Open
Bug 1091857
Opened 11 years ago
Updated 2 years ago
Firefox does not show certificate selection dialog after installing new certificate
Categories
(Core :: Security: PSM, defect, P5)
UNCONFIRMED
People
(Reporter: ben, Unassigned)
Details
(Whiteboard: [psm-clientauth])
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303
Steps to reproduce:
On Firefox/33: the user visits a site without any TLS client credentials; TLS client authentication is optional on this site.
In order for the user to register, they must first generate some credentials:
1. Generate a private key using the <keygen> element
2. Server-side, the resulting SPKAC is used to create a new certificate for client authentication
3. The user is presented with a simple form with a button to install the new certificate
4. The certificate is installed correctly
5. Continue using the site, expecting to use the newly generated credentials
Actual results:
Firefox does not ask the user if they wish to use the newly installed certificate. Subsequent requests do not use any TLS client credentials.
The user must restart their browser in order to select the newly created certificate.
This behavior makes sense from a technical point of view: i.e. the same TLS session is used; client authentication is optional; there is no renegotiation.
Expected results:
Firefox should show the certificate selection dialog so that the user can select their new certificate. Chrome implements this behavior and works as desired in the scenario mentioned above.
The same behavior should probably also apply if the client *did* use a certificate initially, so that a site can e.g. reissue/update an existing certificate. (However, I have not tested if Chrome supports this as well.)
Note that before Firefox 33 a work-around existed: by calling crypto.logout() the client could be triggered to (re)select a certificate. However, the behavior of crypto.logout() itself (i.e., logging out *all* TLS sessions) is definitely not a desired side-effect.
Comment 1•9 years ago
Does it work as expected if you use "History" -> "Clear Recent History..." -> "Active Logins"?
Flags: needinfo?(ben)
Comment 2•9 years ago
I just tried what keeler suggested, and that does indeed prompt me for a certificate - again (I first selected one, successfully, then cleared active logins, and refreshed).
Any suggestions on a way to do this programmatically? Or perhaps try to mimic what Chrome does?
Comment 3•9 years ago
I can imagine that clicking the 'Lock' / 'Key' icon in the URL bar (where one can get info about a TLS connection / cert) may be the right place to put TLS authentication management.
Updated•9 years ago
Flags: needinfo?(ben)
Priority: -- → P5
Whiteboard: [psm-clientauth]
Updated•3 years ago
Severity: normal → S3