Open Bug 1255049 Opened 9 years ago Updated 3 years ago

server requests client certificate, firefox reports unhelpful SSL_ERROR_BAD_CERT_ALERT

Categories

(Firefox :: Security, defect, P3)

Unspecified
Windows 7
defect

People

(Reporter: arvo.sulakatko, Unassigned)

Details

(Whiteboard: [fxprivacy])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.11 Safari/537.36

Steps to reproduce:
Open https://minuenergia.ee:444/
Observe error SSL_ERROR_BAD_CERT_ALERT, without helpful, developer-friendly steps to fix the issue.

Actual results:
Firefox reports:
Secure Connection Failed
An error occurred during a connection to minuenergia.ee:444. SSL peer cannot verify your certificate. Error code: SSL_ERROR_BAD_CERT_ALERT
Meanwhile, Internet Explorer and Chrome continue to select a client certificate and establish the connection as expected.

Expected results:
Browser to continue to select a client certificate and to establish the connection as expected. Or the actual reason for the error so it can be fixed.
as per https://groups.google.com/forum/#!msg/mozilla.dev.tech.crypto/EbWse7Ryj8I/mgNRW4yGAwU setting "security.tls.insecure_fallback_hosts" to minuenergia.ee would not make the error message any more useful
OS: Unspecified → Windows 7
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport lists CN = COMODO RSA Certification Authority with SHA-1 fingerprint AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4, while the CA seems to be using CN = COMODO RSA Certification Authority with SHA-1 fingerprint f5 ad 0b cc 1a d5 6c d1 50 72 5b 1c 86 6c 30 ad 92 ef 21 b0
https://www.ssllabs.com/ssltest/analyze.html?d=minuenergia.ee&hideResults=on&latest claims server is sending COMODO RSA Certification Authority Fingerprint SHA1: f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0 and its issuer AddTrust External CA Root Fingerprint SHA1: 02faf3e291435468607857694df5e45b68851868
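The three comments above quote the same kind of value in three spellings (colon-separated uppercase from the Mozilla CA report, space-separated lowercase copied from a certificate viewer, compact hex from SSL Labs), and the copied viewer string carries an invisible U+200E left-to-right mark that defeats a naive string compare. The helper below is an added example, not code from this bug or from Firefox; it normalizes any of those forms, computes a SHA-1 fingerprint the way those tools do (over the DER-encoded certificate, which is why two certificates sharing the subject CN but differing in issuer, key or signature, such as a root and a cross-signed copy of it, get different fingerprints), and checks whether the certificate the server sends is the included root. The PEM block is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

# Keep hex digits only: drops colons, spaces and invisible characters such as
# the U+200E mark that rides along with text copied from a certificate viewer.
_HEX = re.compile(r"[0-9a-fA-F]")


def normalize_fingerprint(text: str, digest_bits: int = 160) -> str:
    """Reduce a fingerprint in any common display form to lowercase hex."""
    hexdigits = "".join(_HEX.findall(text))
    expected = digest_bits // 4
    if len(hexdigits) != expected:
        raise ValueError(f"expected {expected} hex digits, got {len(hexdigits)}")
    return hexdigits.lower()


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a single PEM certificate block."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = [line for line in lines if line and not line.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the whole DER encoding, as Firefox, SSL Labs and the
    Mozilla CA report display it. Same subject CN, different certificate
    (issuer, key or signature) means a different fingerprint."""
    return hashlib.sha1(der).hexdigest()


def fingerprint_matches(a: str, b: str) -> bool:
    return normalize_fingerprint(a) == normalize_fingerprint(b)


# Values as quoted in this bug: the included root from the CA report, the
# viewer string with its stray U+200E, and the SSL Labs compact form.
ROOT_FROM_CA_REPORT = "AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4"
SERVER_CA_FROM_VIEWER = "\u200ef5 ad 0b cc 1a d5 6c d1 50 72 5b 1c 86 6c 30 ad 92 ef 21 b0"
SERVER_CA_FROM_SSLLABS = "f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0"

# Constructed PEM stand-in (body is base64 of b"abc"), not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def server_sends_included_root() -> bool:
    """Is the COMODO certificate the server sends the root Mozilla includes?"""
    return fingerprint_matches(SERVER_CA_FROM_SSLLABS, ROOT_FROM_CA_REPORT)


if __name__ == "__main__":
    print(fingerprint_matches(SERVER_CA_FROM_VIEWER, SERVER_CA_FROM_SSLLABS))  # True
    print(server_sends_included_root())  # False: same CN, different certificate
    print(sha1_fingerprint(pem_to_der(SAMPLE_PEM)))
```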
Component: Untriaged → Security: PSM
Product: Firefox → Core
This is a UI issue. The server is saying the client (Firefox) hasn't provided an appropriate client certificate. Firefox needs to communicate this clearly to the user. Panos, thoughts on improving this?
Flags: needinfo?(past)
would it not be a good idea to explicitly prompt the user for a certificate file if all else fails?
I think that would be even more of a privacy concern than client certificates already are. That is, since client certificates often identify people by name/email address/etc., we don't want to pop up a dialog saying, "hey, go find a client certificate in your file system to identify yourself to this random server".
If we only want to improve the messaging, we could add SSL_ERROR_BAD_CERT_ALERT to the list of messages Bram has been working on (which is one issue away from being ready to implement). Apart from that, do we want to do anything else in these cases? If automatic prompting for a client certificate is undesired, how about a button/link to launch this dialog from the error page?
Flags: needinfo?(past) → needinfo?(bram)
I fail to reproduce the problem on both IE11 and Chrome. In both cases, I was prompted to start Windows/Apple Network Diagnostics, but never allowed to select a client certificate. Asking users to find a client certificate is helpful for those who 1) understand what a client certificate is, and 2) know where it's stored on the hard drive as well as how to browse for it. This is not the majority of users. I submit that we should display a message saying something like this: "[domain_url] did not accept your certificate. This is the website's fault, and you should contact them about it. [Try Again] [Advanced]" Upon clicking the [Advanced] button: "If you know what you're doing and where your client certificate is located, you may be able to fix your problem, but this will open you up to privacy attacks. [Browse for client certificate…]" How does this sound?
Flags: needinfo?(bram)
That sounds great. This also sounds like more of a front-end bug.
Component: Security: PSM → Security
Product: Core → Firefox
Version: 45 Branch → Trunk
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [fxprivacy][triage]
Whiteboard: [fxprivacy][triage] → [fxprivacy] [triage]
Priority: -- → P3
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
Severity: normal → S3