Open Bug 1362079 Opened 8 years ago Updated 2 months ago

Display a more helpful error when a SSL handshake fails due to a client certificate

Categories

(Firefox :: Security, enhancement, P3)

Product:
Firefox
Component:
Security
Type:
enhancement

Tracking

()

People

(Reporter: tjr, Unassigned)

References

(Blocks 1 open bug)

Details

When a server requests a client certificate, and Firefox does not send one (because it has none), and the handshake is closed by the server with an alert - it would be reasonable to believe the error is that the server requires a client cert (even if it is not saying so explicitly.) Right now all we do is a generic "Secure Connection Failed" page, saying: An error occurred during a connection to <address>. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. It would be great to change this error message to suggest that a client certificate is required. It seems like it would also be worthwhile to change the error code to be more specific (for telemetry purposes) although I'm not 100% certain this nuance is not already captured.
Severity: normal → enhancement
Priority: -- → P3
I'd like to second this. Chromium displays a helpful error message in this case.
I'd like to second as well. Is it actually the case that firefox cannot distinguish missing client certificates from other TLS handshake errors? I connected with openssl s_client to such a host. After the server certificate, it prints: Acceptable client certificate CA names /C=[...]/CN=[...]/emailAddress=[...] Client Certificate Types: RSA sign, DSA sign, ECDSA sign Cheers, Ari
I just ran into this myself when helping a friend to investigate an issue she was hitting. In my case, the affected page is: https://citrixaccesspiv.va.gov/ Firefox shows a generic error page with text described in comment 0 here. In contrast, Chrome has this much more useful / follow-up-able text: > citrixaccesspiv.va.gov didn’t accept your login certificate, or one may not have been provided. > ERR_BAD_SSL_CLIENT_AUTH_CERT
Assignee: nobody → 1991manish.kumar
:wennie I can update this error message. can you suggest message?
Flags: needinfo?(wleung)
Flags: needinfo?(jhofmann)

I think the first step here is to understand what SSL_ERROR_HANDSHAKE_FAILURE_ALERT means, in Firefox terms. If this covers more than just missing client certs, we may either need to find a way to single those out in their own error code or word the error in a way that it is more understandable but also covers the other possibilities. Once we know this we can ask someone from UX to help us with the copy.

Dana, can you provide some insights on the above? :)

Thanks!

Flags: needinfo?(wleung)
Flags: needinfo?(jhofmann)
Flags: needinfo?(dkeeler)

My understanding is that SSL_ERROR_HANDSHAKE_FAILURE_ALERT means the TLS server we're trying to connect to terminated the handshake early. We don't necessarily know why (in theory the server could just be "eh, I don't feel like it"), but in practice users tend to encounter this only when the server was expecting a client certificate and didn't get one. In fact, if we note when a server asks for a client certificate and the user either doesn't have one or doesn't pick one, we could be more confident that this is why the server closed the connection (this would best be done in a separate bug).
Assuming we had that confidence, we could certainly show a better error message like:

<site> asked Firefox to provide a login certificate, but you don't have any (in the case where they don't have any usable client certificate)

<site> asked Firefox to provide a login certificate, but you didn't select one (in the case where they have client certificates but chose not to send one)

<site> didn't accept the login certificate you selected (in the case where they chose one but the server closed the connection anyway)

If we aren't confident the issue is due to client certificates, we could say something more generic like:

<site> closed the connection when Firefox tried to connect to it

Flags: needinfo?(dkeeler)

I misunderstood, I thought only need to update this error message.

The page you are trying to view cannot be shown because the authenticity
of the received data could not be verified.
Please contact the website owners to inform them of this problem.


It would be great to change this error message to suggest that a client
certificate is required.
Assignee: 1991manish.kumar → nobody
Severity: normal → S3

restricting comments because this has become a spam-magnet.

Restrict Comments: true
You need to log in before you can comment on or make changes to this bug.