Note: There are a few cases of duplicates in user autocompletion which are being worked on.

"Remember this decision" option in "User Identification Request" (client-side cert authentication) dialog does not work

NEW
Unassigned

Status

()

Core
Security: PSM
P3
normal
3 years ago
a year ago

People

(Reporter: David Balažic, Unassigned)

Tracking

(Blocks: 1 bug)

32 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-clientauth])

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

Visit a HTTPS site that requires a client certificate.
Select the certificate from the list in the "User Identification Request", uncheck the "Remember this decision" option.
Visit another URL with the same hostname.


Actual results:

Page loads with no prompt.


Expected results:

The second URL should ask for the certificate to be selected again, as "Remember this decision" was not selected.


Basically, regardless of the checkbox state of the "Remember this decision" option, the choice is always remembered.

This used to work in older versions.
(Reporter)

Updated

3 years ago
Component: Untriaged → Security

Updated

3 years ago
Component: Security → Security: UI
Product: Firefox → Core
Summary: "Remember this decision" option in "User Identification Request" dialog does not work → "Remember this decision" option in "User Identification Request" (client-side cert authentication) dialog does not work

Updated

3 years ago
Keywords: regression, regressionwindow-wanted

Comment 1

3 years ago
I want Firefox to remember to use my hardware token certificate, but it's not remembering, and instead giving me the same dialog box every time I restart the browser and go to the protected page.

Comment 2

3 years ago
Created attachment 8558569 [details]
userIdentificationRequest.png

Screenshot of the bane of my existence.

Comment 3

3 years ago
(In reply to Penelope Fudd from comment #2)
> Created attachment 8558569 [details]
> userIdentificationRequest.png
> 
> Screenshot of the bane of my existence.

Can either you or David run mozregression ( http://mozilla.github.io/mozregression/ ) to figure out when this broke?

(I normally help do this kind of thing myself, but I don't have a setup involving client-side certs, so it's difficult to do this myself without spending several days trying to get this kind of thing set up)

Also CC'ing :keeler and :bsmith in case they have ideas about why/when this broke...
Flags: needinfo?(david.balazic)
Flags: needinfo?(bugzilla.mozilla.org)

Comment 4

3 years ago
Do you know how to get mozregression to preload a personal certificate and run firefox twice?
Flags: needinfo?(bugzilla.mozilla.org)

Comment 5

3 years ago
(In reply to Penelope Fudd from comment #4)
> Do you know how to get mozregression to preload a personal certificate and
> run firefox twice?

You can specify a Firefox profile directory/path to use with the --profile option.

I'd recommend creating a new profile for testing (so that your testing doesn't mess with your main Firefox profile) using steps from https://support.mozilla.org/kb/profile-manager-create-and-remove-firefox-profiles . You can find out its path by going to "about:support" (Help > Troubleshooting Information) and clicking the button next to "Profile Folder".

Thanks for helping!
Flags: needinfo?(bugzilla.mozilla.org)
(Reporter)

Comment 6

3 years ago
It never did that (AFAIK) and is not designed to work that way.
This is unrelated to this bug.
(Reporter)

Comment 7

3 years ago
(In reply to Penelope Fudd from comment #1)
> I want Firefox to remember to use my hardware token certificate, but it's
> not remembering, and instead giving me the same dialog box every time I
> restart the browser and go to the protected page.

The above coment #6 was meant as a replay to comment #1 , somehow it was misquoted... sorry for spam
Flags: needinfo?(david.balazic)

Comment 8

3 years ago
You mean firefox has never remembered the decision to use the hardware token, even though it's got a checkbox for it?

