Bug 1074195 - "Remember this decision" option in "User Identification Request" (client-side cert authentication) dialog does not work
Status: NEW
[psm-clientauth]
Product: Core
Classification: Components
Component: Security: PSM
: 32 Branch
: x86_64 Windows 7
: P3 normal
Assigned To: Nobody; OK to take it and work on it
: David Keeler [:keeler]
Blocks: clientauth

Reported: 2014-09-29 07:22 PDT by David Balažic
Modified: 2016-07-28 16:09 PDT


Attachments
userIdentificationRequest.png (69.20 KB, image/png)
2015-02-03 08:16 PST, Penelope Fudd

Description David Balažic 2014-09-29 07:22:59 PDT
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

Visit an HTTPS site that requires a client certificate.
Select the certificate from the list in the "User Identification Request", uncheck the "Remember this decision" option.
Visit another URL with the same hostname.


Actual results:

Page loads with no prompt.


Expected results:

The second URL should ask for the certificate to be selected again, as "Remember this decision" was not selected.


Basically, regardless of the checkbox state of the "Remember this decision" option, the choice is always remembered.

This used to work in older versions.
Comment 1 Penelope Fudd 2015-02-03 08:15:35 PST
I want Firefox to remember to use my hardware token certificate, but it's not remembering, and instead giving me the same dialog box every time I restart the browser and go to the protected page.
Comment 2 Penelope Fudd 2015-02-03 08:16:32 PST
Created attachment 8558569
userIdentificationRequest.png

Screenshot of the bane of my existence.
Comment 3 :Gijs 2015-02-03 09:06:37 PST
(In reply to Penelope Fudd from comment #2)
> Created attachment 8558569 [details]
> userIdentificationRequest.png
> 
> Screenshot of the bane of my existence.

Can either you or David run mozregression ( http://mozilla.github.io/mozregression/ ) to figure out when this broke?

(I normally help do this kind of thing myself, but I don't have a setup involving client-side certs, so it's difficult to do this myself without spending several days trying to get this kind of thing set up)

Also CC'ing :keeler and :bsmith in case they have ideas about why/when this broke...
Comment 4 Penelope Fudd 2015-02-03 21:14:19 PST
Do you know how to get mozregression to preload a personal certificate and run firefox twice?
Comment 5 :Gijs 2015-02-04 01:41:56 PST
(In reply to Penelope Fudd from comment #4)
> Do you know how to get mozregression to preload a personal certificate and
> run firefox twice?

You can specify a Firefox profile directory/path to use with the --profile option.

I'd recommend creating a new profile for testing (so that your testing doesn't mess with your main Firefox profile) using steps from https://support.mozilla.org/kb/profile-manager-create-and-remove-firefox-profiles . You can find out its path by going to "about:support" (Help > Troubleshooting Information) and clicking the button next to "Profile Folder".

Thanks for helping!
Comment 6 David Balažic 2015-02-04 03:15:23 PST
It never did that (AFAIK) and is not designed to work that way.
This is unrelated to this bug.
Comment 7 David Balažic 2015-02-04 03:16:21 PST
(In reply to Penelope Fudd from comment #1)
> I want Firefox to remember to use my hardware token certificate, but it's
> not remembering, and instead giving me the same dialog box every time I
> restart the browser and go to the protected page.

The above comment #6 was meant as a reply to comment #1; somehow it was misquoted... sorry for the spam
Comment 8 Penelope Fudd 2015-02-04 07:10:05 PST
You mean firefox has never remembered the decision to use the hardware token, even though it's got a checkbox for it?

This problem also happens when I use a certificate.  If it wasn't designed to do that either, then I'm at a loss for what it was designed to do.  It's as if the checkbox did nothing.
Comment 9 David Balažic 2015-02-09 04:17:02 PST
It remembers the choice for the duration of the session. If you exit and restart Firefox, it will ask again.
It remembers until you close Firefox.
That is how it works (or worked) for "software" certificates, I don't use hardware tokens, so can't say how it worked with them.
Comment 10 Ryan VanderMeulen [:RyanVM] 2015-10-09 08:30:47 PDT
David, did you ever have any luck reproducing this with mozregression? Is this bug still affecting you with newer versions?
Comment 11 David Balažic 2015-10-12 04:36:07 PDT
It is still the same with 41.0.1 (tried with a fresh profile).
Did not do the mozregression thing yet.
Comment 12 Ryan VanderMeulen [:RyanVM] 2015-11-17 14:28:06 PST
Thanks for the reply. Given the difficulty in reproducing the issue, getting a good regression range is probably the best chance we have of tracking down the problem here. I appreciate your willingness to help :)
Comment 13 Ryan VanderMeulen [:RyanVM] 2015-12-18 12:26:16 PST
Hi David, we're still interested in a regression range here if you're able to hunt it down. Let me know if you need any assistance with getting mozregression working and I'd be happy to help.
Comment 14 YF (Yang) 2016-01-14 15:37:17 PST
WFM on Fx41.0 with https://www.bennish.net/certs/: it re-prompts for the certificate when I press Ctrl+F5 to reload the page (https://www.bennish.net/certs/login/), although it is not a second URL. However, it seems to forcibly remember the cancellation: I got "Access Denied!" once I cancelled it, and Ctrl+F5 does not purge the cache.
Comment 15 David Balažic 2016-01-15 04:39:28 PST
It seems the selection is remembered for the length of the SSL session?
No matter what URL I open on the same site, it does not ask again for the certificate.

ctrl-F5 on the other hand asks for it.

Client certificate handling is chaotic anyway, what happened to the project aiming to improve it? (that is bug 511384 )
Comment 16 David Balažic 2016-01-15 07:29:54 PST
(In reply to :Gijs Kruitbosch from comment #3)
> (I normally help do this kind of thing myself, but I don't have a setup
> involving client-side certs, so it's difficult to do this myself without
> spending several days trying to get this kind of thing set up)

The mentioned URL can be used for testing. You can also get a certificate there: https://www.bennish.net/certs/
Comment 17 :Gijs 2016-01-15 07:34:08 PST
Can you try using mozregression ( http://mozilla.github.io/mozregression/ ) to narrow down how this broke? At the moment I do not have time to do this for you.
Comment 18 Paul Pasca[Away. Please needinfo? Paul Oiegas [:pauloiegasSV]] 2016-03-01 06:39:41 PST
Hi David,

I've created a certificate using the link you provided in comment 16, but I'm not sure what I have to do next. Can you please provide more details on how to reproduce this issue? Or can you provide another link where I could create a certificate and try to reproduce this issue? I'm willing to perform a regression window, but I'm not sure how to reproduce this issue.

Thanks,
Paul.
Comment 19 David Balažic 2016-03-03 03:47:05 PST
After you install the certificate, open this page: https://www.bennish.net/certs/login/
The client certificate selection dialog should appear.

But with Firefox 44.0.2 the situation has changed. Now it is the opposite: The certificate selection is not remembered at all. That is: for each part of the page (like css, images, external JS) it will show the certificate selection dialog. (provided each time the user deselects the "Remember this decision" option)

Ideally, the user would select a client certificate on first access and then that would be used ("remembered") until the user changes his mind ("logs out") - there is an old bug report for that...
Comment 20 Paul Pasca[Away. Please needinfo? Paul Oiegas [:pauloiegasSV]] 2016-03-04 07:15:55 PST
Hi David,

I've partially managed to reproduce this on the latest release (44.0.2) and latest Nightly (47.0a1). After creating a certificate using the link from comment 16, I opened the page provided in comment 19, unchecked "Remember this decision" and clicked "OK". I was logged in, in a new tab, and after I closed it, I was able to re-log in again without needing to select a certificate. This happens only if you click on the link from comment 19 very quickly after you close the previous logged-in tab. But if you wait about 10-15 seconds before clicking again on the log in link from comment 19, Firefox will ask you to provide a certificate, and again you have the option to check or uncheck the "Remember this decision" check box.

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160303030253

I went back as far as Firefox 5 and it has the same behavior as the latest builds. David, can you please provide a Firefox version where this worked correctly?  I believe Firefox had this behavior from the beginning, therefore this issue does not need a regression window.

Also, Firefox reproduces this issue but only if you manage to re-log in very quickly. If you wait a few seconds before re-logging, this issue is not reproducible anymore. Can you please confirm if you encounter the same behavior? Or if not, can you please provide how Firefox behaves? It may be a case like, in the previous versions, you waited a few seconds before re-logging back in, and now you do it very quickly, therefore noticing this bug.

Thanks,
Paul.
Comment 21 David Balažic 2016-03-04 07:39:23 PST
That is strange.
I also went to https://www.bennish.net/certs/ and like you said, repeatedly clicking the login link will not ask for the certificate again, even if the "remember" option was off.

This is weird, because if I load an SSL page that has embedded images and CSS (from the same server), it will ask me to select a certificate for each of them, even if all happens in the same second.
Unfortunately the https://www.bennish.net/certs/login/ page has no such items, so you can't test that there.
Comment 22 Paul Pasca[Away. Please needinfo? Paul Oiegas [:pauloiegasSV]] 2016-03-07 02:39:23 PST
Hi David,

Could you provide such a link so I can test this on my end as well? Also, did you encounter the same behavior as me when re-logging in (https://www.bennish.net/certs/login/) after you wait a few seconds? Could you point to a build that worked correctly? If not, I believe it is safe to remove the "regressionwindow-wanted" keyword.

Thanks,
Paul.
Comment 23 David Balažic 2016-03-07 05:11:52 PST
(In reply to Paul Pasca[:PoollyMcklayn] from comment #22)
> Could you provide such a link so I can test this on my end as well?

No, but in bug 1231406 there is an example of an SSL server that can be set up in 5 minutes.
Just add this to the JSP file:


<img src="sss.jpg">
<img src="sss1.jpg">
<img src="sss2.jpg">
<img src="sss3.jpg">
<img src="sss4.jpg">
<img src="sss5.jpg">
<img src="sss6.jpg">
<img src="sss7.jpg">


> Also,
> did you encounter the same behavior as me when re-log in
> (https://www.bennish.net/certs/login/) after you wait a few seconds?
I tried it again and it is very strange. If I refresh the page with F5, it asks me again each time for the certificate selection, but not always. Like 9 times out of ten times it asks for it, but once it does not. Clicking the link on the other hand most of the time does not ask for certificate selection.

So it seems sometimes it asks, sometimes it doesn't.

It is the same with the test case above. There is the HTML document itself and 8 embedded images, so 9 HTTP GET commands in total. I tried to load it and it asks for the certificate only 6 times instead of 9 times. So something is definitely wrong.

(every time in the dialog I deselect the "Remember this decision" check box)

I'll look for a last working build later...
Comment 24 David Balažic 2016-03-07 05:49:37 PST
OOPS!

Sorry, I had the option security.ssl.disable_session_identifiers enabled (see bug 1231406).

Now I cleared it and the status is: as described in the original report

As for the https://www.bennish.net/certs/ site: sometimes I get the dialog after pressing F5, even if I do it quickly several times in succession.

The local setup mentioned above with embedded images: it never asked for the cert again. I pressed F5 and ctrl-F5 many times.

A note for the testcase with tomcat: use this line in server.xml as the specified one uses OpenSSL which has a bug:

<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="want" keystoreFile="keystore.jks" keystorePass="changeit" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" truststoreFile="CAs.ssl" truststorePass="changeit"/>

(you'll have to convert the certificate files to the Java JKS format...)
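
A diagnostic server for the test case discussed in comments 15 to 24, added here as an example; it is not part of the bug report and is not Mozilla or Tomcat code. It serves a page with eight same-origin images and logs, for each GET, whether the TLS handshake was full or resumed and which client certificate was presented. The PEM file names are placeholders and the 127.0.0.1:8443 binding is an assumption.

```python
import http.server
import ssl

def build_page(n_images=8):
    """Document plus n same-origin images: 1 + n GETs, as in the thread's test case."""
    names = ["sss.jpg"] + ["sss%d.jpg" % i for i in range(1, n_images)]
    return "<html><body>\n%s\n</body></html>\n" % "\n".join(
        '<img src="%s">' % name for name in names)

def describe(path, reused, peer_cert):
    """One log line per request: full or resumed handshake, and who authenticated."""
    handshake = "resumed" if reused else "full"
    if peer_cert:  # getpeercert() gives None when the client sent no certificate
        subject = dict(rdn[0] for rdn in peer_cert.get("subject", ()))
        who = subject.get("commonName", "unnamed")
    else:
        who = "none"
    return "%s handshake=%s client_cert=%s" % (path, handshake, who)

class Handler(http.server.BaseHTTPRequestHandler):
    # Default HTTP/1.0: the connection closes after each response, so every GET
    # arrives on its own TLS connection.
    def do_GET(self):
        tls = self.connection
        print(describe(self.path, tls.session_reused, tls.getpeercert()), flush=True)
        is_page = self.path == "/"
        body = build_page().encode() if is_page else b""
        self.send_response(200)
        self.send_header("Content-Type", "text/html" if is_page else "image/jpeg")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def make_context(server_cert, server_key, client_ca):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(client_ca)
    ctx.verify_mode = ssl.CERT_OPTIONAL  # request a client cert without requiring it
    return ctx

if __name__ == "__main__":
    # Placeholder file names (assumptions): PEM server cert/key and the client CA.
    ctx = make_context("server.pem", "server.key", "clients-ca.pem")
    httpd = http.server.HTTPServer(("127.0.0.1", 8443), Handler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

Comparing the log lines with the number of certificate dialogs shown by the browser tells you whether a missing prompt coincides with a resumed session.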
Comment 25 Paul Pasca[Away. Please needinfo? Paul Oiegas [:pauloiegasSV]] 2016-03-08 06:54:16 PST
Hi David,

I'm unable to set up an SSL server at the moment, but I will mark this issue as New, since it is still reproducible on the latest Firefox versions. As previously mentioned in comment 20, I was not able to find a Firefox version on which this worked correctly. When you have time, can you please provide a good version so I can perform a regression on this issue? If not, at least we can remove the "regressionwindow-wanted" keyword.

Thanks,
Paul.
