Closed Bug 1231406 Opened 9 years ago Closed 8 years ago

two way SSL loses client certificate after a few requests

Product/Component: Core :: Security: PSM
Version: 42 Branch
Hardware/OS: Unspecified, Windows
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
Reporter: david.balazic (Unassigned)
Whiteboard: not a Firefox bug - see workaround in comment 2

When using two way SSL (client certificate), the server does not "see" the client certificate after a while. That is:
 - the certificate is OK on first request
 - it is OK for a few subsequent requests
 - with FF v40, 30 seconds after the first request all following requests are missing the client certificate
 - with FF v42, the problem occurs only if there are no requests made for at least 60 seconds (a request made after this inactivity will be missing the client certificate); additionally: if waiting about 5 minutes and then making another request, it will work again correctly

It seems to be some kind of timeout issue?

Other browsers:
 - IE: no problem
 - Chrome: same as FF

Problem first reported to Tomcat, their answer: I'd like to confirm whether the browser or Tomcat is causing this problem... my suspicion is that it's the browser.

I couldn't get Wireshark to decode the SSL capture.

Also see the Tomcat report for more info, like a repeatable test case in comment #1:

https://bz.apache.org/bugzilla/show_bug.cgi?id=58244
Component: General → Networking
Product: Firefox → Core
Component: Networking → Security: PSM
(In reply to David Balažic from comment #0)
> I couldn't get WireShark to decode the SSL capture.

You can run Firefox with the environment variable SSLKEYLOGFILE set to some destination (e.g. /tmp/keylogfile). Then, in Wireshark go to Edit -> Preferences -> Protocols -> SSL and set "(Pre)-Master-Secret log filename" to the same file.
Flags: needinfo?(david.balazic)
As written in the linked Tomcat bug (comment 14), the root cause is a bug in OpenSSL where it does not correctly store the client certificate chain when using session tickets.

So this bug can be closed, except maybe mentioning a workaround when using Firefox:
disable use of session tickets by setting the (hidden, must add it manually) setting security.ssl.disable_session_identifiers to true
(this allegedly slows down all SSL/TLS traffic; is there a way to set it only for a certain web site?)
Ok - thanks for the information. (Making INVALID as in "not a Firefox bug".)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(david.balazic)
Resolution: --- → INVALID
Whiteboard: not a Firefox bug - see workaround in comment 2
(In reply to David Balažic from comment #2)
> disable use of session tickets by setting the (hidden, must add it manually)
> setting security.ssl.disable_session_identifiers to true
> (this allegedly slows down all SSL/TLS traffic; is there a way to set it
> only for a certain web site?)

Unfortunately, this isn't supported functionality at the moment.