From 49504f2d0e8bfb55f72ca9d29bb3ab29810e182a Mon Sep 17 00:00:00 2001
From: guilhem <guilhem@web>
Date: Thu, 7 Apr 2016 18:32:37 +0200
Subject: Added a comment: Unreproducible here (Firefox ESR 45.0.1)

---
 ...ent_1_b4a4c48337c46bc9f2435fe6df8b382e._comment | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment

(limited to 'tracker')

diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment
new file mode 100644
index 0000000..6a15cd2
--- /dev/null
+++ b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment
@@ -0,0 +1,33 @@
+[[!comment format=mdwn
+ username="guilhem"
+ avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28"
+ subject="Unreproducible here (Firefox ESR 45.0.1)"
+ date="2016-04-07T16:32:37Z"
+ content="""
+Keys are properly pinned here 
+
+  1. Close the browser
+  2. Remove all mentions of `fripost.org` in `~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt`:
+
+        ~$ sed -i -r '/^(\S+\.)?fripost\.org:/d' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt
+        
+  3. Start the browser (without HSTS or HPKP knowledge for `fripost.org` or any of its subdomains)
+  4. Open `https://mail.fripost.org/` in a new tab
+  5. (After waiting a few seconds to let firefox flush the data.)  The 
+     HSTS policy and the two pins appear in the file:
+     
+        ~$ grep -E '^(\S+\.)?fripost\.org:' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt
+        mail.fripost.org:HSTS   0   16898   1475812232563,1,1
+        mail.fripost.org:HPKP   0   16898   1460047832565,1,0,SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk=/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w=
+        
+     There is no warning in the log, either.
+ 
+The root CA (*DST Root CA X3*) appear in Firefox's CA store as a \"Builtin Object Token\", while the intermediate CA (*Let's Encrypt Authority X3*) is supplied by the server and automatically stored by Firefox as a \"Software Security Device\".
+
+Do you have default settings for the `security.cert_pinning.*` [tunables](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)?
+
+    security.cert_pinning.enforcement_level = 1
+    security.cert_pinning.process_headers_from_non_builtin_roots = false
+
+Please also verify that you have no weird non-default tunables for `security.*`.
+"""]]
-- 
cgit v1.2.3