This thread was archived. Please ask a new question if you need help.

MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE due to proxy self-signed certificate

  • 4 replies
  • 4 have this problem
  • 1 view
  • Last reply by artu72

Upgrading from Firefox 49 to 50 in Linux, I get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through the company proxy. I use the CNTLM service since the proxy is using the NTLM protocol, and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings, with a security error report that you can find below.

------------------------

SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.

------------------------

Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM).

------------------------

Secure Resources All resources on this page are served securely.

All replies (4)

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall.

You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended)

Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment.

I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

jskier said

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when I try to go to an HTTPS site. HTTP sites are loaded fine, however.

Thank you.

artu72 said

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when I try to go to an HTTPS site. HTTP sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains its own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

jskier said

Okay, that is a different error now. Firefox maintains its own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

Thank you for the reply. A question: how can I check the trust of the certificate? About the HSTS header, I will ask the sysadmins.
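
One way to check the certificate trust asked about above, as an added example that is not part of the original thread: Firefox keeps its certificates in an NSS database, and NSS's `certutil -L` lists each entry with its trust attributes. The script below reads such a listing and reports whether a given nickname carries the `C` flag (trusted CA for server certificates) in the SSL field; the listing, nicknames and `PROFILE_DIR` are constructed placeholders.

```shell
# Added example. The listing below is a constructed sample of
# `certutil -L -d <profile dir>` output; the nicknames are made up.
sample_listing() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Proxy CA                                        CT,C,C
Example Corp Proxy CA (untrusted import)                     ,,
Example Intermediate                                         c,,
EOF
}

# ssl_flags NICKNAME: read a certutil -L listing on stdin and print the SSL
# trust field (first of the three comma-separated fields) for NICKNAME.
# Returns 1 if the nickname is not in the listing.
ssl_flags() {
    awk -v nick="$1" '
    {
        line = $0
        sub(/[ \t]+$/, "", line)             # drop trailing whitespace
        n = split(line, parts, /[ \t]+/)
        trust = parts[n]                     # last column, e.g. "CT,C,C"
        name = line
        sub(/[ \t]+[^ \t]+$/, "", name)      # everything before that column
        if (name == nick && trust ~ /^[a-zA-Z]*,[a-zA-Z]*,[a-zA-Z]*$/) {
            split(trust, f, ",")
            print f[1]
            found = 1
            exit
        }
    }
    END { exit !found }'
}

# trust_verdict NICKNAME: a root that re-signs HTTPS traffic needs "C"
# (trusted CA for server certificates) in the SSL field; "c" alone only
# marks the certificate as a valid CA, not a trusted one.
trust_verdict() {
    if ! flags=$(ssl_flags "$1"); then echo "missing"; return 0; fi
    case "$flags" in
        *C*) echo "trusted-ssl-ca" ;;
        *)   echo "not-trusted-for-ssl" ;;
    esac
}

# Real use (profile path and nickname are placeholders):
#   certutil -L -d "$PROFILE_DIR" | trust_verdict "<proxy CA nickname>"
sample_listing | trust_verdict "Example Corp Proxy CA"
```

Depending on the Firefox and NSS versions, the `-d` argument may need a `sql:` or `dbm:` prefix to select the database format.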