[Privoxy-devel] https inspection vs HPKP
Fabian Keil
fk at fabiankeil.de
Wed Jul 22 09:50:29 UTC 2020
Lee <ler762 at gmail.com> wrote:
> Is there a way to tell Firefox to not do certificate pinning if the
> cert comes from my bogus CA?
According to:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
this should happen by default:
| Firefox and Chrome disable pin validation for pinned hosts
| whose validated certificate chain terminates at a user-defined
| trust anchor (rather than a built-in trust anchor). This means
| that for users who imported custom root certificates all pinning
| violations are ignored.
Did you accept a website certificate manually before importing
the CA certificate?
If I remember correctly this can confuse Firefox.
> I just tried
> { +https-inspection }
> .googlevideo.com/
> .youtube.com/
>
> and got
>
> Secure Connection Failed
>
> An error occurred during a connection to www.youtube.com. The server
> uses key pinning (HPKP) but no trusted certificate chain could be
> constructed that matches the pinset. Key pinning violations cannot be
> overridden. Error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
Which Firefox version is this?
I thought HPKP was removed in recent versions.
Fabian