[Privoxy-devel] https inspection fail
Lee
ler762 at gmail.com
Sun Aug 2 09:27:58 UTC 2020
On 7/22/20, Lee <ler762 at gmail.com> wrote:
> On 7/22/20, Fabian Keil <fk at fabiankeil.de> wrote:
>> Lee <ler762 at gmail.com> wrote:
Should we be keeping a list of reasons why https inspection might fail?
My latest shot to the foot with Firefox:
network.security.esni.enabled set to TRUE
DoH enabled
https-inspection fails
change
network.security.esni.enabled set to FALSE
https-inspection works
Lee
>>> Is there a way to tell Firefox to not do certificate pinning if the
>>> cert comes from my bogus CA?
>>
>> According to:
>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
>> this should happen by default:
>>
>> | Firefox and Chrome disable pin validation for pinned hosts
>> | whose validated certificate chain terminates at a user-defined
>> | trust anchor (rather than a built-in trust anchor). This means
>> | that for users who imported custom root certificates all pinning
>> | violations are ignored.
>
> Right. I shot myself in the foot - I had this bit in my user.js
> // security.cert_pinning.enforcement_level
> // 0. Pinning disabled
> // 1. Allow User MITM (pinning not enforced if the trust anchor is a user inserted CA, default)
> // 2. Strict. Pinning is always enforced.
> // 3. Enforce test mode.
> user_pref("security.cert_pinning.enforcement_level", 2);
>
> Set it back to a 1 and YouTube works again
>
> Lee
>
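
An added example, not part of the original message or of Privoxy's code: a Python check that scans a Firefox user.js for the two settings this thread reports as breaking HTTPS inspection. The function names and the sample file contents are constructed for illustration.

```python
import re

# Prefs reported in this thread as breaking HTTPS inspection:
# name -> (value that broke it, value reported to work)
BREAKING_PREFS = {
    "network.security.esni.enabled": (True, False),        # seen with DoH enabled
    "security.cert_pinning.enforcement_level": (2, 1),     # 2 = strict pinning
}

# user_pref("name", value); where value is a bool, an integer or a quoted string.
# Lines starting with // do not match; /* ... */ blocks are not handled.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    return raw[1:-1] if raw.startswith('"') else int(raw)

def parse_prefs(text):
    """Return {name: value}; the last assignment of a pref wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def find_breaking(text):
    """List (name, breaking_value, working_value) for prefs set to the breaking value."""
    prefs = parse_prefs(text)
    return [(name, bad, good)
            for name, (bad, good) in BREAKING_PREFS.items()
            # type check keeps integer 1 from comparing equal to True
            if name in prefs and type(prefs[name]) is type(bad) and prefs[name] == bad]

# Constructed sample user.js, not taken from the thread
SAMPLE_USER_JS = '''\
user_pref("network.security.esni.enabled", true);
// user_pref("security.cert_pinning.enforcement_level", 0);
user_pref("security.cert_pinning.enforcement_level", 2);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for name, bad, good in find_breaking(SAMPLE_USER_JS):
        print(f"{name} = {bad!r}: reported to break HTTPS inspection; {good!r} worked")
```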