[+keeler, +cviecco]

On Tue, Jul 22, 2014 at 1:55 PM, Chris Palmer <pal...@google.com> wrote:
> On Tue, Jul 22, 2014 at 3:01 AM, Hubert Kario <hka...@redhat.com> wrote:
>
>>> I'm pretty sure Firefox merely remembers your decision to click
>>> through the warning, not that it pins the keys/certificates in the
>>> chain you clicked through on.
>>
>> No, I'm sure it remembers the certificate.
>
> 1. Generate a self-signed cert; configure Apache to use it; restart Apache.
> 2. Browse to the server with Firefox. Add Exception for the cert.
> 3. Quit Firefox; restart Firefox; browse to server again. Everything is good.
> 4. Generate a *new* self-signed cert; configure Apache to use it;
> restart Apache.
> 5. Quit Firefox; restart Firefox; browse to server again.
>
> Results:
>
> A. On first page-load after step (5), no certificate warning. (I
> assume a cached page was being shown.)
> B. Reload the page; now I get a cert warning as expected. But,
> crucially, this is not a key pinning validation failure; just an unknown
> authority error. (Error code: sec_error_untrusted_issuer)
Firefox's cert override mechanism uses a different pinning mechanism than the "key pinning" feature. Basically, Firefox saves a tuple (domain, port, cert fingerprint, isDomainMismatch, isValidityPeriodProblem, isUntrustedIssuer) into a database. When it encounters an untrusted certificate, it computes that tuple and tries to find a matching one in the database; if so, it allows the connection.

> C. I do the clicks to Add Exception, but it fails: In the Add Security
> Exception dialog, the [ ] Permanently store this exception checkbox is
> grayed out, and the [ Confirm Security Exception ] button is also
> grayed out. I can only click [ Cancel ].
>
> I take it this is a Firefox UI bug...? Everything was working as I
> expected except (C). I think the button and the checkbox should be
> active and should work as normal.

It seems like a UI bug to me.

Cheers,
Brian
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
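The tuple lookup Brian describes, as a small model added here (this is not Firefox code and not part of the thread). It assumes the fingerprint is SHA-256 over the certificate's DER bytes, uses constructed placeholder bytes rather than real certificates, and its flag names and NSS error-code mapping are this example's own simplification. It replays Chris Palmer's steps 1-5 to show why result (B) is an untrusted-issuer error rather than a pin failure: the regenerated cert has a new fingerprint, so the (host, port, fingerprint) lookup misses and the original validation error is simply shown again. It also goes one step beyond the thread by checking a cert that was excepted for one problem but now presents an additional one.

```python
"""Toy model of the Firefox certificate-override lookup described in the thread.

Added example, not Firefox's code. Fingerprint = SHA-256 over DER bytes
(assumed); the "DER" below is constructed placeholder data; flag names and
the error-code mapping are simplified for illustration.
"""
import hashlib

# Flags for the three override-able problems recorded with an exception.
# Names are this example's own, not Firefox's constants.
UNTRUSTED_ISSUER = 1 << 0   # isUntrustedIssuer
DOMAIN_MISMATCH = 1 << 1    # isDomainMismatch
VALIDITY_PERIOD = 1 << 2    # isValidityPeriodProblem


def fingerprint(cert_der: bytes) -> str:
    """Fingerprint used as the lookup key (SHA-256 over DER, assumed)."""
    return hashlib.sha256(cert_der).hexdigest()


class OverrideStore:
    """Maps (host, port, fingerprint) -> bitmask of errors the user accepted."""

    def __init__(self):
        self._db = {}  # constructed in memory; Firefox persists its table on disk

    def add_exception(self, host, port, cert_der, errors):
        """'Confirm Security Exception': remember this exact cert and its errors."""
        self._db[(host, port, fingerprint(cert_der))] = errors

    def has_override(self, host, port, cert_der, errors):
        """True only if this exact cert was excepted for every error seen now."""
        accepted = self._db.get((host, port, fingerprint(cert_der)))
        if accepted is None:
            return False  # different cert, host or port: no entry at all
        return errors & ~accepted == 0  # any new error type is also a miss


def verify(store, host, port, cert_der, errors):
    """Outcome of one connection: 'ok' or the error that surfaces to the user."""
    if errors == 0 or store.has_override(host, port, cert_der, errors):
        return "ok"
    # An override miss re-raises the ordinary validation error; nothing here
    # is a pin-validation failure, which matches result (B) in the thread.
    if errors & UNTRUSTED_ISSUER:
        return "sec_error_untrusted_issuer"
    if errors & DOMAIN_MISMATCH:
        return "ssl_error_bad_cert_domain"
    return "sec_error_expired_certificate"


def replay_thread_steps():
    """Walk Chris Palmer's steps 1-5 against the model and collect outcomes."""
    host, port = "test.example", 443  # constructed
    cert_a = b"constructed DER of self-signed cert #1"  # placeholder, not real DER
    cert_b = b"constructed DER of self-signed cert #2"  # regenerated cert, new key
    store = OverrideStore()
    results = {}

    # Step 2, first visit: self-signed, so the issuer is untrusted.
    results["step2_before_exception"] = verify(store, host, port, cert_a, UNTRUSTED_ISSUER)
    store.add_exception(host, port, cert_a, UNTRUSTED_ISSUER)  # Add Exception
    # Step 3: same cert, same error -> tuple matches.
    results["step3_same_cert"] = verify(store, host, port, cert_a, UNTRUSTED_ISSUER)
    # Step 5 / result B: new cert, new fingerprint -> tuple misses.
    results["step5_new_cert"] = verify(store, host, port, cert_b, UNTRUSTED_ISSUER)
    # Beyond the thread: excepted cert that now also has a name mismatch.
    results["same_cert_new_error"] = verify(
        store, host, port, cert_a, UNTRUSTED_ISSUER | DOMAIN_MISMATCH)
    return results


if __name__ == "__main__":
    for step, outcome in replay_thread_steps().items():
        print(f"{step}: {outcome}")
```

The point the model makes concrete is that the override is keyed by the certificate itself, not by the user's decision about the site: change the cert and the stored tuple no longer applies, and the user is back at the same unknown-authority page they started from.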