diff --git a/.cirrus.yml b/.cirrus.yml
index fa2ee22..e0ce7f5 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -206,6 +206,42 @@ task:
   depends_on:
     - "Compile Go latest linux amd64"
 
+task:
+  name: "firefox $CI_CHANNEL windows"
+  compute_engine_instance:
+    image_project: windows-cloud
+    image: family/windows-2022
+    platform: windows
+    cpu: 1
+    memory: 2G
+  choco_script:
+    - powershell -ExecutionPolicy Unrestricted -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\\chocolatey\\bin\\"
+  install_script:
+    - SET "PATH=%PATH%;%ALLUSERSPROFILE%\\chocolatey\\bin\\"
+    - choco install %CI_PACKAGE% --yes --pre
+    - curl -o pkcs11mod.tar.gz --location https://api.cirrus-ci.com/v1/artifact/build/%CIRRUS_BUILD_ID%/Compile%%%%20Go%%%%20latest%%%%20windows%%%%20%GOARCH%/binaries/dist/pkcs11mod.tar.gz
+    - tar -xf pkcs11mod.tar.gz
+  test_script:
+    - SET PATH=%PATH%;%cd%
+    - powershell -ExecutionPolicy Unrestricted -File "testdata/ci-firefox-tests.ps1"
+  matrix:
+    - env:
+        GOARCH: "amd64"
+        CI_CHANNEL: "Nightly"
+        CI_PACKAGE: "firefox-nightly"
+        CI_MAIN_MODULE: "C:\\Program Files\\Firefox Nightly\\nssckbi.dll"
+        CI_BAK_MODULE: "C:\\Program Files\\Firefox Nightly\\nssckbi.orig.dll"
+        CI_MAIN_EXE:  "C:\\Program Files\\Firefox Nightly\\firefox.exe"
+    - env:
+        GOARCH: "amd64"
+        CI_CHANNEL: "ESR"
+        CI_PACKAGE: "firefoxesr"
+        CI_MAIN_MODULE: "C:\\Program Files\\Mozilla Firefox\\nssckbi.dll"
+        CI_BAK_MODULE: "C:\\Program Files\\Mozilla Firefox\\nssckbi.orig.dll"
+        CI_MAIN_EXE:  "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
+  depends_on:
+    - "Compile Go latest windows amd64"
+
 task:
   name: "gnutls-cli"
   container:
diff --git a/pkcs11mod.go b/pkcs11mod.go
index 961c8a7..d1d2047 100644
--- a/pkcs11mod.go
+++ b/pkcs11mod.go
@@ -39,14 +39,17 @@ var logfile io.Closer
 var backend Backend
 
 func init() {
-	f, err := os.OpenFile(os.Getenv("HOME")+"/pkcs11mod.log", os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
+	dir, err := os.UserConfigDir()
 	if err != nil {
-		log.Printf("error opening file (will try fallback): %v", err)
-		f, err = os.OpenFile("./pkcs11mod.log", os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
+		log.Printf("error reading config dir (will try fallback): %v", err)
+		dir = "."
 	}
+
+	f, err := os.OpenFile(dir+"/pkcs11mod.log", os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
 	if err != nil {
 		log.Printf("error opening file (will try fallback): %v", err)
-		f, err = os.OpenFile(os.Getenv("APPDATA")+"/pkcs11mod.log", os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
+		dir = "."
+		f, err = os.OpenFile(dir+"/pkcs11mod.log", os.O_RDWR|os.O_CREATE|os.O_APPEND, 0600)
 	}
 	if err != nil {
 		log.Printf("error opening file (will fallback to console logging): %v", err)
diff --git a/testdata/assert-proxy-log.bash b/testdata/assert-proxy-log.bash
index c64f1fc..6d7cc38 100755
--- a/testdata/assert-proxy-log.bash
+++ b/testdata/assert-proxy-log.bash
@@ -11,14 +11,15 @@ then
     exit 1
 fi
 
-if [[ -e "$HOME/pkcs11mod.log" ]]
+if [[ -e "$HOME/.config/pkcs11mod.log" ]] || [[ -e "./pkcs11mod.log" ]]
 then
     RESULT="present"
 else
     RESULT="missing"
 fi
 
-rm -f "$HOME/pkcs11mod.log"
+rm -f "$HOME/.config/pkcs11mod.log"
+rm -f "./pkcs11mod.log"
 
 if [[ "$RESULT" != "$DESIRED" ]]
 then
diff --git a/testdata/assert-proxy-log.ps1 b/testdata/assert-proxy-log.ps1
new file mode 100755
index 0000000..e9a5570
--- /dev/null
+++ b/testdata/assert-proxy-log.ps1
@@ -0,0 +1,28 @@
+param (
+  $desired
+)
+
+$ErrorActionPreference = "Stop"
+
+if ( ("$desired" -ne "present" ) -and ( "$desired" -ne "missing" ) ) {
+    Write-Host "Invalid DESIRED value; should be present or missing"
+    exit 1
+}
+
+if ( ( Test-Path -Path "$Env:APPDATA/pkcs11mod.log" ) -Or ( Test-Path -Path "./pkcs11mod.log" ) ) {
+    $result="present"
+}
+else {
+    $result="missing"
+}
+
+Remove-Item -Force -ErrorAction SilentlyContinue "$Env:APPDATA/pkcs11mod.log"
+Remove-Item -Force -ErrorAction SilentlyContinue "./pkcs11mod.log"
+
+if ( "$result" -ne "$desired" ) {
+    Write-Host "Log test failed"
+    Write-Host "Got $result, wanted $desired"
+    exit 1
+}
+
+exit 0
diff --git a/testdata/ci-exports-tests.ps1 b/testdata/ci-exports-tests.ps1
index d132255..7a724ad 100644
--- a/testdata/ci-exports-tests.ps1
+++ b/testdata/ci-exports-tests.ps1
@@ -1,3 +1,5 @@
+$ErrorActionPreference = "Stop"
+
 Write-Host "Checking pkcs11proxy..."
 
