Firefox is unable to verify some certificates

I've run into a weird issue with Firefox from the rhel7.2 repositories (tested versions 38.7.0 to 45.2.0) where FF is unable to verify some certificates. Specifically the https://code.jquery.com/ certificate (verified by GlobalSign nv-sa), see attached image.

The same site is verified by vanilla Firefox packages (running on rhel7.2) and by openssl as below. Does anyone have any idea what's going on or how to troubleshoot?

~~~
$ openssl s_client -connect code.jquery.com:443
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 C = GB, OU = Domain Control Validated by OneClickSSL, CN = code.jquery.com
verify return:1
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
...
~~~

Responses

Just for clarification, most of the sites open fine with https (google, redhat, etc.); I've only come across https://code.jquery.com for now. The connection is dropped just after a new session ticket is created, followed by an encrypted alert & FIN (from Wireshark). Firefox does not display any message at all.

Not sure whether it operates the same in RHEL as in Windows (I don't use GUIs in RHEL). That said, the Windows version of Firefox uses a private certificate store rather than consulting the system-wide certificate store ...which can be really nice if someone's gutted your system-level certificate store for local IA reasons. You might want to compare your Firefox's private root certificate store to see if it looks incomplete.

Firefox is a mess. I'm seeing this garbage when accessing some sites like https://wiki.samba.org/ through Zscaler. My Zscaler certificates are imported, I can get to most sites OK, but some, like wiki.samba.org, cause new versions of Firefox to throw this:

MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

Older Firefoxes, Chrome, IE are all OK to access wiki.samba.org through Zscaler. But new Firefoxes on Linux... nope.

So, to put it bluntly, I think new Firefoxes are not checking certificates or negotiating connections correctly.

That can be symptomatic that the remote site's SSL is not well (read, "doesn't meet recent security best practices"). If the site you're browsing isn't well configured and the version of Firefox you're using is configured to not allow fall-back, you can get those types of errors.

Don't blame Firefox for doing security right. wiki.samba.org has an SSL certificate with the OCSP must-staple extension and the server correctly staples OCSP requests when requested. Your Zscaler device actually does a man-in-the-middle attack on the SSL connections and unfortunately it messes it up, so that the OCSP reply from the server doesn't reach the client and generates this error message.

According to the bug report below the shipped NSS library lacks support for AEAD cipher suites. It's going to be fixed in the next FF update for RHEL.

https://bugzilla.redhat.com/show_bug.cgi?id=1343202
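The two explanations given above (a must-staple certificate whose stapled OCSP response is dropped by a TLS-terminating proxy, and a client that cannot negotiate AEAD suites) can both be checked with the same `openssl s_client` the question already uses. The helpers below are an added example, not code from this thread; the function names are mine, and the two sample outputs are constructed to resemble s_client output.

```shell
#!/bin/sh
# Classify `openssl s_client -connect HOST:443 -servername HOST -status` output
# against the failure modes discussed in the thread. Function names hypothetical.

# Constructed sample: OCSP staple delivered, AEAD suite negotiated.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
depth=0 C = GB, OU = Domain Control Validated by OneClickSSL, CN = code.jquery.com
verify return:1
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample: no staple, CBC suite (what a non-AEAD client might get).
SAMPLE_PLAIN='CONNECTED(00000003)
OCSP response: no response sent
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384'

# 0 if a stapled OCSP response reached us. A proxy that terminates TLS and does
# not re-staple makes this fail even when the origin server staples correctly.
has_ocsp_staple() { grep -q 'OCSP Response Status: successful'; }

# 0 if the negotiated suite is AEAD (GCM, CCM or ChaCha20-Poly1305). To see whether
# a server also accepts non-AEAD suites, rerun s_client with
# -cipher 'ALL:!AESGCM:!CHACHA20:!AESCCM' and check that the handshake still succeeds.
cipher_is_aead() {
    awk '/^ *Cipher *:/ { c = $NF } END { exit !(c ~ /GCM|CCM|CHACHA20/) }'
}

# 0 if the leaf cert echoed by s_client carries the TLS Feature (must-staple)
# extension, OID 1.3.6.1.5.5.7.1.24. OpenSSL 1.0.2 prints the bare OID,
# 1.1.0+ prints "TLS Feature: status_request".
leaf_requires_staple() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -Eq 'TLS Feature:|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# Read s_client output on stdin, print one verdict line. The middle verdict is
# the situation behind MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING.
classify() {
    out=$(cat)
    if printf '%s\n' "$out" | has_ocsp_staple; then echo stapled
    elif printf '%s\n' "$out" | leaf_requires_staple; then echo must-staple-without-staple
    else echo no-staple-not-required
    fi
}

# Live use (network): run once directly and once through the proxy path and compare.
diagnose() { printf '' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null | classify; }
```

If the direct run reports `stapled` and the proxied run reports `must-staple-without-staple`, the proxy is dropping the staple rather than Firefox misbehaving.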