Enable HPKP for internal CA
I know that: Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning)
However, there are settings that seem to override that and force user-defined CAs to be checked against HPKP:
The pinning level is enforced by a pref, security.cert_pinning.enforcement_level
0. Pinning disabled
1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
2. Strict. Pinning is always enforced.
3. Enforce test mode.
(https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)
I tried setting it to "3", but that still does not allow certs issued by an internal CA to be protected using HPKP: Public-Key-Pins: The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored.
Is there a way to force FF to protect internal certs too?
Thanks
by gwint
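Whatever enforcement level the browser applies, the Public-Key-Pins header itself has to carry SHA-256 hashes of the SubjectPublicKeyInfo of the keys to trust, and at least two of them. The following is an added example, not part of the original post, that builds the pin-sha256 value for an internal CA's RSA public key and assembles the header with a backup pin; the key material is constructed, and the helper names (`rsa_spki`, `pin_sha256`, `public_key_pins_header`) are my own.

```python
import base64
import hashlib
# OID 1.2.840.113549.1.1.1 (rsaEncryption), pre-encoded as tag 0x06 + length + content
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

def der_len(n):
    # DER length octets: short form below 128, long form (0x8N + N bytes) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    # DER INTEGER; a leading 0x00 keeps values with the top bit set positive
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def rsa_spki(n, e):
    # SubjectPublicKeyInfo for an RSA key: HPKP hashes this structure (RFC 7469),
    # not the whole certificate, so a re-issued cert with the same key keeps its pin
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption + NULL params
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))

def pin_sha256(spki_der):
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def public_key_pins_header(pins, max_age, include_subdomains=False):
    # RFC 7469 requires at least two pins so a backup key can be rotated in
    # without locking clients out of the site
    if len(pins) < 2:
        raise ValueError("HPKP needs the active pin plus at least one backup pin")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)

def sample_modulus(label):
    # Constructed sample: a deterministic 2048-bit odd pattern, not a real RSA key;
    # the pin only depends on the encoded SPKI bytes, so this is enough to demonstrate it
    return int.from_bytes(hashlib.sha512(label).digest() * 4, "big") | (1 << 2047) | 1
INTERNAL_CA_PIN = pin_sha256(rsa_spki(sample_modulus(b"internal-ca"), 65537))
BACKUP_CA_PIN = pin_sha256(rsa_spki(sample_modulus(b"backup-ca"), 65537))
HEADER = public_key_pins_header([INTERNAL_CA_PIN, BACKUP_CA_PIN], 5184000, True)
print("Public-Key-Pins: " + HEADER)
```

For a real CA certificate the same value comes from `openssl x509 -in ca.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, which hashes exactly the DER SPKI built above.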