Vanwege onderhoudswerkzaamheden die uw ervaring zouden moeten verbeteren, heeft deze website beperkte functionaliteit. Als een artikel uw probleem niet verhelpt en u een vraag wilt stellen, kan onze ondersteuningsgemeenschap u helpen in @FirefoxSupport op Twitter en /r/firefox op Reddit.

Zoeken in Support

Vermijd ondersteuningsscams. We zullen u nooit vragen een telefoonnummer te bellen, er een sms naar te sturen of persoonlijke gegevens te delen. Meld verdachte activiteit met de optie ‘Misbruik melden’.

Meer info

Deze conversatie is gearchiveerd. Stel een nieuwe vraag als u hulp nodig hebt.

Firefox refuses connection to my own server because of cert pinning

  • 3 antwoorden
  • 4 hebben dit probleem
  • 1 weergave
  • Laatste antwoord van cor-el

more options

I am running a web server. In order to make use of ssl, I created my own certificate authority and issued a certificate for my website. I installed the root certificate of my authority in Firefox and trusted it to identify websites. This used to work perfectly, but now I get the following error:

An error occurred during a connection to dark.gollum.cat. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)

A bit of research indicates that this is related to certificate pinning. While I understand that certificate pinning is a good thing, how can I do to visit my website with Firefox? I miss a way to add an exception of some sort. How do I tell Firefox that I KNOW the certificate I'm receiving is trusted because I created the certificate myself?

For instance, Chrome does give me an error too (by the way, significantly more descriptive and useful than the one Firefox gives), but allows me to bypass it and visit the website anyway.

Thanks for the help.

I am running a web server. In order to make use of ssl, I created my own certificate authority and issued a certificate for my website. I installed the root certificate of my authority in Firefox and trusted it to identify websites. This used to work perfectly, but now I get the following error: An error occurred during a connection to dark.gollum.cat. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der) A bit of research indicates that this is related to certificate pinning. While I understand that certificate pinning is a good thing, how can I do to visit my website with Firefox? I miss a way to add an exception of some sort. How do I tell Firefox that I KNOW the certificate I'm receiving is trusted because I created the certificate myself? For instance, Chrome does give me an error too (by the way, significantly more descriptive and useful than the one Firefox gives), but allows me to bypass it and visit the website anyway. Thanks for the help.

Alle antwoorden (3)

more options

See:

security.cert_pinning.enforcement_level
0. Pinning disabled
1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
2. Strict. Pinning is always enforced.
3. Enforce test mode.
more options

Thanks for your reply @cor-el.

I understand that the default setting is what I need, and I have checked in about:config that my firefox is indeed at the default enforcement level of 1. What I don't see is how am I supposed to tell firefox that my CA is user inserted. I imported the CA root certificate manually into the "autorities" section of the certificate repo, but apparently firefox does not identify it as user inserted, since it is trying to enforce pinning when I visit my website.

So, how do I tell firefox that my certificate is user inserted?

Thanks again.

more options

Best would be to ask experts, either on stackoverflow or via a news group or via IRC.

Bewerkt door cor-el op