeing this garbage when accessing some sites like https://wiki.samba.org/ through zscaler. My zscaler ceritficates are imported, i can get to most sites OK, but some, like wiki.samba.org cause new versions of firefox to throw this:
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
Older firefoxes, chrome, IE, are all ok to acess wiki.samba.org through zscaler. But new firefoxes on linux.. nope.
So, to put it bluntly, i think new Firefoxes are not checking certificates or negotiating connections correctly.
Guru
6435 points
That can be symptomatic that the remote site's SSL is not well (read, "doesn't meet recent security best practices"). If the site you're browsing isn't well configured and the version of Firefox you're using is configured to not allow fall-back, you can get those types of errors.
Don't blame FIrefox for doing security right. wiki,samba.org has a ssl certificate with ocsp must-staple extension and the server correctly staples ocsp requests when requested. Your zscaler device actually does a man-in-the-middle attack on the ssl connections and unfortunately it messes it up - so that the ocsp reply from the server doesn't reach the client and generates this error message.