Remember user's client certificate selection across sessions
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox81 | --- | fixed |
People
(Reporter: t.petrzilka, Assigned: mbirghan)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned])
Attachments
(2 files, 3 obsolete files)
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0b11) Gecko/20100101 Firefox/4.0b11 Build Identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.0b11) Gecko/20100101 Firefox/4.0b11 When page requires user certificate for https connection, the dialog for selecting right certificate comes every time after browser restart, although, option at the bottom of dialog to remember my choice was previously selected. (certificate is already successfully imported in browser) Reproducible: Always Steps to Reproduce: 0.Goto site configured for https connection requiring user certificate, select right certificate and mark checkbox to remember this choice in the dialog, continue. 1.Restart Firefox 2.Goto site configured for https connection requiring user certificate Actual Results: The dialog for selecting certificate shows up again. Expected Results: Firefox should connect to the site without any inquiries about selecting certificate.
Comment 2•13 years ago
|
||
Adg asked to have this bug assigned to them.
Comment 3•13 years ago
|
||
I was not able to reproduce the bug on Firefox/4.0b11 as told. If you check the button corresponding to the "permanently store this exception" firefox successfully remembers->options->advanced->encryption->view certificates->servers.
Updated•13 years ago
|
Tomas, can you try to reproduce this with the latest nightly Firefox 4.0b12pre? Thanks.
I can confirm, that FF 4.0b12 (not nightly) is still behaving as described before. Also when the dialog for choosing the certificate is canceled it won't come back after attempt for another connection to the server. ---- Firefox 4.0b12 Mozilla/5.0 (Windows NT 6.1; rv:2.0b12) Gecko/20100101 Firefox/4.0b12
(In reply to comment #3) > I was not able to reproduce the bug on Firefox/4.0b11 as told. If you check the > button corresponding to the "permanently store this exception" firefox > successfully remembers->options->advanced->encryption->view > certificates->servers. The certificate is client-side so the exception dialog in: options->advanced->encryption->view certificates->servers is not useful cause there is no server URL to remember the exception for. The dialog I described is IMHO shown at very rare circumstances as for professional use mostly.. But still used.. It's just a glitch with lower importance..
Adding Paul to the cc list of this bug. Paul, is there some interaction with Session Store that could be causing this bug? Tomas, would it be possible for you to either link or attach a test case we can use to try to reproduce this bug?
Comment 8•13 years ago
|
||
(In reply to comment #7) > Adding Paul to the cc list of this bug. Paul, is there some interaction with > Session Store that could be causing this bug? Session Restore doesn't do anything with certs, so highly unlikely.
Comment 9•13 years ago
|
||
I also have this problem with an Aladdin E-Token.
Comment 10•13 years ago
|
||
I had the same 'issue' as described above, but I recognized the flag "Options->Advanced->Encryption->Certificates - When a site asks for a certificate:" (or similar, using German version). I switched from "Ask everytime" to "Select one automatically". However, I'm not sure what this means exactlly does - in my opinion this misses a third option like "Ask only if new" or something. Maybe "Ask everytime" just ignores already stored site-cert associations? --- Firefox 7.0.1 (German) Win 7 x64
Comment 11•9 years ago
|
||
I have been annoyed by this problem for years, mentioned in in talks, discussed it with Anne van K in the TAG, and general taken it as indicating a lack of interest at Mozilla in client-side certs. (Chrome does not have this problem, and so is easier to use if you use client certs a lot.) At least from the discussion here it seems to be recognized as bug -- but has a status of "UNCONFIRMED" surprises me. So maybe it difficult to reproduce. If it is supposed to work, where is the site->cert mapping stored?
For what it's worth, I can reproduce the bug. You're right that client-side certificate-related features aren't a high priority right now, since the majority of our users don't use them. It's unfortunate, but limited engineering resources mean we can't address everything we might want to.
Comment 13•9 years ago
|
||
Sufficient support of client certificates is one of the reasons, I use FireFox. (In reply to Tim Berners-Lee from comment #11) > So maybe it difficult to reproduce. To my experience reproduction of this issue requires not very typical configuration: it need user, having several the same time valid client certificates in a certification chain. That, as I know, is not typical. In the rest cases auto-fit client certificate works rather well. (In reply to David Keeler [:keeler] (use needinfo?) from comment #12) > For what it's worth, I can reproduce the bug. You're right that client-side > certificate-related features aren't a high priority right now, since the > majority of our users don't use them. It's unfortunate, but limited > engineering resources mean we can't address everything we might want to. Orienting on popularity NOW you can miss future. Support of client certificates is not widely spread (yet?), but very _important_ (!) feature. This feature (client certificates) is lessly used, than it should, because of insufficient support in clients. And is lessly supported because of rare use. P.S. Not long ago I've generate a certificate set for localhost to reproduce this issue. If Mozilla developers need, I can attach these certs to this bug and, if necessary, consult in configuration of Apache web server (although it seems to be trivial).
