為了改善您的使用體驗,本網站正在進行維護,部分功能暫時無法使用。若本站的文件無法解決您的問題,想要向社群發問的話,請到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 發問,我們的社群成員將很快會回覆您的疑問。

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE due to proxy self-signed certificate

  • 4 回覆
  • 4 有這個問題
  • 1 次檢視
  • 最近回覆由 artu72

more options

Upgrading from Firefox 49 to 50 in Linux i get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through company proxy. I use CNTLM service since the proxy is using NTLM protocol and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings with a security error report that you can find below.

------------------------

SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.

------------------------

Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM).

------------------------

Secure Resources All resources on this page are served securely.

Upgrading from Firefox 49 to 50 in Linux i get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through company proxy. I use CNTLM service since the proxy is using NTLM protocol and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings with a security error report that you can find below. ------------------------ SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1. ------------------------ Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM). ------------------------ Secure Resources All resources on this page are served securely.

所有回覆 (4)

more options

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall.

You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended)

Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment.

I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

more options

jskier said

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

more options

artu72 said

jskier said
My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains it's own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

more options

jskier said

artu72 said
jskier said
My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains it's own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

Thank you for reply. A question, how can I check the trust of the certificate? About HSTS header, I will ask to sysadm's.