Closed Bug 1074195 Opened 10 years ago Closed 4 years ago

"Remember this decision" option in "User Identification Request" (client-side cert authentication) dialog does not work

Categories

(Core :: Security: PSM, defect, P3)

32 Branch
x86_64
Windows 7
defect


RESOLVED DUPLICATE of bug 634697

People

(Reporter: david.balazic, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-clientauth])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

Visit an HTTPS site that requires a client certificate.
Select the certificate from the list in the "User Identification Request", uncheck the "Remember this decision" option.
Visit another URL with the same hostname.


Actual results:

Page loads with no prompt.


Expected results:

The second URL should ask for the certificate to be selected again, as "Remember this decision" was not selected.


Basically, regardless of the checkbox state of the "Remember this decision" option, the choice is always remembered.

This used to work in older versions.
Component: Untriaged → Security
Component: Security → Security: UI
Product: Firefox → Core
Summary: "Remember this decision" option in "User Identification Request" dialog does not work → "Remember this decision" option in "User Identification Request" (client-side cert authentication) dialog does not work
I want Firefox to remember to use my hardware token certificate, but it's not remembering, and instead giving me the same dialog box every time I restart the browser and go to the protected page.
Screenshot of the bane of my existence.
(In reply to Penelope Fudd from comment #2)
> Created attachment 8558569 [details]
> userIdentificationRequest.png
> 
> Screenshot of the bane of my existence.

Can either you or David run mozregression ( http://mozilla.github.io/mozregression/ ) to figure out when this broke?

(I normally help do this kind of thing myself, but I don't have a setup involving client-side certs, so it's difficult to do this myself without spending several days trying to get this kind of thing set up)

Also CC'ing :keeler and :bsmith in case they have ideas about why/when this broke...
Flags: needinfo?(david.balazic)
Flags: needinfo?(bugzilla.mozilla.org)
Do you know how to get mozregression to preload a personal certificate and run firefox twice?
Flags: needinfo?(bugzilla.mozilla.org)
(In reply to Penelope Fudd from comment #4)
> Do you know how to get mozregression to preload a personal certificate and
> run firefox twice?

You can specify a Firefox profile directory/path to use with the --profile option.

I'd recommend creating a new profile for testing (so that your testing doesn't mess with your main Firefox profile) using steps from https://support.mozilla.org/kb/profile-manager-create-and-remove-firefox-profiles . You can find out its path by going to "about:support" (Help > Troubleshooting Information) and clicking the button next to "Profile Folder".

Thanks for helping!
Flags: needinfo?(bugzilla.mozilla.org)
It never did that (AFAIK) and is not designed to work that way.
This is unrelated to this bug.
(In reply to Penelope Fudd from comment #1)
> I want Firefox to remember to use my hardware token certificate, but it's
> not remembering, and instead giving me the same dialog box every time I
> restart the browser and go to the protected page.

The above comment #6 was meant as a reply to comment #1; somehow it was misquoted... sorry for the spam
Flags: needinfo?(david.balazic)
You mean firefox has never remembered the decision to use the hardware token, even though it's got a checkbox for it?

This problem also happens when I use a certificate.  If it wasn't designed to do that either, then I'm at a loss for what it was designed to do.  It's as if the checkbox did nothing.
Flags: needinfo?(bugzilla.mozilla.org)
It remembers the choice for the duration of the session. If you exit and restart Firefox, it will ask again.
It remembers until you close Firefox.
That is how it works (or worked) for "software" certificates, I don't use hardware tokens, so can't say how it worked with them.
David, did you ever have any luck reproducing this with mozregression? Is this bug still affecting you with newer versions?
Flags: needinfo?(david.balazic)
It is still the same with 41.0.1 (tried with a fresh profile).
Did not do the mozregression thing yet.
Flags: needinfo?(david.balazic)
Thanks for the reply. Given the difficulty in reproducing the issue, getting a good regression range is probably the best chance we have of tracking down the problem here. I appreciate your willingness to help :)
Hi David, we're still interested in a regression range here if you're able to hunt it down. Let me know if you need any assistance with getting mozregression working and I'd be happy to help.
Flags: needinfo?(david.balazic)
WFM on Fx41.0 with https://www.bennish.net/certs/: it re-prompts for the certificate when I use Ctrl+F5 to reload the page (https://www.bennish.net/certs/login/), although it is not a second URL. However, it seems to force-remember the cancellation: I got "Access Denied!" once I cancelled it, and Ctrl+F5 does not purge the cache.
Blocks: clientauth
It seems the selection is remembered for the length of the SSL session?
No matter what URL I open on the same site, it does not ask again for the certificate.

ctrl-F5 on the other hand asks for it.

Client certificate handling is chaotic anyway, what happened to the project aiming to improve it? (that is bug 511384 )
Flags: needinfo?(david.balazic)
(In reply to :Gijs Kruitbosch from comment #3)
> (I normally help do this kind of thing myself, but I don't have a setup
> involving client-side certs, so it's difficult to do this myself without
> spending several days trying to get this kind of thing set up)

The mentioned URL can be used for testing. You can also get a certificate there: https://www.bennish.net/certs/
Can you try using mozregression ( http://mozilla.github.io/mozregression/ ) to narrow down how this broke? At the moment I do not have time to do this for you.
Flags: needinfo?(david.balazic)
Hi David,

I've created a certificate using the link you provided in comment 16, but I'm not sure what I have to do next. Can you please provide more details on how to reproduce this issue? Or can you provide another link where I could create a certificate and try to reproduce this issue? I'm willing to perform a regression window, but I'm not sure how to reproduce this issue.

Thanks,
Paul.
After you install the certificate, open this page: https://www.bennish.net/certs/login/
The client certificate selection dialog should appear.

But with Firefox 44.0.2 the situation has changed. Now it is the opposite: The certificate selection is not remembered at all. That is: for each part of the page (like css, images, external JS) it will show the certificate selection dialog. (provided each time the user deselects the "Remember this decision" option)

Ideally, the user would select a client certificate on first access and then that would be used ("remembered") until the user changes his mind ("logs out") - there is an old bug report for that...
Hi David,

I've partially managed to reproduce this on the latest release (44.0.2) and latest Nightly (47.0a1). After creating a certificate using the link from comment 16, I opened the page provided in comment 19, unchecked "Remember this decision" and clicked "OK". I was logged in, in a new tab, and after I closed it, I was able to log in again without needing to select a certificate. This happens only if you click on the link from comment 19 very quickly after you close the previous logged-in tab. But if you wait about 10-15 seconds before clicking again on the login link from comment 19, Firefox will ask you to provide a certificate, and again you have the option to check or uncheck the "Remember this decision" check box.

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160303030253

I went back as far as Firefox 5 and it has the same behavior as the latest builds. David, can you please provide a Firefox version where this worked correctly?  I believe Firefox had this behavior from the beginning, therefore this issue does not need a regression window.

Also, Firefox reproduces this issue but only if you manage to re-log in very quickly. If you wait a few seconds before re-logging, this issue is not reproducible anymore. Can you please confirm if you encounter the same behavior? Or if not, can you please describe how Firefox behaves? It may be a case like, in the previous versions, you waited a few seconds before re-logging back in, and now you do it very quickly, therefore noticing this bug.

Thanks,
Paul.
That is strange.
I also went to https://www.bennish.net/certs/ and like you said, repeatedly clicking the login link will not ask for the certificate again, even if the "remember" option was off.

This is weird, because if I load an SSL page that has embedded images and CSS (from the same server), it will ask me to select a certificate for each of them, even if all happens in the same second.
Unfortunately the https://www.bennish.net/certs/login/ page has no such items, so you can't test that there.
Flags: needinfo?(david.balazic)
Hi David,

Could you provide such a link so I can test this on my end as well? Also, did you encounter the same behavior as me when re-logging in (https://www.bennish.net/certs/login/) after you wait a few seconds? Could you point to a build that worked correctly? If not, I believe it is safe to remove the "regressionwindow-wanted" keyword.

Thanks,
Paul.
Flags: needinfo?(david.balazic)
(In reply to Paul Pasca[:PoollyMcklayn] from comment #22)
> Could you provide such a link so I can test this on my end as well?

No, but in bug 1231406 there is an example of an SSL server that can be set up in 5 minutes.
Just add this to the JSP file:


<img src="sss.jpg">
<img src="sss1.jpg">
<img src="sss2.jpg">
<img src="sss3.jpg">
<img src="sss4.jpg">
<img src="sss5.jpg">
<img src="sss6.jpg">
<img src="sss7.jpg">


> Also,
> did you encounter the same behavior as me when re-log in
> (https://www.bennish.net/certs/login/) after you wait a few seconds?
I tried it again and it is very strange. If I refresh the page with F5, it asks me again each time for the certificate selection, but not always. Like 9 times out of ten times it asks for it, but once it does not. Clicking the link on the other hand most of the time does not ask for certificate selection.

So it seems sometimes it asks, sometimes it doesn't.

It is the same with the test case above. There is the HTML document itself and 8 embedded images, so 9 HTTP GET commands in total. I tried to load it and it asks for the certificate only 6 times instead of 9 times. So something is definitely wrong.

(every time in the dialog I deselect the "Remember this decision" check box)

I'll look for a last working build later...
OOPS!

Sorry, I had the option security.ssl.disable_session_identifiers enabled (see bug 1231406).

Now I cleared it and the status is: as described in the original report

As for the https://www.bennish.net/certs/ site: sometimes I get the dialog after pressing F5, even if I do it quickly several times in succession.

The local setup mentioned above with embedded images: it never asked for the cert again. I pressed F5 and ctrl-F5 many times.

A note for the testcase with tomcat: use this line in server.xml as the specified one uses OpenSSL which has a bug:

<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="want" keystoreFile="keystore.jks" keystorePass="changeit" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="CAs.ssl" truststorePass="changeit"/>

(you'll have to convert the certificate files to the Java JKS format...)
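
Added example, not part of the original comment: one way to produce the keystore.jks and CAs.ssl files that the Connector line above refers to, using the openssl and keytool command-line tools. The input names server.crt, server.key and ca.crt are assumptions (PEM files for the test server and for the CA that issued the client certificates); with DRY_RUN=1 the commands are only printed.

```shell
#!/bin/sh
# Added example: build the two JKS files named in the <Connector> line.
# Assumed inputs (hypothetical names, not from the bug):
#   server.crt / server.key  - test server certificate and key, PEM
#   ca.crt                   - CA that issued the client certificates, PEM
# "changeit" is the password from the Connector line; for test setups only.

PASS=changeit

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_keystore CERT KEY: PEM pair -> PKCS#12 -> keystore.jks (keystoreFile).
make_keystore() {
    run openssl pkcs12 -export -in "$1" -inkey "$2" -name tomcat \
        -out server.p12 -passout "pass:$PASS" &&
    run keytool -importkeystore -noprompt \
        -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -destkeystore keystore.jks -deststoretype JKS -deststorepass "$PASS"
}

# make_truststore CA_PEM: CA certificate -> CAs.ssl (truststoreFile).
# With clientAuth="want" the server asks for a client certificate and
# validates it against the CAs in this file, without making it mandatory.
make_truststore() {
    run keytool -importcert -noprompt -alias client-ca -file "$1" \
        -keystore CAs.ssl -storetype JKS -storepass "$PASS"
}

# Usage: sh make-jks.sh server.crt server.key ca.crt
if [ "$#" -eq 3 ]; then
    make_keystore "$1" "$2" && make_truststore "$3"
fi
```
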
Hi David,

I'm unable to set up an SSL server at the moment, but I will mark this issue as New, since it is still reproducible on the latest Firefox versions. As previously mentioned in comment 20, I was not able to find a Firefox version on which this worked correctly. When you have time, can you please provide a good version so I can perform a regression on this issue? If not, at least we can remove the "regressionwindow-wanted" keyword.

Thanks,
Paul.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(david.balazic)
Component: Security: UI → Security: PSM
Whiteboard: [psm-backlog]
Priority: -- → P3
Whiteboard: [psm-backlog] → [psm-clientauth]

I have the problem that Yahoo is asking for a certificate but I don't have any and I don't have to. Thunderbird gives the option to supply certificates for other accounts (listed in the drop down menu). There should also be the option not to supply any certificate. I am being spammed by Thunderbird that I need to supply certificate for Yahoo IMAP.

This is fixed now (firefox nightly 81), see bug 634697

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE