Closed Bug 1412801 Opened 7 years ago Closed 7 years ago

i'm italian, i've strange authentication problems on public administration portals with smart card

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
56 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1396030

People

(Reporter: scncld66, Unassigned)

Details

Attachments

(14 files)

errore handshake TLS Mozilla at INPS.png
189.79 KB, image/png
Details
setp 1
377.53 KB, image/jpeg
Details
login2.jpg
405.83 KB, image/jpeg
Details
step 3
341.99 KB, image/jpeg
Details
step 4
414.09 KB, image/jpeg
Details
step 5
394.63 KB, image/jpeg
Details
step 6
213.04 KB, image/jpeg
Details
step 7 ... the last step ... i lost patience !!!
393.86 KB, image/jpeg
Details
crash firefox report.jpg
217.94 KB, image/jpeg
Details
crash report mozilla firefox.txt
115.38 KB, text/plain
Details
FF crash, no link supplied after this.png
83.60 KB, image/png
Details
LOG - crash firefox - last 20171108_160000.txt
106.17 KB, text/plain
Details
crash firefox - last 20171108_163000.txt
100.99 KB, text/plain
Details
certification authority test page with internet explorer.png
61.93 KB, image/png
Details 
User Agent: Mozilla/5.0 (Windows NT 10.0; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171024165158

Steps to reproduce:

Excuse me for my bad english ..
I'm a fireman and the department gave me a card ... card work fine with internet explorer and i can access to all portals of italian government (card have also digital sign)
1. browsing web with Mozilla and smart card login cause a problem ...
2. preliminary login allow navigation - i operate this: menu OPTIONS> PRIVACY & SECURITY> SECURITY DEVICES> 
and on the left column MODULES AND SECURITY DEVICES, i choose the device
ARUBA_ATE> ATE>  (these are my device and card)
thus i have login (after this, i've login to the portals...!!!)


Actual results:

1. operate as the previous point 1, it freeze all (navigation) on login to a public administration portal ... see image attached file ... it freeze all on executing TLS handshake at ...
2. operate as the previous point 2, with preliminary login to the card, Firefox allow acces to the portals ... (I can't post more of 1 image ... i've other picture of me logged in to the portals...)


Expected results:

have login by normal browsing
normal browsing do not allow login ... login by normal browsing will cause freeze all browsing (new tab or new sites) ... browser do not crash, i have access to option and other menù ...
With internet explorer i have regulary login to the portals, so card and certificates are fine !!!
by deactivate Kaspersky Antivirus and delete all cookies and temporary file the problem still the same...
How can i post more pictures ? Thanks.
Component: Untriaged → Security: PSM
Product: Firefox → Core
Thank you for filing this bug. A few questions:

Does your device do protected authentication? That is, does it provide its own window that you use to log in or do you just type a password/pin into a window that Firefox opens?

When your browsing freezes, do other things like Firefox menus freeze as well? Is the entire browser locked up?

Are there any reports in about:crashes (you may have to copy/paste that or manually type it into a new tab) that were created as a result of Firefox hanging?

Thanks!

You should be able to add more attachments (pictures) by clicking the "Attach File" link above comment 0.
Flags: needinfo?(scncld66)
Many thanks to you and excuse me for my bad english...
- Does your device do protected authentication? RE: yes, i've to digit a PIN
- When your browsing freezes, do other things like Firefox menus freeze as well? Is the entire browser locked up? RE: No, i can operate menù, add new tabs ecc... however navigation freeze ... i can't acces to other website ... also in a new tab or window.
- Are there any reports in about:crashes (you may have to copy/paste that or manually type it into a new tab) that were created as a result of Firefox hanging? RE: no, i've no message or report ... the browser freezes for a long time so i close the browser ... Now I will keep open browser for more time than I'll let you know....
I try to attach pictures files step by step on freeze (normal login) procedure ... I hope they are useful
Thank you again
Flags: needinfo?(scncld66)
Attached image setp 1 
step1 - login to the portal
Attached image login2.jpg 
step 2 - choice of login method, password, pin or smartcard ... then login
Attached image step 3 
step 3 - PIN request
Attached image step 4 
step 4 - Choice of certificate... the only one possible and the right one !!!
Attached image step 5 
step 5 - TLS handshake and browser freezing !!! no navigation !!!
Attached image step 6 
step 6 - add new tab ... also in the new tab navigation is freezed ...
browser UI is ok !!! .. now i'm waiting for a message or a report ...
step 7 - 30 minutes later the browser still frozen ... then i close the window and the browser ... No error message and no report !!!!
these are the steps of my attempt to login ...
thank you very much....
hi there ...
I managed to make a video of my screen, where it shows the preliminary login and the next access to the portal !!!
you can find the video here ... http://www.scandella.org/login.m4v
thank you very much ....
Thanks! In that video, it seems you have two PKCS#11 modules loaded - one called "Aruba_Ate" and another called "Athena PKCS#11 Module". Are you sure you need both of those? It looks like they might be managing the same physical device ("Generic Usb Smart Card Reader 0"), which could cause problems. Maybe try removing the "Athena" module? (although first make a note of its path so you can add it back if necessary)
Flags: needinfo?(scncld66)
Athena PKCS#11 Module is another module ... it's needed for another CNS card of the National Medical Service ...
now I'm going to remove it, then i do a reset of my PC then i try again to login ...