 if ( ( .\Dependencies.exe -exports .\pkcs11proxy.dll | Select-String -Pattern "C_GetFunctionList" -SimpleMatch -Quiet ) -ne $true ) {
diff --git a/testdata/ci-firefox-tests.ps1 b/testdata/ci-firefox-tests.ps1
new file mode 100755
index 0000000..9cdff2b
--- /dev/null
+++ b/testdata/ci-firefox-tests.ps1
@@ -0,0 +1,93 @@
+$ErrorActionPreference = "Stop"
+
+Write-Host "===== Default System CKBI ====="
+
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/try-firefox-connect.ps1" -server_host "www.namecoin.org" -desired "success"
+If (!$?) {
+  exit 222
+}
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/assert-proxy-log.ps1" -desired "missing"
+If (!$?) {
+  exit 222
+}
+
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/try-firefox-connect.ps1" -server_host "untrusted-root.badssl.com" -desired "fail"
+If (!$?) {
+  exit 222
+}
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/assert-proxy-log.ps1" -desired "missing"
+If (!$?) {
+  exit 222
+}
+
+Write-Host "===== Deleted System CKBI ====="
+
+Move-Item -Path "$Env:CI_MAIN_MODULE" -Destination "$Env:CI_BAK_MODULE"
+
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/try-firefox-connect.ps1" -server_host "www.namecoin.org" -desired "fail"
+If (!$?) {
+  exit 222
+}
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/assert-proxy-log.ps1" -desired "missing"
+If (!$?) {
+  exit 222
+}
+
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/try-firefox-connect.ps1" -server_host "untrusted-root.badssl.com" -desired "fail"
+If (!$?) {
+  exit 222
+}
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/assert-proxy-log.ps1" -desired "missing"
+If (!$?) {
+  exit 222
+}
+
+# TODO: No env var, -desired "missing" default target
+
+# TODO: Env var pointing to -desired "missing" target
+
+Write-Host "===== System CKBI via pkcs11proxy ====="
+
+$Env:PKCS11PROXY_CKBI_TARGET = "$Env:CI_BAK_MODULE"
+Copy-Item pkcs11proxy.dll -Destination "$Env:CI_MAIN_MODULE"
+
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/try-firefox-connect.ps1" -server_host "www.namecoin.org" -desired "success"
+If (!$?) {
+  exit 222
+}
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/assert-proxy-log.ps1" -desired "present"
+If (!$?) {
+  exit 222
+}
+
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/try-firefox-connect.ps1" -server_host "untrusted-root.badssl.com" -desired "fail"
+If (!$?) {
+  exit 222
+}
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/assert-proxy-log.ps1" -desired "present"
+If (!$?) {
+  exit 222
+}
+
+Write-Host "===== System CKBI via p11proxy ====="
+
+$Env:P11PROXY_CKBI_TARGET = "$Env:CI_BAK_MODULE"
+Copy-Item p11proxy.dll -Destination "$Env:CI_MAIN_MODULE"
+
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/try-firefox-connect.ps1" -server_host "www.namecoin.org" -desired "success"
+If (!$?) {
+  exit 222
+}
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/assert-proxy-log.ps1" -desired "present"
+If (!$?) {
+  exit 222
+}
+
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/try-firefox-connect.ps1" -server_host "untrusted-root.badssl.com" -desired "fail"
+If (!$?) {
+  exit 222
+}
+& "powershell" "-ExecutionPolicy" "Unrestricted" "-File" "testdata/assert-proxy-log.ps1" -desired "present"
+If (!$?) {
+  exit 222
+}
diff --git a/testdata/try-firefox-connect.ps1 b/testdata/try-firefox-connect.ps1
new file mode 100755
index 0000000..f991151
--- /dev/null
+++ b/testdata/try-firefox-connect.ps1
@@ -0,0 +1,38 @@
+param (
+  $server_host,
+  $desired
+)
+
+$ErrorActionPreference = "Stop"
+
+Write-Host "$server_host"
+
+if ( ("$desired" -ne "success" ) -and ( "$desired" -ne "fail" ) ) {
+    Write-Host "Invalid DESIRED value; should be success or fail"
+    exit 1
+}
+
+# Nuke whatever cached state might exist...
+Remove-Item -Recurse -Force -ErrorAction SilentlyContinue "$Env:APPDATA/Mozilla"
+
+& "$Env:CI_MAIN_EXE" --screenshot "https://$server_host"
+Start-Sleep -seconds 10
+Stop-Process -Name "firefox" -ErrorAction SilentlyContinue
+Start-Sleep -seconds 5
+
+if ( Test-Path -Path "screenshot.png" ) {
+    $result = "success"
+}
+else {
+    $result = "fail"
+}
+
+Remove-Item -Force -ErrorAction SilentlyContinue "screenshot.png"
+
+if ( "$result" -ne "$desired" ) {
+    Write-Host "TLS test failed"
+    Write-Host "Got $result, wanted $desired"
+    exit 1
+}
+
+exit 0