
Issue 708336


Issue metadata

Status: Duplicate
Merged: issue 707280
Owner: ----
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security




HPKP Pinning Doesn't Work in Fedora

Reported by stovep...@gmail.com, Apr 4 2017

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Steps to reproduce the problem:
1. Have a fresh Fedora 24/25/[26 Alpha] install
2. Install Chrome rpm
3. Visit https://pinning-test.badssl.com/
4. The site is presented without warning

What is the expected behavior?
The user is presented with a NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN warning.

What went wrong?
I believe the way root CAs are handled by Fedora is different from the way Ubuntu handles them, thus the detection code for custom CAs doesn't work. There is ongoing discussion of this bug here:

https://bugzilla.redhat.com/show_bug.cgi?id=1207335

If someone from Google could lend a hand with diagnosing the bug, I'm sure the folks at Red Hat would appreciate it.

Chrome->Developer tools->Security says

Public-Key Pinning Bypassed
Public-key pinning was bypassed by a local root certificate.

Did this work before? No 

Chrome version: 57.0.2987.133  Channel: stable
OS Version: Fedora 24/25/26
Flash Version: 

This is really a Fedora bug, but it would be useful if y'all could help them diagnose the problem so your users on Fedora would be protected.
 
Cc: rsleevi@chromium.org
Components: Internals>Network>DomainSecurityPolicy
Mergedinto: 707280
Status: Duplicate (was: Unconfirmed)
Thanks for the report - we got another one of these recently, so I'll merge and cc some more people.

+rsleevi.
Project Member

Comment 2 by sheriffbot@chromium.org, Dec 29 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
