Open Bug 1220129 Opened 9 years ago Updated 1 year ago

old client certificate used after it expired despite newer one added (ssl_error_expired_cert_alert after)

Categories

(Core :: Security: PSM, defect, P5)

41 Branch
defect


UNCONFIRMED

People

(Reporter: michael-dev, Unassigned)

Details

(Whiteboard: [psm-clientauth])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151015173334

Steps to reproduce:

1. Create a client certificate using html5 keygen and downloading cert from server (firefox automatically imports it when viewing it in iframe)
2. Use the cert and check "Remember this decision" (it is the only client certificate selectable)
3. Renew the client certificate (same public key, same subject, same issuer) and import that into the browser (firefox automatically imports it when viewing it in iframe)
4. Now you have two almost identical certs listed as personal cert in firefox
5. wait for the original cert to expire (the renewed is valid)

Actual results:

6. When connecting to the site, "ssl_error_expired_cert_alert" pops up

Expected results:

I want client certificate renewal to be seamless for the user. So either of the following would work:
a) Firefox should replace the original cert with the renewed one
b) When ssl_error_expired_cert_alert is hit when using a client certificate due to "remember this decision", and there are other client certificates available, let the user choose again.
c) avoid using an expired client certificate due to "remember this decision"

Workaround: delete expired certificate from list of personal certificates, and it works again. But users need to know about this.
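The expected results (a) to (c) above describe a client-certificate selection policy: never offer a remembered certificate that is outside its validity window, prefer a valid renewal with the same subject and issuer, and otherwise fall back to prompting the user. The following added example (not Firefox or NSS code, and not from the reporter) models that policy over certificate metadata; the `ClientCert` dataclass, the nicknames "old"/"new", the constructed validity dates and the reason strings are all assumptions made for illustration, standing in for parsed X.509 fields.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    """Minimal stand-in for a personal certificate's metadata (hypothetical type)."""
    nickname: str
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def is_valid_at(self, now: datetime) -> bool:
        # A certificate is usable only inside its notBefore..notAfter window.
        return self.not_before <= now <= self.not_after


def candidates_for_prompt(certs: List[ClientCert], now: datetime) -> List[str]:
    """Nicknames a selection dialog should offer: expired certs are filtered out (result c)."""
    return [c.nickname for c in certs if c.is_valid_at(now)]


def select_client_cert(
    certs: List[ClientCert], remembered_nickname: Optional[str], now: datetime
) -> Tuple[Optional[ClientCert], str]:
    """Apply the 'remember this decision' policy without ever returning an expired cert.

    Returns (cert, reason); cert is None when the user must be prompted or nothing fits.
    """
    remembered = next((c for c in certs if c.nickname == remembered_nickname), None)
    if remembered is not None and remembered.is_valid_at(now):
        return remembered, "remembered"          # remembered choice still valid: honour it

    if remembered is not None:
        # Remembered cert expired: treat a valid cert with the same subject and issuer
        # as its renewal and use the one that stays valid longest (result a).
        renewals = [
            c for c in certs
            if c.is_valid_at(now) and c.subject == remembered.subject and c.issuer == remembered.issuer
        ]
        if renewals:
            return max(renewals, key=lambda c: c.not_after), "renewed"

    if candidates_for_prompt(certs, now):
        return None, "prompt"                    # other valid certs exist: ask again (result b)
    return None, "none"                          # nothing valid: no client auth possible


# Constructed sample data: an expired original and its renewal, same subject and issuer.
OLD_CERT = ClientCert("old", "CN=alice", "CN=Example CA",
                      datetime(2014, 12, 1, tzinfo=timezone.utc),
                      datetime(2015, 12, 1, tzinfo=timezone.utc))
NEW_CERT = ClientCert("new", "CN=alice", "CN=Example CA",
                      datetime(2015, 11, 1, tzinfo=timezone.utc),
                      datetime(2016, 11, 1, tzinfo=timezone.utc))
SAMPLE_CERTS = [OLD_CERT, NEW_CERT]

BEFORE_EXPIRY = datetime(2015, 6, 1, tzinfo=timezone.utc)   # only the old cert exists and is valid
AFTER_EXPIRY = datetime(2016, 1, 1, tzinfo=timezone.utc)    # old cert expired, renewal valid

if __name__ == "__main__":
    for when in (BEFORE_EXPIRY, AFTER_EXPIRY):
        cert, reason = select_client_cert(SAMPLE_CERTS, "old", when)
        print(when.date(), reason, cert.nickname if cert else None)
```

Run with a remembered decision for "old": before expiry the remembered certificate is used; after expiry the policy silently switches to "new" instead of sending the expired certificate and hitting ssl_error_expired_cert_alert, which is the seamless renewal the report asks for. Removing "new" from the list after expiry yields a "prompt" result only if some other valid certificate remains, otherwise "none".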
Component: Untriaged → Security: UI
Product: Firefox → Core
Summary: ssl_error_expired_cert_alert after renewing client certificate → old client certificate used after it expired despite newer one added (ssl_error_expired_cert_alert after)
Did you restart the browser at all in this process? If so, did the client auth certificate dialog appear when you connected to the site again? Were both certificates available in the dialog?
Flags: needinfo?(michael-dev)
I suppose the issue could be that the client certificate expired while Firefox was running, and thus it started to fail on subsequent connections.
Component: Security: UI → Security: PSM
Priority: -- → P5
Whiteboard: [psm-clientauth]
Flags: needinfo?(michael-dev)
Priority: P5 → --
Nope, that was with Firefox restarting, so bad luck. Though, I'm sad that you did not bother to find out yourself given that there were instructions to reproduce. Actually, this is not easy to reproduce without restarting because the cert is not revalidated for as long as the SSL session continues.
Priority: -- → P5

Anything new on this?

That problem has existed for 6 years and not everyone wants to delete his old keys/certificates.

Severity: normal → S3

This problem persists with the Authority Decisions feature. The user has to go into the Authority Decisions window and remove the authority decision concerning the expired certificate. After that Firefox will prompt for a certificate again and the user will be able to select the new certificate.

I confirm that the problem persists after restarts (and reboots).

Firefox should not use expired certificates at all and prompt the user.

In my opinion, the Authority Decisions feature should be dropped completely. Almost no user will be able to find the window and tab and know what to do there. For those users who do know how it works, it is still a nuisance.

Duplicate of this bug: 1802499