User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160922113459

Steps to reproduce:

Updated a website certificate using a NEW private key, which means a new HSTS pin is required.

Actual results:

Website updated OK
Firefox fails with MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE
But Chrome works OK

Expected results:

Firefox should have an option to delete the out-of-date pin and restart the pin learning process. At the moment there seems to be no UI (not in history etc.) to do this in any reasonable way. It's quite likely that a new cert will involve a new private key (if you're being secure, that is). Timeouts are typically long.

In the end I had to mess about and manually edit SiteSecurityServiceState.txt to remove the old record per this: https://linux-audit.com/deleting-outdated-hpkp-key-pins-in-firefox/

Then it was OK!
The issue is that there's no user-friendly way to modify collected HPKP state in the browser. We could build some UI for this.
A couple more points:

- Current Apple Safari, like Chrome, handles this correctly (without user intervention).
- I think the reported error is actually wrong. "The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset." This is not true. There is a valid certificate chain; it's just that the browser is not using the current pin, it's sticking to the older one and not replacing it with the current one. Fix this, and you don't need a UI to handle the situation.
(In reply to keynet from comment #0)
> Actual results:
>
> Website updated OK
> Firefox fails with MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

I think it's right.

> But Chrome works OK

Maybe you did not reload this page to bypass the cache? I can see this situation by using https://chrome.google.com/webstore/detail/pinpatrol/jenmooahjheolakpacikdlloalfaihef/ and distorting the dynamic_spki_hashes to simulate it. Chrome also provides an error page, reports the invalid cases by default (Firefox does it, but not by default), and does not allow it to be overwritten.

> Expected results:
>
> Firefox should have option to delete out of date pin, and restart the pin
> learning process. At the moment there seems to be no UI (not in history etc)
> to do this in any reasonable way. It's quite likely that a new cert will
> involve a new private key (if you're being secure, that is). Timeouts are
> typically long.

I think it will violate the HPKP / HSTS rules and increase the user's risk of misuse.

> In the end I had to mess about and manually edit
> SiteSecurityServiceState.txt to remove the old record per this
> https://linux-audit.com/deleting-outdated-hpkp-key-pins-in-firefox/
>
> Then it was OK!

https://addons.mozilla.org/firefox/addon/enforce-encryption/ and future add-ons that work like PinPatrol for Chrome. I don't think a UI is necessary for general users, because it is a security-sensitive and rare demand.
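The disagreement above comes down to what a stored pin set contains when the key rotates. The following is an added example (not code from this bug or from Firefox) that uses openssl to compute HPKP pin-sha256 values and check a key against a stored pin set, reproducing the reporter's situation with constructed keys: a key that was never pre-announced as a backup pin is rejected, exactly as the browser does, while rotation to a pre-announced backup key validates. File names and the "stored" pin list are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug report: compute HPKP "pin-sha256" values
# with openssl and check a rotated key against a stored pin set.
set -eu

# pin_of FILE: base64(SHA-256(DER SubjectPublicKeyInfo)) of a certificate or private key
pin_of() {
  { openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    || openssl pkey -in "$1" -pubout 2>/dev/null; } \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# pin_check "PIN PIN ..." FILE: succeed (0) only if FILE's pin is one of the stored pins.
# This is the rule a pinning browser applies: some stored pin must match an SPKI in the
# served chain (reduced here to one leaf key); otherwise the connection is refused
# (Firefox reports MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE).
pin_check() {
  p=$(pin_of "$2")
  case " $1 " in
    *" $p "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# hpkp_header PRIMARY BACKUP MAX_AGE: Public-Key-Pins header value. RFC 7469 requires a
# backup pin for a key that is NOT in the served chain, so a later rotation to it validates.
hpkp_header() {
  printf 'pin-sha256="%s"; pin-sha256="%s"; max-age=%s' "$(pin_of "$1")" "$(pin_of "$2")" "$3"
}

# Demo with constructed keys (hypothetical file names): the reporter's case is "new.key"
# while the browser still holds pins for "old.key" and its pre-announced backup only.
d=$(mktemp -d)
for k in old backup new; do
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$k.key" 2>/dev/null
done
stored="$(pin_of "$d/old.key") $(pin_of "$d/backup.key")"
echo "Header to send while old.key is live: $(hpkp_header "$d/old.key" "$d/backup.key" 5184000)"
pin_check "$stored" "$d/backup.key" && echo "rotate old -> backup: OK (backup pin was pre-announced)"
pin_check "$stored" "$d/new.key"    || echo "rotate old -> new:    REJECTED until the stored pins expire"
rm -rf "$d"
```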
Severity: normal → enhancement
Component: Preferences → Security