Thank you...
Flags: needinfo?(scncld66)
i confirm that, removing the module my new smartcard work fine !!!! ... i've login....
i try'd to load the module and assign it a different name but the problem still again...
the only one way is remove the module ...

why appears module conflict ???
why the module conflict freeze Firefox navigations ? ... also the one in a new tab ???
how can i avoid module conflict ?

why on internet explorer no problems appear than Firefox ?
can Firefox developers optimize the code ?

Thanks...
Without knowing what specifically is causing the lockup, it would be hard to fix. One thing you could try is to get Firefox to freeze again and then following the steps at https://superuser.com/questions/678054/force-firefox-to-crash-or-trick-firefox-into-thinking-it-has-crashed-on-windows#answer-678426 to make Firefox crash (note that this will crash firefox, so save all of your work first). Then, after opening up Firefox again there should hopefully be a link in about:crashes that may tell me more about what's going on.

I believe Internet Explorer uses the underlying OS-level APIs, so it avoids using these libraries alltogether, so it works better.
Flags: needinfo?(scncld66)
I tried to perform the forced Mozilla Firefox crash ...

Taskkill /IM firefox.exe /F does not work .... Firefox recover perfectly the session and the opened tabs ...

The Mozilla tool at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe  work fine ...

I'm going to post the generated report file named "crash report mozilla firefox.txt" and the popup's printscreen

(also i sent the report to Mozilla from the popup windows) 

Thank you...
Flags: needinfo?(scncld66)

    
    

    
  


  

    
    

    
  
Is there a corresponding link in about:crashes? That will link to https://crash-stats.mozilla.com , which presents the report in a way that's much easier to decipher.
Flags: needinfo?(scncld66)

    
    

    
  
what do you mean for "about:crashes"?
i've got only "details..."  button ("dettagli..." in italian language... see picture) on the crash popup ... see next posted picture ...
content of "details..." popup is identically the content of the next posted txt file ... i can't find no link on it...
i've no other web page when i go to restart mozilla (i've already  sayd this)... "Firefox recover perfectly the session and the opened tabs".
Thanks.
Flags: needinfo?(scncld66)

    
    

    
  


  

    
    

    
  


  
i can't find no link in it...

i've no other web page when i go to restart mozilla (i've already  sayd this)... "Firefox recover perfectly the session and the opened tabs".

    
    

    
  
UPDATE:
the next posted txt file is the content of popup in the "Firefox natural crash..."
excuse me for my bad english ... the popup appears about 3 minutes after i've closed the frozen Firefox window...
so it's not necessary to operate a forced crash using the tool "crashfirefox.exe" at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe
i hope it's usefull ...
Thank...

    
    

    
  


  

    
    

    
  
Sorry - I wasn't being clear. If you open Firefox again and type "about:crashes" (without the quotes) into the urlbar, you should get a page that lists the crash reports Firefox has collected. I imagine the most recent few are from when you've used crashfirefox. If you copy/paste those links, I might be able to get a better idea of what's going on when Firefox locks up.

    
    

    
  
oh...!!! it's all right !!!

thank you .... i've just done it ...

some Firefox crashes was caused by ebay navigations...
i've eliminated all the logs then i've done again a Firefox crash (with the card use)...

here the link ...
https://crash-stats.mozilla.com/report/index/bp-21c8dbd9-6b74-4cca-a305-ad1ab1171108

seem that Firefox contact the wrong module (asepkcs.dll instead of bit4xpki.dll), also if the browser show the the right one certificate ...

i wait for news ... thank you.

