FS#52080 - [firefox] 50.0.2-1 SSL errors behind ssl scanning proxy
Attached to Project:
Arch Linux
Opened by Ido van Verseveld (idovitz) - Thursday, 08 December 2016, 10:54 GMT
Last edited by Evangelos Foutras (foutrelis) - Monday, 16 April 2018, 23:12 GMT
Details
From Firefox 50+ I got SSL errors on my work PC:

configuration: firefox 50+ <= proxy 8080 => SOPHOS UTM ssl scanning <= ssl connection => webserver

I added a signing proxy CA cert in Firefox. On some sites SSL is going well; on some sites:

error 1: An error occurred during a connection to accounts.google.com. The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden. Error code: MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

error 2: Normal SSL error about the match cert common vs domain. See attached screenshot.

I checked the cert, the proxy is generating a valid cert. This is only the case when using a 50+ Arch build. Releases for Linux/Windows downloaded from mozilla.com are working fine. Is there a certain patch or build option different, causing this?
Closed by Evangelos Foutras (foutrelis)
Monday, 16 April 2018, 23:12 GMT
Reason for closing: Fixed
Additional comments about closing: Probably fixed since Firefox 54.
When switching the proxy setting to "no proxy" in Firefox, while the firewall is still MITM attacking in a transparent way, all SSL sites are working well.
Additionally, I would like to confirm the pinning errors since 50 hit the repos whilst using a transparent proxy. This occurs for some sites (primarily google.com, and its other web services like YouTube and GMail are also causing this error). If I don't use the proxy at all (or change enforcement to 0), no problems at all.
What is a bigger problem: I am also experiencing error 2 with our own custom internal CA. The update to FF 50 causes SSL_ERROR_BAD_CERT_DOMAIN errors even though the certificate is matching the URL (FF 49, openssl and epiphany have no problems and verify the certificate as valid). This only occurs on Arch and FF 50; Windows/Debian/Ubuntu builds of FF 50 are fine.
I'm attaching a screenshot where you can see the CN of the certificate matches the web server IP address.
The certificate used is signed by a private CA which is trusted in the browser.
I noticed the erroneous behavior after installing a newly signed certificate as the original certificate was about to expire. Both certificates are signed by the same CA. The problem is present even if I generate a certificate with identical extensions and other fields. The certificates differ only in dates, keys and key IDs and the new one still doesn't work in the current Arch Firefox. The old one works without a problem. We don't use certificate pinning. This happens on all services where I install a new certificate. Old certificates work, the new don't.
The old certificate as well as the current one work in vanilla Firefox binary (downloaded from www.firefox.com as tar archive) and also in Chrome.
EDIT: Attached a better screenshot.
Screenshot_20170104_142634.png (59.4 KiB)
The SAN requirement is a part of the CA/Browser Forum Baseline Requirements and has been required since October 2016 (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf, chapter 7.1.4.2.1).
It looks like Mozilla has started enforcing the rule in nightly/aurora builds of Firefox some time ago. Maybe it is enabled in the source tarball too.
In any case, issue 2 was not a bug in my case.
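The behaviour described in this comment (the old certificate accepted, the renewed one with the same CN and no SAN rejected with SSL_ERROR_BAD_CERT_DOMAIN) as an added example, not code from this thread or from Firefox: a Python model of SAN-only hostname matching with a date-gated legacy CN fallback. The sample certificates, the IP address and the cutoff date are constructed assumptions, not Mozilla's values.

```python
import ipaddress
from datetime import date

# Constructed sample certificates modelled on the thread: same CA, CN set to the
# server's IP address, no subjectAltName; they differ only in issue date.
OLD_CERT = {"cn": "10.0.0.5", "san_dns": [], "san_ip": [], "not_before": date(2015, 6, 1)}
NEW_CERT = {"cn": "10.0.0.5", "san_dns": [], "san_ip": [], "not_before": date(2016, 12, 20)}
# The fix: re-issue with an iPAddress SAN entry (constructed example).
FIXED_CERT = {"cn": "10.0.0.5", "san_dns": [], "san_ip": ["10.0.0.5"], "not_before": date(2016, 12, 20)}

# Assumed cutoff: CN is only consulted for certificates issued before this date.
# This is a parameter of the model, not a claim about Firefox's exact date.
CN_FALLBACK_CUTOFF = date(2016, 8, 23)

def dns_matches(pattern, host):
    """RFC 6125 style match: exact name, or a single leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and never a two-label name like *.com.
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]

def hostname_matches(cert, reference, cn_fallback_before=CN_FALLBACK_CUTOFF):
    """Return (ok, reason). Only the SAN extension names the server; the CN is a
    legacy fallback used only when there is no SAN and the cert is old enough."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(s) == ip for s in cert["san_ip"]):
            return True, "iPAddress SAN matches"
    elif any(dns_matches(p, reference) for p in cert["san_dns"]):
        return True, "dNSName SAN matches"
    if cert["san_dns"] or cert["san_ip"]:
        return False, "SAN present but no entry matches; CN is ignored"
    if cn_fallback_before is not None and cert["not_before"] < cn_fallback_before:
        cn_ok = cert["cn"] == reference if ip is not None else dns_matches(cert["cn"], reference)
        if cn_ok:
            return True, "legacy CN fallback (no SAN, certificate issued before cutoff)"
    return False, "no SAN and CN fallback not allowed: SSL_ERROR_BAD_CERT_DOMAIN"
```

Passing `cn_fallback_before=None` models a client that never consults the CN, which is what the Baseline Requirements permit browsers to do.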
Can someone please test if the Firefox 54.0a2 prerelease at https://pkgbuild.com/~heftig/packages/firefox-developer-edition/ (grab one of the built packages) behaves better in combination with [testing]?