Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE due to proxy self-signed certificate

  • 4 respostas
  • 4 have this problem
  • 18 views
  • Last reply by artu72

more options

Upgrading from Firefox 49 to 50 in Linux i get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through company proxy. I use CNTLM service since the proxy is using NTLM protocol and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings with a security error report that you can find below.

------------------------

SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.

------------------------

Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM).

------------------------

Secure Resources All resources on this page are served securely.

Upgrading from Firefox 49 to 50 in Linux i get the message "Secure Connection Failed" with error MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE. I am sure that message is due to the self-signed certificate for HTTPS connections through company proxy. I use CNTLM service since the proxy is using NTLM protocol and I have set "System proxy settings" in Network properties. I have searched for something related to certificates and proxy in the changelog from 49 to 50, but I have found nothing. By the way, Chrome 54 is working properly with the same proxy settings with a security error report that you can find below. ------------------------ SHA-1 Certificate The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1. ------------------------ Secure Connection The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and a strong cipher (AES_128_GCM). ------------------------ Secure Resources All resources on this page are served securely.

All Replies (4)

more options

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall.

You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended)

Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment.

I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

more options

jskier said

My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

more options

artu72 said

jskier said
My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains it's own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

more options

jskier said

artu72 said
jskier said
My understanding is this has to do with a security vulnerability related to key pinning earlier this fall. You can work (not a fix) around this by changing this key value in about:config: security.cert_pinning.enforcement_level to 0 (not recommended) Strangely, this problem does not happen in Firefox 50 Windows (x64) with enforcement level left at 1 in the same environment. I am having an identical problem, it only happens when I'm using a transparent proxy environment with MITM self signed certificate and in Linux. I have tried a fresh profile, but it still occurs.

Unfortunately, this setting does not solve the problem :( I have Firefox running properly in Windows in the same network environment also.

Here is a screenshot when i try to go to a https site. Http sites are loaded fine, however.

Thank you.

Okay, that is a different error now. Firefox maintains it's own certificate store, which I'm assuming you added the cert for your proxy to? Make sure the trust of that certificate is correct (I had this problem in the past). Also, your proxy needs to support the HSTS header.

Thank you for reply. A question, how can I check the trust of the certificate? About HSTS header, I will ask to sysadm's.