SSL Client Authentication dialog (certificate selection) - not all eligible client certificates are displayed when the certificates have identical nicknames and different subjects




(Reporter: Ondrej Vaclavek, Unassigned)


29 Branch
Windows 7

(1 attachment)



Created attachment 8438238

Practical example / Steps to reproduce:

1) Import 2 or more SSL client auth certificates to a security device (tested with a HW crypto token). The certificates have to have the same subject CN and O, but different OUs (see attached cert_details.png). Also, the certificates should be imported directly from a website.
2) Attempt to do SSL client auth with these certificates.

What happens:
Only one of the certificates is presented to the user in the cert selection dialog.

What is expected:
All the imported certificates compatible with the server should be visible in the selection dialog.

Discovered in version 22.0, still present in 29.0.1. It is similar in nature to #278689, but for SSL. The cause is probably similar as well.

What I think is happening:
Because of the way nicknames are assigned during the import process, all imported certificates with the same CN and O fields get the same nickname. When the certs are fetched from the browser's cert database, the "best" certificate is selected for each nickname. The subjects of all certs with the same nickname are compared to the "best" certificate. Certs with a non-matching subject are removed from the selection process and do not make it to the dialog where the user selects a cert to authenticate the SSL connection.

If I make the nicknames of the certs different (through a P11 tool, changing the CKA_LABEL attribute of the certificate objects), all of the certificates are available in the login dialog: for each nickname there is only one cert, which becomes the "best" one and always passes the subject match test.
When the certificates have equal subjects, they all pass the subject test and are available in the login dialo
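To make the selection behaviour described in the report concrete, here is an added Python model (constructed for this page, not Firefox or NSS code) of the per-nickname filtering as the reporter describes it, next to a variant keyed on each certificate's own subject and issuer, plus the reporter's CKA_LABEL workaround. The nickname format, the "first cert in a group is best" rule, and the sample DNs are assumptions.

```python
"""Model of client-cert selection as described in the bug report.
Constructed illustration; the real NSS/PSM code is not reproduced here."""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cert:
    nickname: str  # CKA_LABEL assigned at import (assumed "CN:O" format)
    subject: str   # full subject DN, including the OU that differs
    issuer: str    # issuer DN, matched against the server's accepted CAs


def select_by_nickname(certs, accepted_issuers):
    """Reported behaviour: group by nickname, pick a 'best' cert per group,
    and drop siblings whose subject differs from it."""
    by_nick = defaultdict(list)
    for c in certs:
        if c.issuer in accepted_issuers:
            by_nick[c.nickname].append(c)
    shown = []
    for group in by_nick.values():
        best = group[0]  # assumption: the 'best' rule is opaque; take the first
        shown.extend(c for c in group if c.subject == best.subject)
    return shown


def select_by_identity(certs, accepted_issuers):
    """Expected behaviour: key on (subject, issuer), never on the nickname."""
    seen, shown = set(), []
    for c in certs:
        key = (c.subject, c.issuer)
        if c.issuer in accepted_issuers and key not in seen:
            seen.add(key)
            shown.append(c)
    return shown


def with_unique_labels(certs):
    """Reporter's workaround: give every cert object a distinct CKA_LABEL."""
    return [replace(c, nickname=f"{c.nickname} #{i}") for i, c in enumerate(certs)]


# Constructed sample: same CN and O, different OU -> identical nickname.
SAMPLE = [
    Cert("Jane Doe:Example Org", "CN=Jane Doe,OU=Sales,O=Example Org", "CN=Example CA"),
    Cert("Jane Doe:Example Org", "CN=Jane Doe,OU=Support,O=Example Org", "CN=Example CA"),
    Cert("Jane Doe:Example Org", "CN=Jane Doe,OU=Sales,O=Example Org", "CN=Other CA"),
]
ACCEPTED = {"CN=Example CA"}  # the server's accepted issuer list (constructed)
```

With the sample above the per-nickname path shows one certificate, while both the identity-keyed path and the relabelled certificates yield the two eligible ones.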