    
    

    
  
i'm stunned ...

seem that Firefox contact asepkcs.dll also if i do preliminary login to the card, than i've access to the portal ...

later i operate a forced crash using the tool "crashfirefox.exe" at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe

here the log....

https://crash-stats.mozilla.com/report/index/bp-cfdd0ec9-8dc0-4613-a634-b58cc1171108


LOGS BRIEF:

log for no access and natural crash: https://crash-stats.mozilla.com/report/index/bp-21c8dbd9-6b74-4cca-a305-ad1ab1171108


log for preliminary login to the card, then login to the portal, logout and crash forced using the tool "crashfirefox.exe": https://crash-stats.mozilla.com/report/index/bp-cfdd0ec9-8dc0-4613-a634-b58cc1171108

thank you.

    
    

    
  
(In reply to Claudio from comment #27)
> seem that Firefox contact asepkcs.dll also if i do preliminary login to the
> card, than i've access to the portal ...

If I understand what you're saying, I think the reason this is happening is Firefox is trying to construct the client certificate chain that it sends to the server. Because it doesn't necessarily know which module the issuing certificate for the client certificate is on, it tries them all.

We've made some recent changes to how we handle PKCS#11 modules, but it hasn't made it to release yet - would you mind trying to reproduce the hang with Nightly? ( https://www.mozilla.org/en-US/firefox/channel/desktop/#nightly )

    
    

    
  
Is Nightly a new special version of Firefox browser?

    
    

    
  
Yes, Nightly is where new development happens on Firefox. Every 6 weeks or so changes from Nightly go to Beta and the previous Beta gets released as a new version of Firefox.

    
    

    
  
I've downloaded and installed Nightly ...

problems are the same ... (identically)

you can find the Nightly browser report here : https://crash-stats.mozilla.com/report/index/bp-d9d1798f-1c0f-49eb-9ebd-f80270171109

there is a special test page on the certifications authority website that make a report of certificate and test the communication ... internet explorer work fine there
I'm going to post the printscreen of this test page with internet explorer browser ...

i've tryed to make the test with Nightly browser ... it crash again and you can find the crash report here: https://crash-stats.mozilla.com/report/index/bp-61034391-a6e1-48c5-89af-49c390171109

i think there is wrong data that are sent by Firefox and Nightly browsers to certification authority...
(again ... with preliminary login to the card, i've login to the portal !!! .... so on the preliminary login phase, Firefox send right data to the certification authority) 

i think you have to search for difference between these two procedure (on web browsing login and preliminary login to the card)

thanks.

    
    

    
  
Franziskus, any idea how we might be deadlocking at security/nss/lib/pki/tdcache.c:897? See the socket thread in each of the crash reports from comment 31.
Flags: needinfo?(franziskuskiefer)

    
    

    
  
The only way I can see how this could deadlock is when there's another thread racing for the lock. The way the problem is described it sounds like one of the two PK11 modules somehow lock the cache in a weird way so that one doesn't release properly. If we had a PK11 test framework, we might be able to reproduce and test this. Without, I'm not sure how proceed as I don't see an obvious code path that could trigger this.
Flags: needinfo?(franziskuskiefer)

    
    

    
  
Many thanks to all...
waiting for news ... Meanwhile I will be forced to use internet explorer :(

    
    

    
  
Well, you could raise this issue to the manufacturers of the smartcards you're using. Unfortunately I don't think there's much we'll be able to do on our end, short of bug 1396030.

    
    

    
  
but this is absurd ... paper and certificates work well !!! also the portals work fine ....
Mozilla handles login badly ...

Pre login to the card = correct data are sent
browsing login = wrong data is sent ...

sorry but i'm disappointed ...

    
    

    
  
* but this is absurd ... smart card and certificates work well !!!

    
    

    
  
I realize this is frustrating, and I'm sorry we don't have a solution for you. In the meantime, either the manufacturers of those cards will release a fix or bug 1396030 will address this.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE

    
    

    
  
This bug is duplicate of #1101547
Loading multiple PKCS#11 modules leads to deadlock
After 3 years this problem, well documented with stack traces and always reproducible, still here and no one is able to fix it.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: