path: root/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment
[[!comment format=mdwn
 username="guilhem"
 avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28"
 subject="Unreproducible here (Firefox ESR 45.0.1)"
 date="2016-04-07T16:32:37Z"
 content="""
Keys are properly pinned here:

  1. Close the browser
  2. Remove all mentions of `fripost.org` in `~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt`:

        ~$ sed -i -r '/^(\S+\.)?fripost\.org:/d' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt
        
  3. Start the browser (without HSTS or HPKP knowledge for `fripost.org` or any of its subdomains)
  4. Open `https://mail.fripost.org/` in a new tab
  5. (After waiting a few seconds to let Firefox flush the data.) The
     HSTS policy and the two pins appear in the file:
     
        ~$ grep -E '^(\S+\.)?fripost\.org:' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt
        mail.fripost.org:HSTS   0   16898   1475812232563,1,1
        mail.fripost.org:HPKP   0   16898   1460047832565,1,0,SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk=/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w=
        
     There is no warning in the log, either.
 
The root CA (*DST Root CA X3*) appears in Firefox's CA store as a \"Builtin Object Token\", while the intermediate CA (*Let's Encrypt Authority X3*) is supplied by the server and automatically stored by Firefox as a \"Software Security Device\".

Do you have default settings for the `security.cert_pinning.*` [tunables](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)?

    security.cert_pinning.enforcement_level = 1
    security.cert_pinning.process_headers_from_non_builtin_roots = false

Please also verify that you have no weird non-default tunables for `security.*`.
"""]]