Closed
Bug 1231406
Opened 9 years ago
Closed 9 years ago
two way SSL loses client certificate after a few requests
Categories
(Core :: Security: PSM, defect)
RESOLVED
INVALID
People
(Reporter: david.balazic, Unassigned)
Details
(Whiteboard: not a Firefox bug - see workaround in comment 2)
When using two way SSL (client certificate), the server does not "see" the client certificate after a while. That is:
- the certificate is OK on first request
- it is OK for a few subsequent requests
- with FF v40, 30 seconds after the first request all following requests are missing the client certificate
- with FF v42, the problem occurs only if there are no requests made for at least 60 seconds (a request made after this inactivity will be missing the client certificate); additionally: if waiting about 5 minutes and then making another request, it will work again correctly
It seems to be some kind of timeout issue?
Other browsers:
- IE: no problem
- Chrome: same as FF
Problem first reported to Tomcat, their answer: I'd like to confirm whether the browser or Tomcat is causing this problem... my suspicion is that it's the browser.
I couldn't get Wireshark to decode the SSL capture.
Also see the Tomcat report for more info, like a repeatable test case in comment #1:
https://bz.apache.org/bugzilla/show_bug.cgi?id=58244
Updated•9 years ago
Component: General → Networking
Product: Firefox → Core
Updated•9 years ago
Component: Networking → Security: PSM
Comment 1•9 years ago
(In reply to David Balažic from comment #0)
> I couldn't get Wireshark to decode the SSL capture.
You can run Firefox with the environment variable SSLKEYLOGFILE set to some destination (e.g. /tmp/keylogfile). Then, in Wireshark go to Edit -> Preferences -> Protocols -> SSL and set "(Pre)-Master-Secret log filename" to the same file.
Flags: needinfo?(david.balazic)
Reporter
Comment 2•9 years ago
As written in the linked Tomcat bug (comment 14), the root cause is a bug in OpenSSL where it does not correctly store the client certificate chain when using session tickets.
So this bug can be closed, except maybe mentioning a workaround when using Firefox:
disable use of session tickets by setting the (hidden, must add it manually) setting security.ssl.disable_session_identifiers to true
(this allegedly slows down all SSL/TLS traffic; is there a way to set it only for a certain web site?)
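The failure mode described in this thread, checked in code: an added example (not from the bug report, Firefox, Tomcat or OpenSSL) in Go that makes several client-authenticated TLS connections through one session cache and asks the server whether it still sees the client certificate on the resumed ones. It runs against Go's own TLS stack with throwaway in-process certificates, so it checks that stack rather than reproducing the OpenSSL defect; the function names, the loopback address and the "localhost" server name are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)
// selfSigned builds a throwaway in-memory certificate for "localhost" (constructed for this example).
func selfSigned() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// CheckResumption makes n mutually authenticated connections to an in-process server through one client
// session cache, so connections after the first resume, and returns the server's view of each handshake.
func CheckResumption(n int) ([]tls.ConnectionState, error) {
	srvCert, cliCert := selfSigned(), selfSigned()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAnyClientCert})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	states := make(chan tls.ConnectionState, n)
	go func() { // server side: Write runs the handshake and sends one byte of application data
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte{0})
			states <- c.(*tls.Conn).ConnectionState() // DidResume and PeerCertificates are what we check
			c.Close()
		}
	}()
	cliCfg := &tls.Config{Certificates: []tls.Certificate{cliCert}, ServerName: "localhost",
		RootCAs: x509.NewCertPool(), ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	cliCfg.RootCAs.AddCert(srvCert.Leaf) // trust only the in-process server certificate
	out := make([]tls.ConnectionState, n)
	for i := range out {
		c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
		if err != nil {
			return nil, err
		}
		c.Read(make([]byte, 1)) // also consumes the NewSessionTicket queued ahead of the byte
		c.Close()
		out[i] = <-states
	}
	return out, nil
}
```

A stack affected by the bug in comment 2 would show DidResume true but an empty PeerCertificates on the second and later connections.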
Comment 3•9 years ago
Ok - thanks for the information. (Making INVALID as in "not a Firefox bug".)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(david.balazic)
Resolution: --- → INVALID
Whiteboard: not a Firefox bug - see workaround in comment 2
Comment 4•9 years ago
(In reply to David Balažic from comment #2)
> disable use of session tickets by setting the (hidden, must add it manually)
> setting security.ssl.disable_session_identifiers to true
> (this allegedly slows down all SSL/TLS traffic; is there a way to set it
> only for a certain web site?)
Unfortunately, this isn't supported functionality at the moment.
Updated•5 years ago
status-firefox71:
--- → affected
Updated•5 years ago
status-firefox71:
affected → ---