Join the Mozilla’s Test Days event from Dec 2–8 to test the new Firefox address bar on Firefox Beta 134 and get a chance to win Mozilla swag vouchers! 🎁

Mozilla 도움말 검색

고객 지원 사기를 피하세요. 저희는 여러분께 절대로 전화를 걸거나 문자를 보내거나 개인 정보를 공유하도록 요청하지 않습니다. "악용 사례 신고"옵션을 사용하여 의심스러운 활동을 신고해 주세요.

자세히 살펴보기

MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE due to proxy self-signed certificate

  • 4 답장
  • 4 이 문제를 만남
  • 1 보기
  • 최종 답변자: artu72

more options

Upgrading from Firefox 49 to 50 in Linux i get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through company proxy. I use CNTLM service since the proxy is using NTLM protocol and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings with a security error report that you can find below.

------------------------

SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.

------------------------

Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM).

------------------------

Secure Resources All resources on this page are served securely.

Upgrading from Firefox 49 to 50 in Linux i get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through company proxy. I use CNTLM service since the proxy is using NTLM protocol and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings with a security error report that you can find below. ------------------------ SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1. ------------------------ Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM). ------------------------ Secure Resources All resources on this page are served securely.

모든 댓글 (4)

more options

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall.

You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended)

Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment.

I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

more options

jskier said

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

more options

artu72 said

jskier said
My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains it's own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

more options

jskier said

artu72 said
jskier said
My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains it's own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

Thank you for reply. A question, how can I check the trust of the certificate? About HSTS header, I will ask to sysadm's.