Closed
Bug 1412801
Opened 7 years ago
Closed 7 years ago
i'm italian, i've strange authentication problems on public administration portals with smart card
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1396030
People
(Reporter: scncld66, Unassigned)
Details
Attachments
(14 files)
189.79 KB,
image/png
|
Details | |
377.53 KB,
image/jpeg
|
Details | |
405.83 KB,
image/jpeg
|
Details | |
341.99 KB,
image/jpeg
|
Details | |
414.09 KB,
image/jpeg
|
Details | |
394.63 KB,
image/jpeg
|
Details | |
213.04 KB,
image/jpeg
|
Details | |
393.86 KB,
image/jpeg
|
Details | |
217.94 KB,
image/jpeg
|
Details | |
115.38 KB,
text/plain
|
Details | |
83.60 KB,
image/png
|
Details | |
106.17 KB,
text/plain
|
Details | |
100.99 KB,
text/plain
|
Details | |
61.93 KB,
image/png
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; rv:56.0) Gecko/20100101 Firefox/56.0 Build ID: 20171024165158 Steps to reproduce: Excuse me for my bad english .. I'm a fireman and the department gave me a card ... card work fine with internet explorer and i can access to all portals of italian government (card have also digital sign) 1. browsing web with Mozilla and smart card login cause a problem ... 2. preliminary login allow navigation - i operate this: menu OPTIONS> PRIVACY & SECURITY> SECURITY DEVICES> and on the left column MODULES AND SECURITY DEVICES, i choose the device ARUBA_ATE> ATE> (these are my device and card) thus i have login (after this, i've login to the portals...!!!) Actual results: 1. operate as the previous point 1, it freeze all (navigation) on login to a public administration portal ... see image attached file ... it freeze all on executing TLS handshake at ... 2. operate as the previous point 2, with preliminary login to the card, Firefox allow acces to the portals ... (I can't post more of 1 image ... i've other picture of me logged in to the portals...) Expected results: have login by normal browsing normal browsing do not allow login ... login by normal browsing will cause freeze all browsing (new tab or new sites) ... browser do not crash, i have access to option and other menù ... With internet explorer i have regulary login to the portals, so card and certificates are fine !!! by deactivate Kaspersky Antivirus and delete all cookies and temporary file the problem still the same... How can i post more pictures ? Thanks.
Thank you for filing this bug. A few questions: Does your device do protected authentication? That is, does it provide its own window that you use to log in or do you just type a password/pin into a window that Firefox opens? When your browsing freezes, do other things like Firefox menus freeze as well? Is the entire browser locked up? Are there any reports in about:crashes (you may have to copy/paste that or manually type it into a new tab) that were created as a result of Firefox hanging? Thanks! You should be able to add more attachments (pictures) by clicking the "Attach File" link above comment 0.
Flags: needinfo?(scncld66)
Many thanks to you and excuse me for my bad english... - Does your device do protected authentication? RE: yes, i've to digit a PIN - When your browsing freezes, do other things like Firefox menus freeze as well? Is the entire browser locked up? RE: No, i can operate menù, add new tabs ecc... however navigation freeze ... i can't acces to other website ... also in a new tab or window. - Are there any reports in about:crashes (you may have to copy/paste that or manually type it into a new tab) that were created as a result of Firefox hanging? RE: no, i've no message or report ... the browser freezes for a long time so i close the browser ... Now I will keep open browser for more time than I'll let you know.... I try to attach pictures files step by step on freeze (normal login) procedure ... I hope they are useful Thank you again
Flags: needinfo?(scncld66)
step 2 - choice of login method, password, pin or smartcard ... then login
step 4 - Choice of certificate... the only one possible and the right one !!!
step 5 - TLS handshake and browser freezing !!! no navigation !!!
step 6 - add new tab ... also in the new tab navigation is freezed ... browser UI is ok !!! .. now i'm waiting for a message or a report ...
step 7 - 30 minutes later the browser still frozen ... then i close the window and the browser ... No error message and no report !!!!
Reporter | ||
Comment 10•7 years ago
|
||
these are the steps of my attempt to login ... thank you very much....
Reporter | ||
Comment 11•7 years ago
|
||
hi there ... I managed to make a video of my screen, where it shows the preliminary login and the next access to the portal !!! you can find the video here ... http://www.scandella.org/login.m4v thank you very much ....