This problem also happens when I use a certificate.  If it wasn't designed to do that either, then I'm at a loss for what it was designed to do.  It's as if the checkbox did nothing.
Flags: needinfo?(bugzilla.mozilla.org)
(Reporter)

Comment 9

3 years ago
It remembers the choice for the duration of the session. If you exit and restart Firefox, it will ask again.
It remembers until you close Firefox.
That is how it works (or worked) for "software" certificates, I don't use hardware tokens, so can't say how it worked with them.
David, did you ever have any luck reproducing this with mozregression? Is this bug still affecting you with newer versions?
Flags: needinfo?(david.balazic)
(Reporter)

Comment 11

2 years ago
It is still the same with 41.0.1 (tried with a fresh profile).
Did not do the mozregression thing yet.
Flags: needinfo?(david.balazic)
Thanks for the reply. Given the difficulty in reproducing the issue, getting a good regression range is probably the best chance we have of tracking down the problem here. I appreciate your willingness to do help :)
Hi David, we're still interested in a regression range here if you're able to hunt it down. Let me know if you need any assistance with getting mozregression working and I'd be happy to help.
Flags: needinfo?(david.balazic)

Comment 14

2 years ago
WFM on Fx41.0 with https://www.bennish.net/certs/, it re-prompt to certificate when Ctrl+F5 to reload the page (https://www.bennish.net/certs/login/), although it is not a second URL. However, it seems forced remember the cancellation, I got the "Access Denied!" if once cancel it, Ctrl+F5 does not purge the cache.
Blocks: 159274
(Reporter)

Comment 15

2 years ago
It seems the selection is remembered for the length of the SSL session?
No matter what URL I open on the same site, it does not ask again for the certificate.

ctrl-F5 on the other hand asks for it.

Client certificate handling is chaotic anyway, what happened to the project aiming to improve it? (that is bug 511384 )
Flags: needinfo?(david.balazic)
(Reporter)

Comment 16

2 years ago
(In reply to :Gijs Kruitbosch from comment #3)
> (I normally help do this kind of thing myself, but I don't have a setup
> involving client-side certs, so it's difficult to do this myself without
> spending several days trying to get this kind of thing set up)

The mentioned URL can be used for testing. You can also get a certificate there: https://www.bennish.net/certs/

Comment 17

2 years ago
Can you try using mozregression ( http://mozilla.github.io/mozregression/ ) to narrow down how this broke? At the moment I do not have time to do this for you.
Flags: needinfo?(david.balazic)
Hi David,

I've created a certificate using the link you provided in comment 16, but I'm not sure what I have to do next. Can you please provide more details on how to reproduce this issue? Or can you provide another link where I could create a certificate and try to reproduce this issue? I'm willing to perform a regression window, but I'm not sure how to reproduce this issue.

Thanks,
Paul.
(Reporter)

Comment 19

a year ago
After you install the certificate, open this page: https://www.bennish.net/certs/login/
The client certificate selection dialog should appear.

But with Firefox 44.0.2 the situation has changed. Now it is the opposite: The certificate selection is not remembered at all. That is: for each part of the page (like css, images, external JS) it will show the certificate selection dialog. (provided each time the user deselects the "Remember this decision" option)

Ideally, the user would select a client certificate on first access and then that would be used ("remembered") until the user changes his mind ("logs out") - there is an old bug report for that...
Hi David,

I've partially managed to reproduce this on the latest release(44.0.2) and latest Nightly(47.0a1). After creating a certificate using the link from comment 16, I opened the page provided in comment 19, uncheck "Remember this decision" and click "OK". I was logged in, in a new tab, and after I've closed it, I was able to re-log in again without needing to select a certificate. This happens only if you click on the link from comment 19 very quickly from when you close the previous logged in tab. But if you wait about 10-15 seconds before clicking again on the log in link from comment 19, Firefox will ask you to provide a certificate, and again you have the option to check or uncheck the "Remember this decision" check box.

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160303030253

I went back as far as Firefox 5 and it has the same behavior as the latest builds. David, can you please provide a Firefox version where this worked correctly?  I believe Firefox had this behavior from the beginning, therefor this issue does not need a regression window.

