Closed Bug 1184411 Opened 6 years ago Closed 5 years ago

SSL client certificate 'Remember this decision' box doesn't remember decision

Categories

(Core :: Security, defect)

41 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 634697

People

(Reporter: okdana+bugzilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20150715095519

Steps to reproduce:

I'm sorry if this is a duplicate; I found several tickets related to this functionality (e.g., #511384, #523336), but none of them seem to describe my particular issue.

At my company we are starting to roll out client-certificate auth across a number of internal Web servers. The actual authentication works fine, but the certificate prompt dialogue ('This site has requested that you identify yourself with a certificate') does not seem to. Specifically, despite ticking 'Remember this decision' and pressing OK to use the certificate, I am repeatedly prompted to make the decision again.

Each time I restart Firefox (I'm not sure if other things cause it to 'forget', but restarting always does), I am forced to re-select the certificate for every single individual server I come into contact with. I say 'come into contact' because I don't have to actually visit it — Firefox prompts for authentication seemingly any time it wants to request something from the site, including when refreshing thumbnails on the New Tab page and maybe (not sure) when hovering over or auto-completing URLs in the address bar.

Given that I have to work with a dozen such sites (and counting), and that my normal duties involve browser testing (so I restart a lot), you can imagine that it is beyond irritating to get the prompts over and over and over like that.

1. Set up Web server with client-certificate auth support
2. Generate client certificate and load into Firefox
3. Visit site, get prompt, say OK and remember
4. Restart browser
5. Prompted again


Actual results:

Firefox re-prompts for the certificate for each server after each browser restart


Expected results:

Firefox should remember my selection as long as:

(a) the certificate I chose is still installed, and

(b) the identity information in the server's own certificate matches what it was when I made the selection.


Some extra details about my circumstances:

1. This issue has persisted across several Firefox versions.

2. I only have a single client certificate installed into Firefox, which is valid for all of the servers in question.

3. All of the servers are running Apache 2.2 or 2.4 on Ubuntu 12.04 or 14.04 (respectively).

4. All of the servers have their own self-signed root certificates and their SSL certificates are signed by their respective CAs. All of those CAs are trusted by the browser.

5. Due to some hacky silliness, all of the servers' SSL certificates have the same common name (but different subject DNs, and obviously different fingerprints). I thought that maybe Firefox might be 'remembering' the settings based on the common name alone, but if that were the case it seems like the prompts should occur each time I switch between servers, not just when I restart the browser.

Same behaviour on Windows (7; x64) and Linux (Mint 17.2; x64).

While I have seen some tickets relating to client certificate enhancements in the pipeline (bug 511384), this is something I'd like to see addressed sooner, in the way that this bug requests.

Additionally, a "forget client certificate" option could/should be presented, in the event that application authorization is determined by the certificate (or just ignore selected certificates in private windows). This allows change of role (e.g. user vs. superuser) without a browser restart.
[testday-20150904]
Component: Untriaged → General
Product: Firefox → Core
Component: General → Security
Thanks for the report. Looks like this is already filed as Bug 634697.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 634697