Key pinning error on Firefox when SSL-Intercepting

Article ID: 166674

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

You have recently upgraded Firefox to 32.0 (or newer). Your ProxySG has a policy to intercept SSL traffic, but when you visit some sites with Firefox (or Chrome) you get an error message like this:

Cause

Like Chrome, Firefox now has a feature called certificate pinning (also known as public key pinning).

Pinning lets the owner of a web site declare (on the server side) which certificate, identified by its public key, must be present in the certificate chain. If that certificate is present in the chain the browser receives, the content is shown; otherwise the browser displays the error above.

This happens because the ProxySG has to forge (emulate) the server certificate in order to perform SSL interception, and these forged certificates obviously do not match the certificates the web site has pinned.

Resolution

There are several ways to address this:

  1. Disable SSL interception: if no certificates have to be forged, pinning works as intended.
  2. Disable protocol detection (protocol_detection): if the protocol is not detected, the connection is tunnelled rather than intercepted.
  3. Change a Firefox option: in the address bar, type about:config and press Enter:

Confirm the warning and you will be presented with a rather long list of options. In the search box, type: pinning

This shows the option that enforces, enables or disables pinning support. Its values mean:

  • 0. Pinning disabled.
  • 1. Allow user MITM (the default): pinning is not enforced when the trust anchor is a user-installed CA. This is the value to use when intercepting SSL traffic; the ProxySG intercept/root CA certificate must still be installed in the user's browser.
  • 2. Strict: pinning is always enforced.
  • 3. Enforce test mode.
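To make the behaviour of these levels concrete, here is an added Python example (not from the original article, ProxySG, or Firefox) that models how a browser's pin check treats a genuine chain versus the forged chain a ProxySG presents. The preference the search surfaces is security.cert_pinning.enforcement_level; the pin format (base64 of the SHA-256 of the certificate's SubjectPublicKeyInfo) is the one used by HPKP and by Firefox's built-in pinsets. The SPKI byte strings, pinset, host name and function names are constructed for the example, and the handling of level 3 (test-only pinsets become enforced) is a simplified model of Firefox's logic, not its code.

```python
import base64
import hashlib
from dataclasses import dataclass

# Values of Firefox's security.cert_pinning.enforcement_level (the constant names are ours).
PINNING_DISABLED = 0
ALLOW_USER_MITM = 1
STRICT = 2
ENFORCE_TEST_MODE = 3


def spki_pin(spki_der: bytes) -> str:
    """Pin as used by HPKP and Firefox's built-in pinsets: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    host: str
    pins: frozenset          # base64 SPKI hashes the site owner accepts anywhere in the chain
    test_only: bool = False  # a "test mode" pinset is only enforced at level 3 (simplified model)


def pin_check(chain_spkis, pinset, user_added_root, enforcement_level):
    """Decide whether an already-validated chain passes the pin check.

    chain_spkis      : SPKI DER bytes of each certificate in the chain, leaf first
    user_added_root  : True if the trust anchor is a user/enterprise-installed CA
                       rather than one of the browser's built-in roots
    enforcement_level: 0..3 as listed above
    Returns True if the connection may proceed, False if the browser should block it.
    """
    if enforcement_level == PINNING_DISABLED:
        return True
    if pinset.test_only and enforcement_level < ENFORCE_TEST_MODE:
        return True
    if user_added_root and enforcement_level == ALLOW_USER_MITM:
        return True
    # Strict check: at least one certificate in the chain must match a pin.
    return any(spki_pin(spki) in pinset.pins for spki in chain_spkis)


# Constructed sample data. Real SPKIs are DER-encoded public keys; any bytes
# serve here because the pin is simply a hash over them.
SITE_LEAF_SPKI = b"constructed-spki:site-leaf"
SITE_INTERMEDIATE_SPKI = b"constructed-spki:site-issuing-ca"
PUBLIC_ROOT_SPKI = b"constructed-spki:public-root-ca"
PROXY_LEAF_SPKI = b"constructed-spki:proxysg-forged-leaf"
PROXY_ROOT_SPKI = b"constructed-spki:proxysg-intercept-ca"

# The site owner pins its issuing CA plus a backup key, as HPKP recommends.
EXAMPLE_PINSET = PinSet(
    host="pinned.example",
    pins=frozenset({spki_pin(SITE_INTERMEDIATE_SPKI), spki_pin(b"constructed-spki:backup-key")}),
)

GENUINE_CHAIN = [SITE_LEAF_SPKI, SITE_INTERMEDIATE_SPKI, PUBLIC_ROOT_SPKI]
INTERCEPTED_CHAIN = [PROXY_LEAF_SPKI, PROXY_ROOT_SPKI]  # what the browser sees behind the proxy


def summarize():
    """Outcome of each enforcement level for the genuine and the intercepted chain."""
    rows = {}
    for level in (PINNING_DISABLED, ALLOW_USER_MITM, STRICT, ENFORCE_TEST_MODE):
        rows[level] = {
            "genuine": pin_check(GENUINE_CHAIN, EXAMPLE_PINSET, False, level),
            "intercepted, proxy CA in user store": pin_check(INTERCEPTED_CHAIN, EXAMPLE_PINSET, True, level),
            "intercepted, proxy CA in built-in store": pin_check(INTERCEPTED_CHAIN, EXAMPLE_PINSET, False, level),
        }
    return rows


if __name__ == "__main__":
    for level, outcomes in summarize().items():
        for scenario, allowed in outcomes.items():
            print(f"level {level}: {scenario:40s} -> {'allowed' if allowed else 'BLOCKED'}")
```

Running it shows why level 1 is the value that works with interception: the forged chain never contains a pinned key, so at level 2 it is blocked regardless of where the intercept CA is trusted, while at level 1 it is allowed only because the intercept CA sits in the user-installed store. A forged chain that validated through a built-in root would still be blocked at level 1, which is the case pinning was designed to catch.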


There is no single right or wrong way to deal with this; which option you choose depends on your company's policies.

Official documentation from Mozilla is available here: https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning