1833337 - MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING - please allow a bypass of the error

Status: NEW

(Core :: Security: PSM, enhancement, P5)

Description

[Sylvestre Ledru [:Sylvestre]]

I was trying to read this article:
https://www.cosfone.com/why-does-rust-rewrite-sudo-and-su/
But Firefox doesn't allow me to do it while Chromium does.

Would it be possible to have an option to still visit the website despite the warning?

On the Chrome side about the staple:
https://bugs.chromium.org/p/chromium/issues/detail?id=572734#c7

Comment 2

[Nigel]

https://www.thainewsreports.com/news-summary/

Is not working

Comment 3

[Nigel]

Having read the Wikipedia article on ocsp stapling, and if it's accurate then Mozilla in my opinion should if the flag is true on the certificate should attempt to get the certificate authority confirmation from the website being visited. If it's not available (not 8f it's incorrect), then it should revert to see if it can get it from the certificate authority. If it's available from the certificate authority it should simply work. If it doesn't work in either case, then the user should be told that the certificate cannot be verified and stop the transaction.

Comment 4

[Nigel]

@ryanvm
This issue has become important as Firefox 118 has changed the property for OCSP stapling from false to true without the user on Android being able to override the issue.

Comment 5

[Nigel]

I believe that as a result of the change in the status of the OCSP stapling that this is a defect and not an enhancement

Comment 6

[Ryan VanderMeulen [:RyanVM]]

Nigel, I have nothing to do with the development of this feature. Why are you pinging me?

Comment 7

[Nigel]

Ryan - this is a change that came with Release 118 to which Android users have no workaround and Desktop users have to find a hidden setting. I thought that you as the release manager would be interested in getting into a dot release

Comment 8

[Ryan VanderMeulen [:RyanVM]]

I'm not the release owner for the 118 release, nor is there any patch to land in a dot release. Dana is the correct person to follow up on this.

Comment 9

[Pascal Chevrel:pascalc]

Dana, do we know how many websites are impacted by our change? This seems to create a webcompat issue that only impacts Firefox. Thanks.

Comment 10

[Dana Keeler (she/her) [:keeler]]

Across all release users, this error is encountered about 20-50 times a day. For comparison, the "unknown issuer" error is encountered about 60,000 to 160,000 times a day across all release users.

Comment 11

[Nigel]

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #10)

Across all release users, this error is encountered about 20-50 times a day. For comparison, the "unknown issuer" error is encountered about 60,000 to 160,000 times a day across all release users.

Your figures - that obviously must exclude those with tracking disabled, would exclude my case of 4-8 times typically a day as I don't have tracking enabled.

The whole rationale for using OCSP stapling is for the website to provide the user browsing with proof of the SSL certificate being valid and not having to go to the website of the certificate issuer to check. Almost every website I have checked, does not have the OSCP stapling set as YES (True) and that allows those websites to currently work.

Your position at the moment is to make ALL websites that have the OSCP set to True to switch it to False so that Firefox users can access them. You are also saying that if they don't and users want a stable browser that they must AVOID using Firefox!

Comment 12

[Dennis Schubert [:denschub]]

Setting this as a webcompat-priority P3 for now, given the low numbers on comment 10. If this would spike higher, or we'd have evidence of this breaking a large site, this would increase in priority.

Comment 13

[Nigel]

You also have another issue related to this issue. If the SSL certificate has expired (and it has the OSCP Stapling set to be enforced) and the user chooses to continue with the expired certificate, then you are able to view the website and the current issue is bypassed