Open Bug 135403 Opened 22 years ago Updated 2 years ago

Add "None" button for client authentication, change cancel to cancel connection

Categories

(Core :: Security: PSM, enhancement, P3)

enhancement

People

(Reporter: julien.pierre, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-auth][psm-clientauth])

When a server sets the SSL_REQUEST_CERTIFICATE (but not 
SSL_REQUIRE_CERTIFICATE), it's telling the SSL client that the user can 
login with or without a client certificate.

Upon receiving this SSL alert, Mozilla will search all the tokens for 
client certificates matching the CA certs presented by the server. If 
it finds one or more, it will ask the user to select one of those 
matching certificates (or automatically use one of the matching 
certificates, if "select automatically" is set).

The only options in the client cert selection dialog are to select a 
cert and click OK, or click Cancel. If Cancel is clicked, the entire 
connection is aborted.

Effectively, if a user has a certificate, he can only login to the 
server with that certificate, even though the server also allows 
logging in without a certificate.

Consider the case below, which I ran into yesterday:
- The user has a matching certificate, which has been revoked by the CA 
and is listed in the CA's CRL
- The server has the CA's CRL installed

When the user logs in to the server, forcibly selecting his client 
certificate, he gets a pop-up from the server saying "your client 
certificate has been revoked" (not sure of exact wording anymore, I 
would have to check). The problem is, he is unable to access the server 
at all, even though the client certificate isn't required by the 
server, but only requested!

The only workaround for the user at that point is to delete his revoked 
client certificate before he can login to the server. Once the 
certificate is deleted, the user no longer has any matching client 
certs, and Mozilla falls back to SSL without client auth, and all goes 
fine. Of course, this is a rather drastic workaround, and may not be 
desirable for example if this is a certificate living on a smartcard. 

My suggestion is to add a selection in the client cert pop-up list for 
"None" if the server set SSL_REQUEST_CERTIFICATE without setting 
SSL_REQUIRE_CERTIFICATE.

Note that this is only one of many justifications for having this 
"None" option. For privacy reasons, one may want to login to the site 
without client auth, if the server allows it. This isn't possible today 
if you have a client cert in your database or other token.
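The distinction the report turns on (a server that merely requests a client certificate versus one that requires it) can be exercised end to end with a small program. The following is an added example, not code from this bug, from Mozilla or from NSS; it uses Go's crypto/tls, where the server-side setting tls.RequestClientCert plays the role of SSL_REQUEST_CERTIFICATE and tls.RequireAndVerifyClientCert the role of SSL_REQUIRE_CERTIFICATE. The client answers the server's CertificateRequest either with its certificate or with an empty certificate list, which is what a "None" choice in the selection dialog would send. The names server.example and alice, the Attempt/Outcome helpers and the loopback socket are all constructed for the example; certificates are generated in memory when it runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate in memory for the given
// name. It is flagged as a CA so the same cert can serve as its own trust anchor.
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Outcome is what the server side concluded from one handshake attempt.
type Outcome struct {
	Accepted bool   // the server completed the handshake
	ClientCN string // CN of the client certificate the server saw ("" when none)
	Reason   string // server-side error when Accepted is false
}

// Attempt runs one TLS handshake over a loopback TCP socket. policy is the
// server's client-auth setting (RequestClientCert ~ SSL_REQUEST_CERTIFICATE,
// RequireAndVerifyClientCert ~ SSL_REQUIRE_CERTIFICATE); offerCert is the user's
// answer in the selection dialog: true picks the certificate, false is the
// proposed "None" answer, i.e. an empty certificate list. Names are constructed.
func Attempt(policy tls.ClientAuthType, offerCert bool) (Outcome, error) {
	serverCert, err := selfSigned("server.example")
	if err != nil {
		return Outcome{}, err
	}
	clientCert, err := selfSigned("alice")
	if err != nil {
		return Outcome{}, err
	}
	serverPool, clientPool := x509.NewCertPool(), x509.NewCertPool()
	serverPool.AddCert(serverCert.Leaf)
	clientPool.AddCert(clientCert.Leaf)

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()

	// Server side: accept one connection, run the handshake, report what it saw.
	results := make(chan Outcome, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			results <- Outcome{Reason: err.Error()}
			return
		}
		defer raw.Close()
		srv := tls.Server(raw, &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			ClientAuth:   policy,
			ClientCAs:    clientPool, // CAs the server advertises in its CertificateRequest
		})
		if err := srv.Handshake(); err != nil {
			results <- Outcome{Reason: err.Error()}
			return
		}
		out := Outcome{Accepted: true}
		if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
			out.ClientCN = peers[0].Subject.CommonName
		}
		srv.Write([]byte("hello")) // lets the client's Read return cleanly
		results <- out
	}()

	// Client side: answer the CertificateRequest according to the user's choice.
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return Outcome{}, err
	}
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{
		RootCAs:    serverPool,
		ServerName: "server.example",
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			if offerCert {
				return &clientCert, nil
			}
			return &tls.Certificate{}, nil // "None": send an empty Certificate message
		},
	})
	if err := cli.Handshake(); err != nil {
		raw.Close() // let the server side fail fast instead of waiting on a dead peer
	} else {
		cli.Read(make([]byte, 16)) // drains the greeting, or the server's alert
	}
	return <-results, nil
}

func main() {
	for _, policy := range []tls.ClientAuthType{tls.RequestClientCert, tls.RequireAndVerifyClientCert} {
		for _, offer := range []bool{true, false} {
			out, err := Attempt(policy, offer)
			if err != nil {
				fmt.Println("setup error:", err)
				return
			}
			fmt.Printf("%-28v offerCert=%-5v accepted=%-5v clientCN=%q %s\n",
				policy, offer, out.Accepted, out.ClientCN, out.Reason)
		}
	}
}
```

Running it prints one line per combination of server policy and user choice: with RequestClientCert the empty-certificate answer still yields a completed handshake with no peer certificate, which is exactly the connection a "None" button would give the user, while with RequireAndVerifyClientCert the same answer is refused by the server. A "Cancel" that aborts the connection, as the report describes, never lets the handshake reach this point at all, so the server gets no chance to serve its own error page.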
Priority: -- → P2
kai.
Assignee: ssaux → kaie
Target Milestone: --- → 2.3
Version: 1.01 → 2.3
I would add that the behavior Julien describes (where "cancel" aborts
the connection) appears to differ from Communicator 4.x's behavior
in that situation, where cancel seems to mean "continue without 
authenticating".  
Nelson,

Indeed. We should have a way to do both - either abort the connection or select 
no certificate, for servers allowing no certificate.
For servers requiring a certificate, only selecting a cert or aborting would be 
acceptable.
This is why I suggest putting a "No certificate" choice in the drop-down list of 
certs. That seems to make the most sense, at least to me. But perhaps a button 
("login without certificate") would be easier to understand for others. That 
button would have to only be shown if the server didn't set the require bit, 
though.
Re: my previous example from last night, if the cert was on a smartcard, the 
user could conceivably remove it from his reader and then login to the server - 
provided he knows that it's possible. We don't tell the user whether the server 
accepts non client-auth connections.
And this is still not easily solvable for certs living in the database which 
would have to be deleted as a workaround ...

As far as the revoked cert case and server permitting no client auth but 
requesting the cert: usually, such servers will only allow the non-client auth 
connection in order to be able to send a customized error page for the missing 
certificate. This is much better than the browser pop-up dialog about having a 
revoked cert.

So, in that case, the user first logs in to the server with his revoked cert, 
and gets the "revoked" pop-up. With the new "none" feature, he can login again 
to the server with no certificate. The server will allow the non-client auth 
connection, and likely will display a "forbidden" page. That page conceivably 
could contain a pointer to the cert enrollment/renewal page or some contact 
information to get a valid certificate. This is much better than being stuck 
with a revoked cert and not being able to get in at all without deleting it.
FYI, the behavior I described is just what happens in NES when the server 
"requires" client auth. It never sets the SSL_REQUIRE_CERTIFICATE bit, only 
SSL_REQUEST_CERTIFICATE. So if the user logs in without the client certificate, 
the custom 403 error page is sent to the user.
*** Bug 32023 has been marked as a duplicate of this bug. ***
transferring dependency from duplicate
Depends on: 106730
Keywords: nsbeta1
Changing summary. The current behaviour of "Cancel" is to use no certificate.
Summary: Need to be able to choose "None" for client certificate selection → Add "None" button for client authentication, change cancel to cancel connection
Product: PSM → Core
changing obsolete psm* target to --- (unspecified)
Target Milestone: psm2.3 → ---
QA Contact: junruh → ui
Version: psm2.3 → 1.0 Branch
OS: Other → All
Version: 1.0 Branch → Trunk
Whiteboard: [psm-auth]
see also bug 32010 comment 13 [4.]
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
Component: Security: UI → Security: PSM
Priority: P2 → P3
Whiteboard: [psm-auth] → [psm-auth][psm-clientauth]
Severity: normal → S3