[Sportsfan]

The latest A. Kalla build (2.46) for 32-bit Windows does not pass the certificate pinning test at https://pinning-test.badssl.com/ Firefox 49.0 does pass (site blocked with warning) but Firefox 48 did not pass. Does this mean the recently disclosed Firefox certificate pinning flaw (article here) is not fixed in this SM build?

[barbaz]

What is the value of about:config > security.cert_pinning.enforcement_level ?

[therube]

What should happen when you go to that site?
Should it fail to load with a "Secure Connection Failed", "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE" message?

[frg]

0 in SeaMonkey. 1 in Firefox. If you set it to 1 SeaMonkey behaves like Firefox so fixed but the default might need an additional adjustment.

[Sportsfan]

The value was 0. When I set it to 1, the test site worked correctly.

Thanks to all for the info.

(Test site should show "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE")

[rsx11m]

What exactly is that "pinning" doing? Apparently it's initializied with 0 by default on purpose per bug 1019259 and needs to be enabled explicitly by each application. A quick search with https://dxr.mozilla.org/comm-central/se ... rect=false shows that some applications are setting it to 1 (including Firefox, but it's 2 for b2g), which applies to instant messaging (im/) in comm-central only. I don't see anything set for either mail/ or suite/ (so, should it?).

Edit: Callek's post (comment #1) in that bug report gives some background, but there seems to be some legalese involved, whatever that SLA is.

[therube]

? Service-level agreement (SLA)

[rsx11m]

I've filed bug 1305902 to keep this on the radar.