FS#43971 - [nss] HTTP Public Key Pinning (HPKP) broken in all browsers depending on package nss
Attached to Project:
Arch Linux
Opened by Holger (Holger) - Friday, 27 February 2015, 10:57 GMT
Last edited by Evangelos Foutras (foutrelis) - Wednesday, 01 April 2015, 08:17 GMT
Details
Description:
Upon first visit of an https website that announces which public keys may be used by its domain (optionally including all sub-domains), the announced key hashes are supposed to be stored in the browser. HPKP-supporting browsers like Firefox and Chromium/Chrome do so, but on Arch Linux neither of them blocks access to the domain (or one of its sub-domains) when an unannounced public key appears. You can check what hashes are stored in Chromium/Chrome by opening <chrome://net-internals/#hsts>. I'm not sure if the reason for this HPKP-breaking behavior is really in nss but it's the only common package.

Package versions:
nss 3.17.4-1
firefox 36.0-1
chromium 40.0.2214.115-1 (Chrome 40.0.2214.115 extracted from <https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb>)

Steps to reproduce:
Go to <https://projects.dm.id.lv/Public-Key-Pins_test> with FF or Chromium/Chrome.
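The report describes the two halves of HPKP that a browser has to get right: noting the pins announced on a first visit, and refusing later connections whose chain contains none of the pinned keys. The following Python model of that logic is an added example for this page, not code from the bug report, from nss, p11-kit or any browser. The SPKI byte strings are constructed stand-ins (a real client hashes the DER SubjectPublicKeyInfo of each certificate in the validated chain), the header value is built from them, and the hostname from the report is used only as a label. The Arch failure described above corresponds to the "rogue_key_blocked" check coming back False.

```python
import base64
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
LEAF_SPKI = b"constructed-spki-of-the-site-leaf-key"
CA_SPKI = b"constructed-spki-of-the-issuing-ca-key"
BACKUP_SPKI = b"constructed-spki-of-an-offline-backup-key"
ROGUE_SPKI = b"constructed-spki-of-a-key-the-site-never-announced"


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value as RFC 7469 defines it: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinEntry:
    pins: set               # base64 SHA-256 SPKI hashes announced by the host
    expires_at: float       # absolute time after which the pins are forgotten
    include_subdomains: bool


def parse_hpkp(header_value: str):
    """Parse a Public-Key-Pins value into (pins, max_age, include_subdomains).

    Returns None when the header is unusable: no max-age, or fewer than two
    pins (RFC 7469 requires a backup pin next to the one for the live key).
    """
    pins, max_age, include_subdomains = set(), None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256" and value:
            pins.add(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or len(pins) < 2:
        return None
    return pins, max_age, include_subdomains


class PinStore:
    """Minimal model of the per-host pin cache a browser keeps."""

    def __init__(self):
        self.entries = {}

    def note(self, host, header_value, chain_spkis, now):
        """Record pins after a successful TLS connection to `host`.

        Pins are noted only if one of them matches the chain just validated;
        otherwise a misconfigured header would lock users out of the site.
        """
        parsed = parse_hpkp(header_value)
        if parsed is None:
            return False
        pins, max_age, include_subdomains = parsed
        if not pins & {spki_pin(s) for s in chain_spkis}:
            return False
        if max_age == 0:  # max-age=0 is how a host retracts its pins
            self.entries.pop(host, None)
            return True
        self.entries[host] = PinEntry(pins, now + max_age, include_subdomains)
        return True

    def lookup(self, host, now):
        """Unexpired entry for `host`, or for a parent that pinned subdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires_at <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return entry
        return None

    def validate(self, host, chain_spkis, now):
        """True if the connection may proceed: nothing pinned, or a pin matches."""
        entry = self.lookup(host, now)
        if entry is None:
            return True
        return bool(entry.pins & {spki_pin(s) for s in chain_spkis})


def run_scenario():
    """Replay the report: first visit notes pins, later visits are checked."""
    header = (
        f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
        "max-age=5184000; includeSubDomains"
    )
    store, t0, host = PinStore(), 1_000_000.0, "projects.dm.id.lv"
    return {
        "noted": store.note(host, header, [LEAF_SPKI, CA_SPKI], t0),
        "same_key_ok": store.validate(host, [LEAF_SPKI, CA_SPKI], t0 + 60),
        "rogue_key_blocked": not store.validate(host, [ROGUE_SPKI, CA_SPKI], t0 + 60),
        "subdomain_blocked": not store.validate("www." + host, [ROGUE_SPKI], t0 + 60),
        "expired_not_enforced": store.validate(host, [ROGUE_SPKI], t0 + 5184001),
    }


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

Two design points carry over to real clients: pins are never noted unless the current chain already satisfies them, so a bad header cannot brick a site on first contact, and the subdomain walk starts at the exact host and only honours parent entries that set includeSubDomains. Both checks are pure functions of the stored pins and the presented chain, which is why the trust-store wiring (the p11-kit module this report turned out to involve) must not interfere with the SPKI hashes the browser compares.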
Closed by Evangelos Foutras (foutrelis)
Wednesday, 01 April 2015, 08:17 GMT
Reason for closing: Fixed
Additional comments about closing: nss 3.18-3, p11-kit 0.23.1-2

Same behaviour with firefox 36.0.1-1

Problem with the p11-kit integration; reverting to stock libnssckbi.so makes HPKP work, but we lose control over the CA certs.

This should be solved with nss 3.18-3 and p11-kit 0.23.1-2 (currently in [testing]).

I confirm that it's now working in both FF and chromium, thanks!