China GWF blocks OCSP server IP

I am using an x2 cert. When I try to use a China network, I get "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING".

When I disable ocsp_must_staple, the site can be visited. I think the China GWF blocks the OCSP server IP.
Double-click the security.ssl.enable_ocsp_must_staple preference to switch the value from true to false.

Is there a better way to solve this problem?

1 Like

Hello @GodSir and welcome to the community!
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | mydomain.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

https://certbot.eff.org/docs/

https://certbot.eff.org/docs/using.html#certbot-command-line-options

If this is a stapling issue we can help, but please provide the information requested.

5 Likes

Test site: m.xiaoyu.net
Site server: Windows 2022, IIS 10, TLS 1.3 and 1.2 enabled
IPv4 network: VIRTUA SYSTEMS SAS

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

Visiting the site from the China Telecom IPv4 network, it can't be opened; it shows "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING".
After setting the security.ssl.enable_ocsp_must_staple preference from true to false, the site can open.

2 Likes

It seems that there is some kind of filtering in place here.
My analysis shows:

nmap m.xiaoyu.net
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-15 21:18 PST
Nmap scan report for m.xiaoyu.net (185.10.17.74)
Host is up (0.36s latency).
Other addresses for m.xiaoyu.net (not scanned): 2602:fed2:7021::3
rDNS record for 185.10.17.74: mx.xiaoyu.net
Not shown: 994 filtered tcp ports (no-response)
PORT    STATE SERVICE
25/tcp  open  smtp
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
465/tcp open  smtps
993/tcp open  imaps


There must be something else in play here:

Hopefully another expert here can help.

4 Likes

That site's TCP 80, TCP 443 and UDP 443 ports are open in the server firewall. The site server is protected against extensive port scanning.

Visiting that site from another country's network works normally.

2 Likes

https://dev.ssllabs.com/ssltest/analyze.html?d=m.xiaoyu.net&s=185.10.17.74&latest

Testing the site with this tool shows it is normal.

2 Likes

I can connect to your site securely and see an active wildcard cert with serial #:
03d6708d8d1c1c8f2743e6da9eebd30b973c

If that is the one you are using, then I don't see the "China GWF".

4 Likes

Your current cert (crt.sh | 7554475879) has "must staple" enabled ("TLS Feature: status_request" in the certificate info from crt.sh/OpenSSL).

When "must staple" is enabled, well, the browser expects a stapled OCSP status. If that won't succeed, it gives the error you've shown.

Fixes:

  • make sure OCSP stapling is working (note that a stapled OCSP status is different from a separate OCSP request made by the browser. The stapled OCSP status is provided by the webserver in the handshake and should also be configured in the webserver)
  • if OCSP stapling is not possible: disable the "must staple" feature in your certificate.
5 Likes

Using SSL Server Test (Powered by Qualys SSL Labs) shows:
SSL Server Test: m.xiaoyu.net (Powered by Qualys SSL Labs)

2 Likes

@Bruce5051 What exactly should I look at? It corroborates my post AFAIK.

4 Likes

Correct; I quoted you so the OP would know the context I was speaking of. Nothing for you to look at @Osiris

4 Likes

Can the web server reach the OCSP service?

3 Likes

It works from where I'm sitting:

openssl ocsp -issuer e1.pem -cert your.pem -text -url http://e1.o.lencr.org

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: EF900170DD588F2A651E21511FDCD0BB6F512BAB
          Issuer Key Hash: 5AF3ED2BFC36C23779B95230EA546FCF55CB2EAC
          Serial Number: 03D6708D8D1C1C8F2743E6DA9EEBD30B973C
    Request Extensions:
        OCSP Nonce:
            04102BF3C7D104B4EE70CC0E2A36D6E14512
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = E1
    Produced At: Nov 16 16:34:00 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: EF900170DD588F2A651E21511FDCD0BB6F512BAB
      Issuer Key Hash: 5AF3ED2BFC36C23779B95230EA546FCF55CB2EAC
      Serial Number: 03D6708D8D1C1C8F2743E6DA9EEBD30B973C
    Cert Status: good
    This Update: Nov 16 16:00:00 2022 GMT
    Next Update: Nov 23 15:59:58 2022 GMT

    Signature Algorithm: ecdsa-with-SHA384
         30:65:02:31:00:c3:92:0c:87:41:f4:4b:c3:53:7b:e1:c8:1e:
         d4:a7:1d:b6:ee:72:eb:d1:9c:15:04:2b:f9:70:89:0d:8b:40:
         1d:f6:54:72:bb:7b:10:c0:08:bc:7e:54:36:74:cb:4f:f9:02:
         30:24:4e:1a:a3:5f:28:ec:9c:32:ac:8c:0e:40:14:57:ed:bc:
         cb:0d:60:3f:d4:f3:f7:55:24:f5:b8:30:eb:a8:db:00:a5:f5:
         27:ec:df:a5:c3:cf:c0:eb:3b:25:56:92:89
WARNING: no nonce in response
Response verify OK
your.pem: good
        This Update: Nov 16 16:00:00 2022 GMT
        Next Update: Nov 23 15:59:58 2022 GMT

3 Likes

However, the webserver doesn't send a stapled OCSP status:

osiris@erazer ~ $ openssl s_client -connect m.xiaoyu.net:443 -status
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = E1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = xiaoyu.net
verify return:1
OCSP response: no response sent
---
(...)

But that was obvious already by the webbrowser errors.

4 Likes
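An added example, not code from the thread, covering the checks in the two posts above (the certificate's "TLS Feature: status_request" flag and the `openssl s_client -status` test) and the earlier question of whether the web server can reach the OCSP responder. It is a POSIX shell script that only needs openssl 1.1.1+ (for `-addext`). The two self-signed certificates it generates are constructed test data, not the OP's certificate; the host, port and certificate paths for the live checks are whatever the reader passes as arguments. One caveat that matters for reading the Chrome-vs-Firefox observation later in the thread: Firefox enforces the must-staple extension and Chrome does not, so a site that opens in Chrome but fails in Firefox with this error points at a server that is not stapling, not at a blocked network path.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the two halves of a must-staple
# failure: does the certificate demand a stapled OCSP response, and does the
# server actually send one in the TLS handshake.
# Assumes openssl 1.1.1+ on PATH. Hosts/ports/paths given as arguments are the
# reader's own. Network is needed only for the live checks at the bottom.

# Returns 0 if certificate file $1 carries the TLS Feature extension
# (status_request, OID 1.3.6.1.5.5.7.1.24), which is what "must staple" is.
has_must_staple() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  case "$txt" in
    *"TLS Feature"*status_request*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if the server at $1:$2 staples an OCSP response into the handshake.
# This is what Firefox requires for a must-staple cert; a browser-side OCSP
# fetch does not count, so a reachable responder alone is not enough.
server_staples() {
  printf '' \
    | openssl s_client -connect "$1:$2" -servername "$1" -status 2>/dev/null \
    | grep -q 'OCSP Response Status: successful'
}

# Returns 0 if the OCSP responder named in certificate $1 (issuer cert $2)
# answers "good" from this machine. Run it on the web server itself: if it
# fails there, the server has nothing to staple.
ocsp_responder_ok() {
  url=$(openssl x509 -in "$1" -noout -ocsp_uri)
  [ -n "$url" ] || return 1
  out=$(openssl ocsp -issuer "$2" -cert "$1" -url "$url" 2>&1) || return 1
  case "$out" in *"Response verify OK"*) ;; *) return 1 ;; esac
  case "$out" in *": good"*) return 0 ;; *) return 1 ;; esac
}

WORKDIR=$(mktemp -d)

# Throwaway self-signed cert for offline testing (constructed test data).
# $2 is an optional -addext value, e.g. "tlsfeature=status_request".
make_test_cert() {
  out="$WORKDIR/$1.pem"
  if [ -n "$2" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
      -keyout "$WORKDIR/$1.key" -out "$out" -addext "$2" >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
      -keyout "$WORKDIR/$1.key" -out "$out" >/dev/null 2>&1
  fi
  echo "$out"
}

MUST_STAPLE_CERT=$(make_test_cert must-staple "tlsfeature=status_request")
PLAIN_CERT=$(make_test_cert plain)

has_must_staple "$MUST_STAPLE_CERT" && echo "must-staple.pem: TLS Feature status_request present"
has_must_staple "$PLAIN_CERT" || echo "plain.pem: no must-staple extension"

# Live checks (network): sh check_staple.sh <host> <port> [leaf.pem issuer.pem]
if [ $# -ge 2 ]; then
  if server_staples "$1" "$2"; then
    echo "$1:$2 staples an OCSP response"
  else
    echo "$1:$2 sends no stapled response; a must-staple cert will fail in Firefox"
  fi
  if [ $# -ge 4 ]; then
    if ocsp_responder_ok "$3" "$4"; then
      echo "OCSP responder reachable from here, status good"
    else
      echo "OCSP responder unreachable from here or status not good"
    fi
  fi
fi
```

Run it with no arguments to see the offline extension check on the two generated certificates; pass a host and port to test stapling against a real server, and add the leaf and issuer PEM files (the `your.pem` and `e1.pem` of the post above) to test responder reachability from the machine you run it on.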

Thus my question:

And since the China GWF isn't seen from this view, I would expect that it isn't to blame.

I've done my best to show how they can check it themselves.

3 Likes

OP should be able to see problems with that in the webserver error log.

But I'm still not convinced the webserver is even configured to staple OCSP statuses to begin with.

5 Likes

I'm confused about where that is being done - I thought it was on the server ...

3 Likes

No, that's setting the security.ssl.enable_ocsp_must_staple to False (in Firefox) as explained by OP in the sentence after the one you've quoted.

5 Likes

Now, visiting that site with Chrome works normally. Mozilla still has the issue.

1 Like

Does anyone know the reason for this problem? How can it be fixed?

1 Like