From 49504f2d0e8bfb55f72ca9d29bb3ab29810e182a Mon Sep 17 00:00:00 2001
From: guilhem
Date: Thu, 7 Apr 2016 18:32:37 +0200
Subject: Added a comment: Unreproducible here (Firefox ESR 45.0.1)
---
...ent_1_b4a4c48337c46bc9f2435fe6df8b382e._comment | 33 ++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment
(limited to 'tracker/Public-Key-Pins_not_accepted_by_firefox')
diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment
new file mode 100644
index 0000000..6a15cd2
--- /dev/null
+++ b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment
@@ -0,0 +1,33 @@
+[[!comment format=mdwn
+ username="guilhem"
+ avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28"
+ subject="Unreproducible here (Firefox ESR 45.0.1)"
+ date="2016-04-07T16:32:37Z"
+ content="""
+Keys are properly pinned here
+
+ 1. Close the browser
+ 2. Remove all mentions of `fripost.org` in `~/.mozilla/firefox//SiteSecurityServiceState.txt`:
+
+ ~$ sed -i -r '/^(\S+\.)?fripost\.org:/d' ~/.mozilla/firefox//SiteSecurityServiceState.txt
+
+ 3. Start the browser (without HSTS or HPKP knowledge for `fripost.org` or any of its subdomains)
+ 4. Open `https://mail.fripost.org/` in a new tab
+ 5. (After waiting a few seconds to let firefox flush the data.) The
+ HSTS policy and the two pins appear in the file:
+
+ ~$ grep -E '^(\S+\.)?fripost\.org:' ~/.mozilla/firefox//SiteSecurityServiceState.txt
+ mail.fripost.org:HSTS 0 16898 1475812232563,1,1
+ mail.fripost.org:HPKP 0 16898 1460047832565,1,0,SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk=/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w=
+
+ There is no warning in the log, either.
+
+The root CA (*DST Root CA X3*) appear in Firefox's CA store as a \"Builtin Object Token\", while the intermediate CA (*Let's Encrypt Authority X3*) is supplied by the server and automatically stored by Firefox as a \"Software Security Device\".
+
+Do you have default settings for the `security.cert_pinning.*` [tunables](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)?
+
+ security.cert_pinning.enforcement_level = 1
+ security.cert_pinning.process_headers_from_non_builtin_roots = false
+
+Please also verify that you have no weird non-default tunables for `security.*`.
+"""]]
-- cgit v1.2.3
From d1ff296b501420dde7c8f4f7d1d6a0b6433304c2 Mon Sep 17 00:00:00 2001
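Review bot: The reproduction confirms pinning on an upstream build, but the diagnostic that would most directly explain the original report is left implicit: with the default `security.cert_pinning.process_headers_from_non_builtin_roots = false` (quoted at the end of the hunk), Firefox drops a `Public-Key-Pins` header whenever the chain's trust anchor is not served from the "Builtin Object Token", which is the case when a distribution builds Firefox against the system NSS / p11-kit trust store rather than the bundled root list — the later comment blaming Fedora's NSS build is consistent with this, though it is not confirmed on this page. I would add a step after the root-CA paragraph: `Check which security device *DST Root CA X3* is listed under in Preferences → Certificates; if it is not "Builtin Object Token", the pinning header is ignored without any console warning unless process_headers_from_non_builtin_roots is set to true.` Two caveats on the procedure itself: the `sed -i` step also discards the stored HSTS entry, so the test exercises only the first-visit path and cannot show whether a stale or conflicting cached entry was the trigger; and the hunk shows the stored hashes but never compares them with the `pin-sha256` values actually sent by the server, so a header that Firefox rejects as malformed (for example one lacking the backup pin RFC 7469 requires) would not be caught by this procedure.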
From: =?UTF-8?q?Gr=C3=A9goire?=
Date: Fri, 8 Apr 2016 11:50:11 +0200
Subject: Added a comment: Still a problem with http urls
---
.../comment_2_4156da3309262dc53fff06dbbbcbb30c._comment | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_4156da3309262dc53fff06dbbbcbb30c._comment
(limited to 'tracker/Public-Key-Pins_not_accepted_by_firefox')
diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_4156da3309262dc53fff06dbbbcbb30c._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_4156da3309262dc53fff06dbbbcbb30c._comment
new file mode 100644
index 0000000..ce90b13
--- /dev/null
+++ b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_4156da3309262dc53fff06dbbbcbb30c._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Grégoire"
+ avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad"
+ subject="Still a problem with http urls"
+ date="2016-04-08T09:50:11Z"
+ content="""
+Now some of the images work but not all. According to Firefox' console, http URLs are upgraded to https which may not work all the time.
+
+I don't know if it is possible but a better way to do this may be to use roundcube as a proxy for images and other inline content?
+"""]]
-- cgit v1.2.3
From 2048df04b79c9af07287d99ee7d627dd32d9849c Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Fri, 8 Apr 2016 14:06:10 +0200
Subject: =?UTF-8?q?Move=20Gr=C3=A9goire's=20comment=20to=20the=20right=20t?= =?UTF-8?q?icket.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../comment_2_4156da3309262dc53fff06dbbbcbb30c._comment | 10 ----------
1 file changed, 10 deletions(-)
delete mode 100644 tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_4156da3309262dc53fff06dbbbcbb30c._comment
(limited to 'tracker/Public-Key-Pins_not_accepted_by_firefox')
diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_4156da3309262dc53fff06dbbbcbb30c._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_4156da3309262dc53fff06dbbbcbb30c._comment
deleted file mode 100644
index ce90b13..0000000
--- a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_4156da3309262dc53fff06dbbbcbb30c._comment
+++ /dev/null
@@ -1,10 +0,0 @@
-[[!comment format=mdwn
- username="Grégoire"
- avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad"
- subject="Still a problem with http urls"
- date="2016-04-08T09:50:11Z"
- content="""
-Now some of the images work but not all. According to Firefox' console, http URLs are upgraded to https which may not work all the time.
-
-I don't know if it is possible but a better way to do this may be to use roundcube as a proxy for images and other inline content?
-"""]]
-- cgit v1.2.3
From d4c69bf473d62e8966d58dd3b174fda7037bc065 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire?=
Date: Fri, 8 Apr 2016 15:00:11 +0200
Subject: Added a comment: Whoops, not your fault ;-)
---
.../comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment
(limited to 'tracker/Public-Key-Pins_not_accepted_by_firefox')
diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment
new file mode 100644
index 0000000..85e2da6
--- /dev/null
+++ b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment
@@ -0,0 +1,10 @@
+[[!comment format=mdwn
+ username="Grégoire"
+ avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad"
+ subject="Whoops, not your fault ;-)"
+ date="2016-04-08T13:00:11Z"
+ content="""
+I looked into it a bit more and it seems that it's a bug in Firefox in fedora (something to do with the nss library being different).
+
+Sorry about the noise.
+"""]]
-- cgit v1.2.3