Closed Bug 1156073 Opened 9 years ago Closed 9 years ago

Public Key Pinning is deactivated when the SSL Certificate is invalid

Categories

(Firefox :: Untriaged, defect)

38 Branch
x86_64
Linux
defect
Not set
normal


RESOLVED DUPLICATE of bug 1147497

People

(Reporter: king.jan1999.jr, Unassigned)

Details

(Keywords: sec-moderate)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150417183332

Steps to reproduce:

1. Set up a website on localhost, add an SSL certificate with an invalid common name and add public key pinning for this website (my virtualhost config: https://pastebin.mozilla.org/8830630, certificate: https://pastebin.mozilla.org/8830631; I removed some personal data. jan-ubuntu.de and ultimo.de are both routed to 127.0.0.1 in /etc/hosts).
2. Open the website and add an exception (I think many users would do so, because they know that the website owner can't afford a certificate or they want to visit the website). Result: something like http://abload.de/img/ff1l4lz1.png, http://abload.de/img/cert10yxa8.png
3. Change the SSL certificate, use an invalid common name (certificate: https://pastebin.mozilla.org/8830632).
4. Open the website again.

I used Firefox Beta (38.0) on Ubuntu (14.10) and a new profile to reproduce this.

Actual results:

I can add an exception for the website and visit it (http://abload.de/img/ff2uraq7.png, http://abload.de/img/cert2esb4s.png). Actually the HTTP header is sent both times (http://abload.de/img/pkp1i2yyb.png), but is simply ignored by Firefox.

Expected results:

I am not able to add an exception and Firefox prevents me from visiting the site (like on the picture: http://abload.de/img/expectedd5ymg.png).
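A small model of the RFC 7469 rules for noting and validating pins, added here as an illustration; it is not code from the report or from Firefox, and the SPKI bytes, the use of jan-ubuntu.de as the host and the SSL_ERROR_BAD_CERT_DOMAIN error name are constructed or assumed. `reproduce()` walks the report's steps: the Public-Key-Pins header that arrives on the connection with the certificate error (step 2) is never noted, so step 4 is subject only to ordinary certificate checks, whereas the same header received over an error-free connection would make the second certificate a hard pin failure.

```python
import base64
import hashlib
from dataclasses import dataclass, field
# Constructed stand-ins for each certificate's DER SubjectPublicKeyInfo (not the real keys).
SPKI_CERT_1 = b"constructed-spki-first-localhost-cert"
SPKI_CERT_2 = b"constructed-spki-second-localhost-cert"
SPKI_BACKUP = b"constructed-spki-offline-backup-key"

def spki_pin(spki_der: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()  # base64(SHA-256(SPKI))

def parse_pkp(header: str) -> set:
    pins = set()  # the pin-sha256 directives of a Public-Key-Pins header value
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "pin-sha256":
            pins.add(value.strip().strip('"'))
    return pins

@dataclass
class PinStore:
    # Minimal model of a UA's Known Pinned Hosts (RFC 7469 sections 2.5 and 2.6).
    known: dict = field(default_factory=dict)
    def note(self, host, header, chain, tls_errors):
        # 2.5: pins are noted only over an error-free TLS connection, so a header
        # received after the user added a certificate exception is never stored.
        if tls_errors:
            return "ignored: TLS errors " + ", ".join(tls_errors)
        pins, chain_pins = parse_pkp(header), {spki_pin(s) for s in chain}
        if not pins & chain_pins or pins <= chain_pins:
            return "ignored: needs one pin in the chain plus a backup pin"
        self.known[host] = pins
        return "noted"

    def validate(self, host, chain):
        # 2.6: a Pinned Host must present at least one pinned SPKI in its chain.
        if host not in self.known:
            return "not pinned: ordinary certificate checks (and overrides) apply"
        if self.known[host] & {spki_pin(s) for s in chain}:
            return "pin ok"
        return "pin failure: connection must be terminated, no override offered"

def reproduce() -> dict:
    header = f'pin-sha256="{spki_pin(SPKI_CERT_1)}"; pin-sha256="{spki_pin(SPKI_BACKUP)}"; max-age=5184000'
    store, host, r = PinStore(), "jan-ubuntu.de", {}  # one of the report's /etc/hosts names
    r["step2_note"] = store.note(host, header, [SPKI_CERT_1], ["SSL_ERROR_BAD_CERT_DOMAIN"])
    r["step4_validate"] = store.validate(host, [SPKI_CERT_2])
    r["clean_note"] = store.note(host, header, [SPKI_CERT_1], [])
    r["clean_validate"] = store.validate(host, [SPKI_CERT_2])
    return r
```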
Hi - thanks for reporting this. We're tracking this in bug 1147497, which is security-sensitive right now, so I'm marking this security-sensitive as well.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-moderate