This bug could have a more straightforward summary.
Comment 17•8 years ago
|
||
Ref. my reply to related Thunderbird bug 803975 comment #6 In the present context, does the behaviour happen even if the preference "Ask me every time" is not selected? In any case there is still Tim Berners-Lee's question in comment #11: > If it is supposed to work, where is the site->cert mapping stored?
Comment hidden (advocacy) |
Comment hidden (advocacy) |
Comment hidden (off-topic) |
Assignee | ||
Comment 24•5 years ago
|
||
Comment 25•5 years ago
|
||
(In reply to Tomáš from comment #6)
(In reply to comment #3)
The dialog I described is IMHO shown at very rare circumstances as for
professional use mostly.. But still used..
No, it happens to everyone who uses certificates* to do their taxes online, access their bank account etc.
- even with a single installed certificate, the dialog is shown each time
Assignee | ||
Comment 26•5 years ago
|
||
Updated•5 years ago
|
Comment 27•4 years ago
|
||
Found this bugzilla-entry by googleing for a solution for my problem - I have two client-certificates - one already expired and one is valid.
By default the already expired certificate is selected (due to the lower serial-number?) which is annoying because no error-message is displayed if I try to connect to the server with this expired client-cert - just an empty page. Checked with the webdeveloper-tools - there is a message that is at least a hint for the error that just occured ("SSL_ERROR_EXPIRED_CERT_ALERT").
And yes - I checked the "remeber this decision" for the valid client-cert with the higher serial-number. But after a browser-restart the expired certificate is the default-selection again.
Yes - the workaround would be to remove the expired client-cert from Firefox' certificate-store. But a workaround does not eliminate a bug ;-)
If I can help with some testing from user's side (as I am "only" a webdeveloper and webserver-admin, not a Firefox-programmer) I will be happy to do so.
Updated•4 years ago
|
Assignee | ||
Comment 28•4 years ago
|
||
Depends on D54336
Assignee | ||
Comment 29•4 years ago
|
||
Depends on D54336
Comment 30•4 years ago
|
||
Pushed by shindli@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a538b0497336 Refactoring nsClientAuthRememberService to work as a service r=keeler
Comment 31•4 years ago
|
||
Backed out changeset a538b0497336 (Bug 634697) for causing android build bustages in /builds/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp CLOSED TREE
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=290853789&repo=autoland&lineNumber=33084
Comment 32•4 years ago
|
||
Backout by shindli@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4143bf08dfe6 Backed out changeset a538b0497336 for causing android build bustages in /builds/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp CLOSED TREE
Moritz - when you fix the build issues, let's land this in a new bug so that the original purpose of this bug doesn't get lost.
Comment 34•4 years ago
|
||
Comment on attachment 9126100 [details]
Bug 634697 - Refactoring nsClientAuthRememberService to work as a service
Revision D62585 was moved to bug 1618710. Setting attachment 9126100 [details] to obsolete.
Comment 35•4 years ago
|
||
Comment on attachment 9110916 [details]
Bug 634697 - Remember user's client certificate selection across sessions
Revision D54336 was moved to bug 1620976. Setting attachment 9110916 [details] to obsolete.
Assignee | ||
Updated•4 years ago
|
Comment 36•4 years ago
|
||
Dana, it looks like this new data storage could effectively be used as a source for (abridged) browser history and should come under our regular data clearing mechanisms, so that "clear recent history...", "forget about this site", the forget button and other mechanisms we have clear the data when the user chooses to do that. Can that happen here, or if not, would you mind filing a follow-up bug to hook this all into nsIClearDataService, if that's not already part of the patches here? That way we don't end up creating a privacy liability when fixing this bug. Thank you!
Yes, that can happen here. Thanks for the reminder!
Comment 40•4 years ago
|
||
Pushed by dluca@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/928233ea49ee Add permanent storage to user's client certificate selection r=keeler,baku,fluent-reviewers,Gijs
Comment 41•4 years ago
•
|
||
Backed out changeset 928233ea49ee (bug 634697) for causing leaks. CLOSED TREE
Logs:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=309847107&repo=autoland&lineNumber=1730
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=309847733&repo=autoland&lineNumber=1119
Push with failures:
https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&revision=928233ea49eeca3dddc25d4cdc59995b17f78092
Backout:
https://hg.mozilla.org/integration/autoland/rev/840f993400695f8c67d44b35f5f7f4b2c4bcf5fd
Edit:
Also afected a few other tests, including Mochitest and XPCshell:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=309847069&repo=autoland&lineNumber=1738
https://treeherder.mozilla.org/logviewer.html#?job_id=309847739&repo=autoland
Assignee | ||
Updated•4 years ago
|
Updated•4 years ago
|
Comment 42•4 years ago
|
||
Pushed by abutkovits@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/441baa36ba93 Add permanent storage to user's client certificate selection r=keeler,baku,fluent-reviewers,Gijs
Comment 43•4 years ago
|
||
Backed out for failure at test_sss_readstate.js.