Thanks! In that video, it seems you have two PKCS#11 modules loaded - one called "Aruba_Ate" and another called "Athena PKCS#11 Module". Are you sure you need both of those? It looks like they might be managing the same physical device ("Generic Usb Smart Card Reader 0"), which could cause problems. Maybe try removing the "Athena" module? (although first make a note of its path so you can add it back if necessary)
Flags: needinfo?(scncld66)
Reporter | ||
Comment 13•7 years ago
|
||
Athena PKCS#11 Module is another module ... it's needed for another CNS card of the National Medical Service ... now I'm going to remove it, then i do a reset of my PC then i try again to login ... Thank you...
Flags: needinfo?(scncld66)
Reporter | ||
Comment 14•7 years ago
|
||
i confirm that, removing the module my new smartcard work fine !!!! ... i've login.... i try'd to load the module and assign it a different name but the problem still again... the only one way is remove the module ... why appears module conflict ??? why the module conflict freeze Firefox navigations ? ... also the one in a new tab ??? how can i avoid module conflict ? why on internet explorer no problems appear than Firefox ? can Firefox developers optimize the code ? Thanks...
Without knowing what specifically is causing the lockup, it would be hard to fix. One thing you could try is to get Firefox to freeze again and then following the steps at https://superuser.com/questions/678054/force-firefox-to-crash-or-trick-firefox-into-thinking-it-has-crashed-on-windows#answer-678426 to make Firefox crash (note that this will crash firefox, so save all of your work first). Then, after opening up Firefox again there should hopefully be a link in about:crashes that may tell me more about what's going on. I believe Internet Explorer uses the underlying OS-level APIs, so it avoids using these libraries alltogether, so it works better.
Flags: needinfo?(scncld66)
Reporter | ||
Comment 16•7 years ago
|
||
I tried to perform the forced Mozilla Firefox crash ... Taskkill /IM firefox.exe /F does not work .... Firefox recover perfectly the session and the opened tabs ... The Mozilla tool at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe work fine ... I'm going to post the generated report file named "crash report mozilla firefox.txt" and the popup's printscreen (also i sent the report to Mozilla from the popup windows) Thank you...
Flags: needinfo?(scncld66)
Reporter | ||
Comment 17•7 years ago
|
||
Reporter | ||
Comment 18•7 years ago
|
||
Is there a corresponding link in about:crashes? That will link to https://crash-stats.mozilla.com , which presents the report in a way that's much easier to decipher.
Flags: needinfo?(scncld66)
Reporter | ||
Comment 20•7 years ago
|
||
what do you mean for "about:crashes"? i've got only "details..." button ("dettagli..." in italian language... see picture) on the crash popup ... see next posted picture ... content of "details..." popup is identically the content of the next posted txt file ... i can't find no link on it... i've no other web page when i go to restart mozilla (i've already sayd this)... "Firefox recover perfectly the session and the opened tabs". Thanks.
Flags: needinfo?(scncld66)
Reporter | ||
Comment 21•7 years ago
|
||
Reporter | ||
Comment 22•7 years ago
|
||
i can't find no link in it... i've no other web page when i go to restart mozilla (i've already sayd this)... "Firefox recover perfectly the session and the opened tabs".
Reporter | ||
Comment 23•7 years ago
|
||
UPDATE: the next posted txt file is the content of popup in the "Firefox natural crash..." excuse me for my bad english ... the popup appears about 3 minutes after i've closed the frozen Firefox window... so it's not necessary to operate a forced crash using the tool "crashfirefox.exe" at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe i hope it's usefull ... Thank...
Reporter | ||
Comment 24•7 years ago
|
||
Sorry - I wasn't being clear. If you open Firefox again and type "about:crashes" (without the quotes) into the urlbar, you should get a page that lists the crash reports Firefox has collected. I imagine the most recent few are from when you've used crashfirefox. If you copy/paste those links, I might be able to get a better idea of what's going on when Firefox locks up.
Reporter | ||
Comment 26•7 years ago
|
||
oh...!!! it's all right !!! thank you .... i've just done it ... some Firefox crashes was caused by ebay navigations... i've eliminated all the logs then i've done again a Firefox crash (with the card use)... here the link ... https://crash-stats.mozilla.com/report/index/bp-21c8dbd9-6b74-4cca-a305-ad1ab1171108 seem that Firefox contact the wrong module (asepkcs.dll instead of bit4xpki.dll), also if the browser show the the right one certificate ... i wait for news ... thank you.
