Closed
Bug 1329553
Opened 8 years ago
Closed 8 years ago
Key pinning subdomain
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: max+bugzilla, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305021524
Steps to reproduce:
Issue is detailed at: https://www.reddit.com/r/firefox/comments/5mv6jo/subdomain_key_pinning_and_certificate_issues/
I run a website, which I use Let's Encrypt for. I have a handful of subdomains included in my main @ certificate, and then I have different keys and certs for other subdomains that I made later and hadn't thought to include in the original.
Each of the subdomains, even if they have the same cert, all have a separate Apache config, in which I specify, among other things, the key pinning header, which has the correct certificate pin, and which does NOT have includesubdomains (for obvious reasons).
Actual results:
When visiting the common/alternate names for the @ cert, I get the "key pinning failure" error, because Firefox is seeing that the cert is for @ and it seems to be ignoring the fact that it lists common/alternate subdomain names. So any subdomains in the main @ certificate get the error, while subdomains with different certificates are accepted and the page loads.
Expected results:
The certificate is valid for the @ cert subdomains and the key pin is correct for the cert, thus even though the "includesubdomains" header is not set, the @ cert subdomains should still be valid when visited, because they each individually have a valid cert and key pin header.
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Version: 36 Branch → 50 Branch
When filing this report, I have an addon set to spoof the version, for privacy reasons, so the website here flagged the report as applicable for the version 36 branch. I am in fact using version 50 in Linux.
After more testing, it appears that this was an issue with my Apache configuration. I triple-checked that before deciding it really was a bug, but alas, apparently I needed to quadruple-check. I apologize for wasting everybody's time.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
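A header check for the per-vhost setup described in this report, as an added example that is not part of the bug or of Firefox's code: it applies the RFC 7469 conditions for accepting a Public-Key-Pins header (max-age present, one pin matching the served chain, one backup pin outside it) to each virtual host. The hostnames, SPKI byte strings, header values and helper names are constructed for illustration and do not reproduce the reporter's configuration.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins value into pins, max-age and includeSubDomains."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(value)
        elif name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def check_vhost(header: str, chain_spkis: list) -> list:
    """List the reasons RFC 7469 gives a user agent to ignore this header."""
    policy = parse_hpkp(header)
    served = {spki_pin(s) for s in chain_spkis}
    problems = []
    if policy["max_age"] is None:
        problems.append("missing max-age")
    if not policy["pins"] & served:
        problems.append("no pin matches the served chain")
    if not policy["pins"] - served:
        problems.append("no backup pin outside the served chain")
    return problems

# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
MAIN, OTHER, BACKUP = b"spki-main-cert", b"spki-other-cert", b"spki-offline-backup"

def header_for(*spkis: bytes) -> str:
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"{pins}; max-age=5184000"

# Constructed vhosts: host -> (header that vhost sends, SPKIs of the chain it serves).
VHOSTS = {
    "example.test": (header_for(MAIN, BACKUP), [MAIN]),
    "www.example.test": (header_for(OTHER, BACKUP), [MAIN]),  # SAN on main cert, wrong pin
    "files.example.test": (header_for(OTHER), [OTHER]),       # own cert, no backup pin
}

def audit(vhosts: dict) -> dict:
    return {host: check_vhost(h, chain) for host, (h, chain) in vhosts.items()}
```

In practice the header value would come from each vhost's response and the SPKI bytes from the certificate chain that vhost actually serves.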