Funkcjonalność tej witryny będzie ograniczona w czasie konserwacji. Jeśli artykuł nie rozwiązuje twojego problemu i chcesz zadać pytanie, to nasza społeczność wsparcia jest dostępna na @FirefoxSupport na Twitterze i /r/firefox na Reddicie.

Przeszukaj pomoc

Unikaj oszustw związanych z pomocą.Nigdy nie będziemy prosić Cię o dzwonienie na numer telefonu, wysyłanie SMS-ów ani o udostępnianie danych osobowych. Zgłoś podejrzaną aktywność, korzystając z opcji „Zgłoś nadużycie”.

Więcej informacji

Firefox refuses connection to my own server because of cert pinning

  • 3 odpowiedzi
  • 4 osoby mają ten problem
  • 3 wyświetlenia
  • Ostatnia odpowiedź od cor-el

more options

I am running a web server. In order to make use of ssl, I created my own certificate authority and issued a certificate for my website. I installed the root certificate of my authority in Firefox and trusted it to identify websites. This used to work perfectly, but now I get the following error:

An error occurred during a connection to dark.gollum.cat. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)

A bit of research indicates that this is related to certificate pinning. While I understand that certificate pinning is a good thing, how can I do to visit my website with Firefox? I miss a way to add an exception of some sort. How do I tell Firefox that I KNOW the certificate I'm receiving is trusted because I created the certificate myself?

For instance, Chrome does give me an error too (by the way, significantly more descriptive and useful than the one Firefox gives), but allows me to bypass it and visit the website anyway.

Thanks for the help.

I am running a web server. In order to make use of ssl, I created my own certificate authority and issued a certificate for my website. I installed the root certificate of my authority in Firefox and trusted it to identify websites. This used to work perfectly, but now I get the following error: An error occurred during a connection to dark.gollum.cat. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der) A bit of research indicates that this is related to certificate pinning. While I understand that certificate pinning is a good thing, how can I do to visit my website with Firefox? I miss a way to add an exception of some sort. How do I tell Firefox that I KNOW the certificate I'm receiving is trusted because I created the certificate myself? For instance, Chrome does give me an error too (by the way, significantly more descriptive and useful than the one Firefox gives), but allows me to bypass it and visit the website anyway. Thanks for the help.

Wszystkie odpowiedzi (3)

more options

See:

security.cert_pinning.enforcement_level
0. Pinning disabled
1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
2. Strict. Pinning is always enforced.
3. Enforce test mode.
more options

Thanks for your reply @cor-el.

I understand that the default setting is what I need, and I have checked in about:config that my firefox is indeed at the default enforcement level of 1. What I don't see is how am I supposed to tell firefox that my CA is user inserted. I imported the CA root certificate manually into the "autorities" section of the certificate repo, but apparently firefox does not identify it as user inserted, since it is trying to enforce pinning when I visit my website.

So, how do I tell firefox that my certificate is user inserted?

Thanks again.

more options

Best would be to ask experts, either on stackoverflow or via a news group or via IRC.

Zmodyfikowany przez cor-el w dniu