Reporter | ||
Comment 27•7 years ago
|
||
i'm stunned ... seem that Firefox contact asepkcs.dll also if i do preliminary login to the card, than i've access to the portal ... later i operate a forced crash using the tool "crashfirefox.exe" at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe here the log.... https://crash-stats.mozilla.com/report/index/bp-cfdd0ec9-8dc0-4613-a634-b58cc1171108 LOGS BRIEF: log for no access and natural crash: https://crash-stats.mozilla.com/report/index/bp-21c8dbd9-6b74-4cca-a305-ad1ab1171108 log for preliminary login to the card, then login to the portal, logout and crash forced using the tool "crashfirefox.exe": https://crash-stats.mozilla.com/report/index/bp-cfdd0ec9-8dc0-4613-a634-b58cc1171108 thank you.
(In reply to Claudio from comment #27) > seem that Firefox contact asepkcs.dll also if i do preliminary login to the > card, than i've access to the portal ... If I understand what you're saying, I think the reason this is happening is Firefox is trying to construct the client certificate chain that it sends to the server. Because it doesn't necessarily know which module the issuing certificate for the client certificate is on, it tries them all. We've made some recent changes to how we handle PKCS#11 modules, but it hasn't made it to release yet - would you mind trying to reproduce the hang with Nightly? ( https://www.mozilla.org/en-US/firefox/channel/desktop/#nightly )
Reporter | ||
Comment 29•7 years ago
|
||
Is Nightly a new special version of Firefox browser?
Yes, Nightly is where new development happens on Firefox. Every 6 weeks or so changes from Nightly go to Beta and the previous Beta gets released as a new version of Firefox.
Reporter | ||
Comment 31•7 years ago
|
||
I've downloaded and installed Nightly ... problems are the same ... (identically) you can find the Nightly browser report here : https://crash-stats.mozilla.com/report/index/bp-d9d1798f-1c0f-49eb-9ebd-f80270171109 there is a special test page on the certifications authority website that make a report of certificate and test the communication ... internet explorer work fine there I'm going to post the printscreen of this test page with internet explorer browser ... i've tryed to make the test with Nightly browser ... it crash again and you can find the crash report here: https://crash-stats.mozilla.com/report/index/bp-61034391-a6e1-48c5-89af-49c390171109 i think there is wrong data that are sent by Firefox and Nightly browsers to certification authority... (again ... with preliminary login to the card, i've login to the portal !!! .... so on the preliminary login phase, Firefox send right data to the certification authority) i think you have to search for difference between these two procedure (on web browsing login and preliminary login to the card) thanks.
Reporter | ||
Comment 32•7 years ago
|
||
Franziskus, any idea how we might be deadlocking at security/nss/lib/pki/tdcache.c:897? See the socket thread in each of the crash reports from comment 31.
Flags: needinfo?(franziskuskiefer)
Comment 34•7 years ago
|
||
The only way I can see how this could deadlock is when there's another thread racing for the lock. The way the problem is described it sounds like one of the two PK11 modules somehow lock the cache in a weird way so that one doesn't release properly. If we had a PK11 test framework, we might be able to reproduce and test this. Without, I'm not sure how proceed as I don't see an obvious code path that could trigger this.
Flags: needinfo?(franziskuskiefer)
Reporter | ||
Comment 35•7 years ago
|
||
Many thanks to all... waiting for news ... Meanwhile I will be forced to use internet explorer :(
Well, you could raise this issue to the manufacturers of the smartcards you're using. Unfortunately I don't think there's much we'll be able to do on our end, short of bug 1396030.
Reporter | ||
Comment 37•7 years ago
|
||
but this is absurd ... paper and certificates work well !!! also the portals work fine .... Mozilla handles login badly ... Pre login to the card = correct data are sent browsing login = wrong data is sent ... sorry but i'm disappointed ...
Reporter | ||
Comment 38•7 years ago
|
||
* but this is absurd ... smart card and certificates work well !!!
I realize this is frustrating, and I'm sorry we don't have a solution for you. In the meantime, either the manufacturers of those cards will release a fix or bug 1396030 will address this.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 40•6 years ago
|
||
This bug is duplicate of #1101547 Loading multiple PKCS#11 modules leads to deadlock After 3 years this problem, well documented with stack traces and always reproducible, still here and no one is able to fix it.
You need to log in
before you can comment on or make changes to this bug.
Description
•