Also, Firefox reproduces this issue but only if you manage to re-log in very quickly. If you wait a few seconds before re-logging, this issue is not reproducible anymore. Can you please confirm if you encounter the same behavior? Or if not, can you please provide how Firefox behaves? It may be a case like, in the previous versions, you waited a few seconds before re-logging back in, and now you do it very quickly, therefor noticing this bug.

Thanks,
Paul.
(Reporter)

Comment 21

a year ago
That is strange.
I also went to https://www.bennish.net/certs/ and like you said, repeatedly clicking the login link will not ask for the certificate again, even if the "remember" option was off.

This is weird, because if I load a SSL page that has embedded images and CSS (from the same server), it will ask me to select a certificate for each of them, even if all happens in the same second.
Unfortunately the https://www.bennish.net/certs/login/ page has no such items, so you can't test that there.
Flags: needinfo?(david.balazic)
Hi David,

Could you provide such a link so I can test this on my end as well? Also, did you encounter the same behavior as me when re-log in (https://www.bennish.net/certs/login/) after you wait a few seconds? Could you point to a build that worked correctly? If not, I believe is safe to remove the "regressionwindow-wanted" keyword.

Thanks,
Paul.
Flags: needinfo?(david.balazic)
(Reporter)

Comment 23

a year ago
(In reply to Paul Pasca[:PoollyMcklayn] from comment #22)
> Could you provide such a link so I can test this on my end as well?

No, but in bug 1231406 there is an example of SSL server that can be set up in 5 minutes.
Just add this to the JSP file:


<img src="sss.jpg">
<img src="sss1.jpg">
<img src="sss2.jpg">
<img src="sss3.jpg">
<img src="sss4.jpg">
<img src="sss5.jpg">
<img src="sss6.jpg">
<img src="sss7.jpg">


> Also,
> did you encounter the same behavior as me when re-log in
> (https://www.bennish.net/certs/login/) after you wait a few seconds?
I tried it again and it is very strange. If I refresh the page with F5, it asks me again each time for the certificate selection, but not always. Like 9 times out of ten times it asks for it, but once it does not. Clicking the link on the other hand most of the time does not ask for certificate selection.

So it seems sometimes it asks, sometimes it doesn't.

It is the same with the test case above. There is the HTML document itself and 8 embedded images, so 9 http GET commands in total. I tried to load it and it asks for the the certificate only 6 times instead of 9 times. So something is definitely wrong.

(every time in the dialog I deselect the "Remember this decision" check box)

I'll look for a last working build later...
(Reporter)

Comment 24

a year ago
OOPS!

Sorry, I had the option security.ssl.disable_session_identifiers enabled (see bug 1231406).

Now I cleared it and the status is: as described in the original report

As for the https://www.bennish.net/certs/ site: sometimes I get the dialog after pressing F5, even if I do it quickly several times in succession.

The local setup mentioned above with embedded images: it never asked for the cert again. I pressed F5 and ctrl-F5 many times.

A note for the testcase with tomcat: use this line in server.xml as the specified one uses OpenSSL which has a bug:

<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="want" keystoreFile="keystore.jks" keystorePass="changeit" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="CAs.ssl" truststorePass="changeit"/>

(you'll have to convert the certificate files to the Java JKS format...)
Hi David,

I'm unable to set up a SSL server at the moment, but I will mark this issue as New, since is still reproducible on the latest Firefox versions. As previously mentioned in comment 20, I was not able to find a Firefox version on which this worked correctly. When you have time, can you please provide a good version so I can perform a regression on this issue? If not, at least we can remove the "regressionwindow-wanted" keyword.

Thanks,
Paul.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(david.balazic)
Component: Security: UI → Security: PSM
Whiteboard: [psm-backlog]
Keywords: regression, regressionwindow-wanted
Priority: -- → P3
Whiteboard: [psm-backlog] → [psm-clientauth]
You need to log in before you can comment on or make changes to this bug.