Closed Bug 124187 Opened 23 years ago Closed 16 years ago

Client auth required on every page with blank password.

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch
x86
Windows 2000
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: john.peacock, Unassigned)

Details

(Whiteboard: [kerh-coz])

When "Client Certificate Selection" is set to "Ask every time" the select dialog comes up on every page (i.e. the authentication is NOT cached) when hitting a site that requires a client certificate. If bug 91495 (http://bugzilla.mozilla.org/show_bug.cgi?id=91495) were completed, I wouldn't need to use "Ask every time" at all (I have multiple client certs for app testing). I can provide server log files from Deerfield's WebSite showing the multiple sessions being created; I have also confirmed that this bug also happens with sxnet.Thawte.com (which is likely running: Apache/1.3.9 (Unix) Debian/GNU PyApache/4.19 mod_ssl/2.4.10 OpenSSL/0.9.4 AuthMySQL/2.20). Tested with Mozilla 0.9.8+ and 0.9.7+
Not confirming. I don't have to re-authenticate at every page on websites requiring client auth.
Priority: -- → P3
Target Milestone: --- → Future
I can provide a certificate and site to test; it may be subtly related to the firewall we use, but it *never* happens in 4.7x and it *always* happens with 6.x (and recent Mozillas).
Confirming. I have the cert from the reporter and I am constantly asked to present a cert visiting various links in the web site. This only occurs if the password is blank. The workaround is to set up a master password.
Severity: major → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Client Cert requires authentication on every page → Client auth required on every page with blank password.
cc kaie
Keywords: nsbeta1
Blocks: clientauth
Keywords: nsbeta1 → nsbeta1+
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Mass change "Future" target milestone to "--" on bugs that now are assigned to nobody. Those targets reflected the prioritization of past PSM management. Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Product: PSM → Core
Whiteboard: [kerh-coz]
QA Contact: junruh → ui
Version: psm2.2 → 1.0 Branch
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Any of WONTFIX, WORKSFORME or INVALID is an acceptable resolution for this bug. The problem is due to a misconfigured server. The server requests client authentication but has its server session cache either disabled or set to a WAY too short timeout time. That is why this problem is seen only on a very few servers, and not on the majority of servers that use client auth. The "fix" for this bug is a server configuration change, not a browser change.
Product: Core → Core Graveyard
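
The closing comment attributes the repeated prompts to a server that does not resume TLS sessions. As an added example (not part of the bug report or of Mozilla's code), this script classifies the output of `openssl s_client -reconnect` to check that claim against a given server; the function names and the sample output are constructed for illustration, and HOST and the CLIENT.* files are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report): decide from the output of
#   openssl s_client -connect HOST:443 -cert CLIENT.pem -key CLIENT.key -reconnect </dev/null
# whether a server resumes TLS sessions. s_client prints one "New, ..." line per
# full handshake and one "Reused, ..." line per resumed session; -reconnect
# reconnects five times using the same session.

# Print "<full> <resumed>" handshake counts for s_client output read on stdin.
count_handshakes() {
    awk '/^New, /    { full++ }
         /^Reused, / { resumed++ }
         END         { printf "%d %d\n", full, resumed }'
}

# Print a one-word verdict for s_client output read on stdin.
resumption_verdict() (
    set -- $(count_handshakes)
    full=$1 resumed=$2
    if [ $((full + resumed)) -eq 0 ]; then
        echo no-handshake      # connection or handshake failed
    elif [ "$resumed" -eq 0 ] && [ "$full" -gt 1 ]; then
        echo never-resumed     # every reconnect was a full handshake
    elif [ "$resumed" -eq 0 ]; then
        echo inconclusive      # only one handshake seen, nothing to compare
    elif [ "$full" -gt 1 ]; then
        echo partly-resumed    # some reconnects fell back to a full handshake
    else
        echo resumed           # one full handshake, the rest resumed
    fi
)

# Constructed sample output: a server that never resumes (six full handshakes).
sample_no_cache() {
    for i in 1 2 3 4 5 6; do
        echo "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256"
    done
}

# Constructed sample output: a server with a working session cache.
sample_cached() {
    echo "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256"
    for i in 1 2 3 4 5; do
        echo "Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256"
    done
}

echo "no cache: $(sample_no_cache | resumption_verdict)"
echo "cached:   $(sample_cached | resumption_verdict)"
```

A `never-resumed` verdict matches the server behaviour the closing comment describes: each request is a full handshake, so a client set to "Ask every time" has to select a certificate again.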