Open Bug 1362079 Opened 7 years ago Updated 2 months ago

Display a more helpful error when an SSL handshake fails due to a client certificate

Categories: Firefox :: Security, enhancement, P3

People: Reporter: tjr, Unassigned

References: Blocks 1 open bug

When a server requests a client certificate, and Firefox does not send one (because it has none), and the handshake is closed by the server with an alert, it would be reasonable to believe the error is that the server requires a client cert (even if it is not saying so explicitly).

Right now all we do is a generic "Secure Connection Failed" page, saying:

An error occurred during a connection to <address>. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

It would be great to change this error message to suggest that a client certificate is required.

It seems like it would also be worthwhile to change the error code to be more specific (for telemetry purposes) although I'm not 100% certain this nuance is not already captured.
Severity: normal → enhancement
Priority: -- → P3
I'd like to second this. Chromium displays a helpful error message in this case.
I'd like to second as well. Is it actually the case that Firefox cannot distinguish missing client certificates from other TLS handshake errors? I connected with openssl s_client to such a host. After the server certificate, it prints:

Acceptable client certificate CA names
/C=[...]/CN=[...]/emailAddress=[...]
Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Cheers, Ari
I just ran into this myself when helping a friend to investigate an issue she was hitting. In my case, the affected page is:
  https://citrixaccesspiv.va.gov/

Firefox shows a generic error page with text described in comment 0 here. In contrast, Chrome has this much more useful / follow-up-able text:
>  citrixaccesspiv.va.gov didn’t accept your login certificate, or one may not have been provided.
>  ERR_BAD_SSL_CLIENT_AUTH_CERT
Assignee: nobody → 1991manish.kumar
:wennie
I can update this error message.
can you suggest message?
Flags: needinfo?(wleung)
Flags: needinfo?(jhofmann)

I think the first step here is to understand what SSL_ERROR_HANDSHAKE_FAILURE_ALERT means, in Firefox terms. If this covers more than just missing client certs, we may either need to find a way to single those out in their own error code or word the error in a way that it is more understandable but also covers the other possibilities. Once we know this we can ask someone from UX to help us with the copy.

Dana, can you provide some insights on the above? :)

Thanks!

Flags: needinfo?(wleung)
Flags: needinfo?(jhofmann)
Flags: needinfo?(dkeeler)

My understanding is that SSL_ERROR_HANDSHAKE_FAILURE_ALERT means the TLS server we're trying to connect to terminated the handshake early. We don't necessarily know why (in theory the server could just be "eh, I don't feel like it"), but in practice users tend to encounter this only when the server was expecting a client certificate and didn't get one. In fact, if we note when a server asks for a client certificate and the user either doesn't have one or doesn't pick one, we could be more confident that this is why the server closed the connection (this would best be done in a separate bug).
Assuming we had that confidence, we could certainly show a better error message like:

<site> asked Firefox to provide a login certificate, but you don't have any (in the case where they don't have any usable client certificate)

<site> asked Firefox to provide a login certificate, but you didn't select one (in the case where they have client certificates but chose not to send one)

<site> didn't accept the login certificate you selected (in the case where they chose one but the server closed the connection anyway)

If we aren't confident the issue is due to client certificates, we could say something more generic like:

<site> closed the connection when Firefox tried to connect to it

Flags: needinfo?(dkeeler)
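The two technical points in this thread, the CertificateRequest (with its acceptable CA names) that Ari's openssl s_client output exposes, and the client-side bookkeeping Dana proposes (note that the server asked for a client certificate, then interpret the server's alert in that light), can be shown together in one small program. The Go program below is an added example written for this page; it is not Firefox or NSS code and nothing from the bug itself. It builds a throwaway self-signed certificate, runs a TLS 1.2 handshake over an in-memory pipe against a crypto/tls server that either does or does not require a client certificate, records inside GetClientCertificate whether a CertificateRequest arrived and which CA names it listed, and maps the result onto the message variants suggested above. The Outcome and Classify names and the message wording are this example's own; the "you didn't select one" case depends on UI state and is represented only by the CertOffered flag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome records what the client learned from one handshake attempt.
type Outcome struct {
	CertRequested bool     // the server sent a CertificateRequest
	CertOffered   bool     // the client actually sent a certificate
	AcceptableCAs []string // CA names the server listed in its request
	Err           error    // handshake error, if any
}

// Classify maps an outcome to the kind of message proposed in the thread
// (wording is this example's paraphrase, not Firefox copy).
func Classify(o Outcome) string {
	switch {
	case o.Err == nil:
		return "handshake succeeded"
	case o.CertRequested && !o.CertOffered:
		return "the site asked for a login certificate, but none was provided"
	case o.CertRequested:
		return "the site did not accept the login certificate that was sent"
	default:
		return "the site closed the connection during the handshake"
	}
}

// selfSignedCert makes a throwaway certificate (constructed here, not real) for the in-memory server.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// Probe runs one TLS 1.2 handshake over an in-memory pipe against a server with
// the given client-auth policy. The client has no certificate to offer, but it
// remembers whether, and for which CAs, the server asked for one.
func Probe(auth tls.ClientAuthType) (Outcome, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	clientEnd, serverEnd := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // safety net against a stalled handshake
	clientEnd.SetDeadline(deadline)
	serverEnd.SetDeadline(deadline)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   auth,
		ClientCAs:    pool, // advertised to the client as the acceptable CA names
		// Pinned to 1.2: in TLS 1.3 the client-auth alert arrives only after the
		// client has finished its side, so it surfaces on the first read instead.
		MaxVersion: tls.VersionTLS12,
	}
	go func() {
		// A policy violation here makes the server send the alert the client sees.
		_ = tls.Server(serverEnd, serverCfg).Handshake()
		serverEnd.Close()
	}()

	var o Outcome
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		// Called exactly when a CertificateRequest arrives: the point at which a
		// client could note "this server wanted a login certificate".
		GetClientCertificate: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			o.CertRequested = true
			for _, ca := range info.AcceptableCAs {
				var name pkix.RDNSequence
				if _, err := asn1.Unmarshal(ca, &name); err == nil {
					o.AcceptableCAs = append(o.AcceptableCAs, name.String())
				}
			}
			return &tls.Certificate{}, nil // empty certificate: nothing to send
		},
	}
	o.Err = tls.Client(clientEnd, clientCfg).Handshake()
	clientEnd.Close()
	return o, nil
}

func main() {
	for _, auth := range []tls.ClientAuthType{tls.NoClientCert, tls.RequireAnyClientCert} {
		o, err := Probe(auth)
		if err != nil {
			fmt.Println("setup failed:", err)
			return
		}
		fmt.Printf("requested=%v cas=%v err=%v -> %s\n", o.CertRequested, o.AcceptableCAs, o.Err, Classify(o))
	}
}
```

With RequireAnyClientCert the callback fires, the CA list reads CN=localhost (the same information s_client prints as "Acceptable client certificate CA names"), and the handshake then fails with the server's alert; with NoClientCert the callback never fires and the handshake completes. The alert itself is no more specific in either case, which is why the classification has to lean on whether a request was seen rather than on the error code alone.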

I misunderstood; I thought I only needed to update this error message.

The page you are trying to view cannot be shown because the authenticity
of the received data could not be verified.
Please contact the website owners to inform them of this problem.


It would be great to change this error message to suggest that a client
certificate is required.
Assignee: 1991manish.kumar → nobody
Severity: normal → S3