Backout link: https://hg.mozilla.org/integration/autoland/rev/f6e962ff9eb45359b95ec15f6471436fe74fef47
Failure log for xpcshell: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=311406771&repo=autoland&lineNumber=2903
Failure log for mochitest: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=311406741&repo=autoland&lineNumber=8155
Comment 44•4 years ago
|
||
Pushed by abutkovits@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7142dd253e6d Add permanent storage to user's client certificate selection r=keeler,baku,fluent-reviewers,Gijs
Comment 45•4 years ago
|
||
bugherder |
Assignee | ||
Updated•4 years ago
|
Comment 46•4 years ago
|
||
I tested the 81 nightly.
Observations:
-
("Remember this decision" is selected) clicking Cancel does not really Cancel, but remembers "user wants to use the web site without a client certificate"
On next use, FF will not ask for certificate choice, but proceed with no certificate. This is IMO wrong. Cancel should mean "don't do anything". -
("Remember this decision" is NOT selected) clicking Cancel , just brings up the same dialog again. And again. I guess it is displayed for every HTTP request (for every embedded image, JS, CSS and so on ). This is also bad.
Also, in the second case, after I clicked Cancel 5 times, I selected OK. The page was then displayed, but with many elements missing (CSS, images). After I refreshed it, the main HTML did not see the selected certificate (in the first try it did). This is against my expectations. I would expect the first load (when I selected Cancel) to NOT see my certificate, and the second refresh to see it (because I selected one and had the "remember" option selected too).
Assignee | ||
Comment 47•4 years ago
|
||
These observations should in my opinion be handled in a different bug. They seem to show issues with the general client cert dialog.
This patch is focused on how remembering decisions are handled and persistently stored after the user interaction with the client cert dialog.
Comment 48•4 years ago
|
||
Indeed - this patch has landed, and we try and stick to 1 issue per bug, or bugs devolve into never-ending sagas where it's unclear which things got fixed for which releases. Please file a bug for the cancel vs. remember behaviour, and a separate one for the refresh behaviour (with more detailed steps and ideally with a testcase, as the behaviour of "the page" may well depend on JS (that was potentially cached from the "cancel" request before?) and to debug that we'd need to see an actual broken case).
Comment 50•4 years ago
|
||
cancel vs remember is already submitted: bug 537103 , but marked as a duplicate of another bug that is marked INCOMPLETE.
Should I try to revive it or just file a new one?
Updated•4 years ago
|
Comment 51•4 years ago
|
||
(In reply to David Balažic from comment #50)
cancel vs remember is already submitted: bug 537103 , but marked as a duplicate of another bug that is marked INCOMPLETE.
Should I try to revive it or just file a new one?
Just filing a new one is probably more straightforward. Thank you!
Comment 53•4 years ago
|
||
and bug 1657591 for the "dialog appears several times"
Comment 57•3 years ago
|
||
Is it really fixed? I recently updated to 91 ESR (Linux), I still have the popup appearing as it did before. I.e. I check "remember choice", hit OK, and some time after (when connection is reestablished, apparently), the dialog appears again. The same with browser restarts.
Comment 58•3 years ago
|
||
And somehow hitting Esc (which is easy to do accidentally as this freaking dialog appears randomly) when this dialog appears somehow is remembered very well, as I'm not prompted again (and certificate is not sent) until browser is restarted.
Comment 59•3 years ago
|
||
(In reply to WGH from comment #57)
Is it really fixed? I recently updated to 91 ESR (Linux), I still have the popup appearing as it did before. I.e. I check "remember choice", hit OK, and some time after (when connection is reestablished, apparently), the dialog appears again. The same with browser restarts.
Please note, that pop-up confirmation of authentication with selected certificate differs from remembering selected certificate in list of available.
Comment 60•3 years ago
|
||
If that's true, then the fix is almost useless. It does not address the main frustration: the dialog appearing over and over again.
Comment 61•2 years ago
|
||
I use Firefox v94 and it works fine: I select the certificate for a website and it is remembered "forever". It never asks again (for that website).
The list of remembered certificates choices can be seen in Settings / Certificates / View Certificates , in the tab titled "Authentication Decisions".
Comment 62•2 years ago
|
||
Okay, thanks for the input! I have such tab, but its contents are empty. Gotta debug it, and depending on the result, will either post a short comment here, or create a new bug.
Comment 63•2 years ago
|
||
I tried to solve this on my own, but I couldn't. I created a new bug 1746532
Comment 64•2 years ago
|
||
In the end, this was caused by serial numbers longer than 20 bytes. After I reissued certificate with shorter serial, choice is properly remembered. I also had to manually clean up ClientAuthRememberList.txt to make "Authentication Decisions" tab show anything (having even one long serial breaks it competely, apparently).
Description
•