Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Este site está com funcionalidades limitadas enquanto realizamos manutenção para melhorar sua experiência de uso. Se nenhum artigo resolver seu problema e você quiser fazer uma pergunta, nossa comunidade de suporte pode te ajudar em @FirefoxSupport no Twitter e /r/firefox no Reddit.

Pesquisar no site de suporte

Evite golpes de suporte. Nunca pedimos que você ligue ou envie uma mensagem de texto para um número de telefone, ou compartilhe informações pessoais. Denuncie atividades suspeitas usando a opção “Denunciar abuso”.

Saiba mais

Esta discussão foi arquivada. Faça uma nova pergunta se precisa de ajuda.

MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE due to proxy self-signed certificate

  • 4 respostas
  • 4 têm este problema
  • 1 exibição
  • Última resposta de artu72

more options

Upgrading from Firefox 49 to 50 in Linux i get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through company proxy. I use CNTLM service since the proxy is using NTLM protocol and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings with a security error report that you can find below.

------------------------

SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.

------------------------

Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM).

------------------------

Secure Resources All resources on this page are served securely.

Upgrading from Firefox 49 to 50 in Linux i get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through company proxy. I use CNTLM service since the proxy is using NTLM protocol and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings with a security error report that you can find below. ------------------------ SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1. ------------------------ Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM). ------------------------ Secure Resources All resources on this page are served securely.

Todas as respostas (4)

more options

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall.

You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended)

Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment.

I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

more options

jskier said

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

more options

artu72 said

jskier said
My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains it's own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

more options

jskier said

artu72 said
jskier said
My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains it's own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

Thank you for reply. A question, how can I check the trust of the certificate? About HSTS header, I will ask to sysadm's.