
Issue 702903

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug


Hotlists containing this issue:
HPKP-Bricking



Problem updating new HPKP certificate

Reported by r.daru...@gmail.com, Mar 18 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36

Steps to reproduce the problem:
We specify a max-age greater than the expiration date of the certificate in the HPKP policy header.
We changed the certificate because it expired and cannot load the page again.

What is the expected behavior?
Show the website.

What went wrong?
The browser is validating a pin-sha256 of the last certificate.

Did this work before? No 

Does this work in other browsers? N/A

Chrome version: 57.0.2987.98  Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 25.0 r0

That problem is on this site: https://www.tanner.cl
 
Attachment: sslHPKPerror.png (20.5 KB)

Comment 1 by mattm@chromium.org, Mar 20 2017

Components: Internals>Network>DomainSecurityPolicy
Labels: Needs-Feedback
Let me see if I understood your report:
1. You set a HPKP header with a long max-age time that is still valid.
2. You switched certificates on the site and the new certificate spki hash isn't present in the old HPKP header.
3. Anyone who got the old HPKP header cannot access the site.

Is that correct? It sounds like HPKP is working as intended. Could you be more specific about what you think the bug in Chrome is?
Ping r.daruich@. Can you please respond to #1?
Status: WontFix (was: Unconfirmed)
Indeed, this looks like it's very much working as intended.
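
Added example, not part of the original issue thread and not Chromium code: a pre-rotation check for the scenario in Comment 1, which computes the RFC 7469 `pin-sha256` of the new key and tests it against a previously served HPKP header whose `max-age` has not yet elapsed. The function names, dates and byte strings are constructed for illustration, and the check looks at one key only, whereas a client matches pins against every SPKI in the validated chain.

```python
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header: str):
    """Return (set of pin-sha256 values, max-age seconds) from a header value."""
    pins = set(re.findall(r'pin-sha256\s*=\s*"([^"]+)"', header, re.I))
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.I)
    if not pins or m is None:
        raise ValueError("header needs at least one pin-sha256 and a max-age")
    return pins, int(m.group(1))

def rotation_check(header, noted_at, cert_not_after, new_spki_der, now):
    """Would a client that cached `header` at `noted_at` accept the new key?"""
    pins, max_age = parse_hpkp(header)
    pin_expiry = noted_at + timedelta(seconds=max_age)
    new_pin = spki_pin(new_spki_der)
    return {
        "pin_expiry": pin_expiry,
        # True means the pins stay cached after the pinned certificate expires.
        "pins_outlive_cert": pin_expiry > cert_not_after,
        "new_key_pinned": new_pin in pins,
        # Policy still cached and the new key matches no pin: the site is unreachable.
        "locked_out": now < pin_expiry and new_pin not in pins,
    }

# Constructed sample data: placeholder bytes stand in for real SPKI DER.
OLD_SPKI = b"constructed-old-spki"
BACKUP_SPKI = b"constructed-backup-spki"
NEW_SPKI = b"constructed-new-unpinned-spki"
HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=31536000' % (
    spki_pin(OLD_SPKI), spki_pin(BACKUP_SPKI))
NOTED = datetime(2017, 1, 1, tzinfo=timezone.utc)      # constructed
NOT_AFTER = datetime(2017, 3, 1, tzinfo=timezone.utc)  # constructed
NOW = datetime(2017, 3, 18, tzinfo=timezone.utc)       # constructed

if __name__ == "__main__":
    for name, key in (("unpinned new key", NEW_SPKI), ("backup key", BACKUP_SPKI)):
        r = rotation_check(HEADER, NOTED, NOT_AFTER, key, NOW)
        print(name, "-> locked_out:", r["locked_out"],
              "| pins_outlive_cert:", r["pins_outlive_cert"])
```

Rotating to the pinned backup key passes the check; rotating to a key absent from the cached header reports `locked_out` until `pin_expiry`.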
