i'm italian, i've strange authentication problems on public administration portals with smart card

Status: UNCONFIRMED (Unassigned)
Product: Core
Component: Security: PSM
Opened 23 days ago, updated 3 days ago
Reporter: Claudio
Tracking: 56 Branch; Firefox Tracking Flags: not tracked
Attachments: 14

(Reporter)

Description

23 days ago
Created attachment 8923334 [details]
errore handshake TLS  Mozilla at INPS.png

User Agent: Mozilla/5.0 (Windows NT 10.0; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171024165158

Steps to reproduce:

Excuse me for my bad English...
I'm a fireman and the department gave me a card ... the card works fine with Internet Explorer and I can access all the portals of the Italian government (the card also has a digital signature)
1. browsing the web with Mozilla and logging in with the smart card causes a problem ...
2. a preliminary login allows navigation - I do this: menu OPTIONS> PRIVACY & SECURITY> SECURITY DEVICES>
and in the left column MODULES AND SECURITY DEVICES, I choose the device
ARUBA_ATE> ATE>  (these are my device and card)
so I am logged in (after this, I can log in to the portals...!!!)


Actual results:

1. operating as in point 1 above, all navigation freezes on login to a public administration portal ... see the attached image file ... everything freezes while executing the TLS handshake at ...
2. operating as in point 2 above, with a preliminary login to the card, Firefox allows access to the portals ... (I can't post more than 1 image ... I have other pictures of me logged in to the portals...)


Expected results:

to log in by normal browsing
normal browsing does not allow login ... login by normal browsing causes all browsing to freeze (new tabs or new sites) ... the browser does not crash, I have access to the options and other menus ...
With Internet Explorer I can regularly log in to the portals, so the card and certificates are fine !!!
after deactivating Kaspersky Antivirus and deleting all cookies and temporary files the problem is still the same...
How can I post more pictures? Thanks.

Updated

22 days ago
Component: Untriaged → Security: PSM
Product: Firefox → Core
Comment 1

Thank you for filing this bug. A few questions:

Does your device do protected authentication? That is, does it provide its own window that you use to log in or do you just type a password/pin into a window that Firefox opens?

When your browsing freezes, do other things like Firefox menus freeze as well? Is the entire browser locked up?

Are there any reports in about:crashes (you may have to copy/paste that or manually type it into a new tab) that were created as a result of Firefox hanging?

Thanks!

You should be able to add more attachments (pictures) by clicking the "Attach File" link above comment 0.
Flags: needinfo?(scncld66)
(Reporter)

Comment 2

21 days ago
Many thanks to you and excuse me for my bad English...
- Does your device do protected authentication? RE: yes, I have to type a PIN
- When your browsing freezes, do other things like Firefox menus freeze as well? Is the entire browser locked up? RE: No, I can operate the menus, add new tabs etc... however navigation freezes ... I can't access other websites ... also in a new tab or window.
- Are there any reports in about:crashes (you may have to copy/paste that or manually type it into a new tab) that were created as a result of Firefox hanging? RE: no, I have no message or report ... the browser freezes for a long time so I close the browser ... Now I will keep the browser open for more time, then I'll let you know....
I'll try to attach picture files, step by step, of the freeze (normal login) procedure ... I hope they are useful
Thank you again
Flags: needinfo?(scncld66)
(Reporter)

Comment 3

20 days ago
Created attachment 8924322 [details]
step 1

step1 - login to the portal
(Reporter)

Comment 4

20 days ago
Created attachment 8924324 [details]
login2.jpg

step 2 - choice of login method, password, pin or smartcard ... then login
(Reporter)

Comment 5

20 days ago
Created attachment 8924326 [details]
step 3

step 3 - PIN request
(Reporter)

Comment 6

20 days ago
Created attachment 8924327 [details]
step 4

step 4 - Choice of certificate... the only one possible and the right one !!!
(Reporter)

Comment 7

20 days ago
Created attachment 8924328 [details]
step 5

step 5 - TLS handshake and browser freezing !!! no navigation !!!
(Reporter)

Comment 8

20 days ago
Created attachment 8924329 [details]
step 6

step 6 - add new tab ... also in the new tab navigation is frozen ...
browser UI is ok !!! .. now I'm waiting for a message or a report ...
(Reporter)

Comment 9

20 days ago
Created attachment 8924330 [details]
step 7 ... the last step ... I lost patience !!!

step 7 - 30 minutes later the browser is still frozen ... then I close the window and the browser ... No error message and no report !!!!
(Reporter)

Comment 10

20 days ago
these are the steps of my attempt to login ...
thank you very much....
(Reporter)

Comment 11

20 days ago
hi there ...
I managed to make a video of my screen, where it shows the preliminary login and the next access to the portal !!!
you can find the video here ... http://www.scandella.org/login.m4v
thank you very much ....
Comment 12

Thanks! In that video, it seems you have two PKCS#11 modules loaded - one called "Aruba_Ate" and another called "Athena PKCS#11 Module". Are you sure you need both of those? It looks like they might be managing the same physical device ("Generic Usb Smart Card Reader 0"), which could cause problems. Maybe try removing the "Athena" module? (although first make a note of its path so you can add it back if necessary)
Flags: needinfo?(scncld66)
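
A check for the condition suggested in the comment above (two PKCS#11 modules attached to the same reader), added here as an example and not part of the bug thread or Mozilla's code. It assumes the module list was exported in the layout printed by NSS `modutil -list`; the sample listing is constructed from the names quoted in this thread, with `<DIR>` and the token labels as placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of NSS `modutil -list` (assumed input format).
# Module, reader and DLL names are from this thread; <DIR> and tokens are placeholders.
SAMPLE = r"""Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slot: NSS User Private Key and Certificate Services

  2. Aruba_Ate
        library name: <DIR>\bit4xpki.dll
         slot: Generic Usb Smart Card Reader 0
        token: SAMPLE-TOKEN-A

  3. Athena PKCS#11 Module
        library name: <DIR>\asepkcs.dll
         slot: Generic Usb Smart Card Reader 0
        token: SAMPLE-TOKEN-B
"""

MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")
FIELD_RE = re.compile(r"^\s*(library name|slot):\s*(.*?)\s*$")

def parse_modules(listing):
    """Return {module name: {"library": path or None, "slots": [reader names]}}."""
    modules, current = {}, None
    for line in listing.splitlines():
        if header := MODULE_RE.match(line):
            current = modules.setdefault(header.group(1), {"library": None, "slots": []})
        elif (field := FIELD_RE.match(line)) and current is not None:
            key, value = field.groups()
            if key == "slot":
                current["slots"].append(value)
            else:
                current["library"] = value
    return modules

def shared_readers(modules):
    """Readers (slot descriptions) that more than one module is attached to."""
    claims = defaultdict(set)
    for name, info in modules.items():
        for slot in info["slots"]:
            claims[slot].add(name)
    return {slot: sorted(names) for slot, names in claims.items() if len(names) > 1}

if __name__ == "__main__":
    for reader, names in shared_readers(parse_modules(SAMPLE)).items():
        print(f"{reader!r} is handled by: {', '.join(names)}")
```

A reader name reported for more than one module is the situation to resolve by unloading one of them, after noting its library path so it can be re-added.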
(Reporter)

Comment 13

20 days ago
Athena PKCS#11 Module is another module ... it's needed for another CNS card of the National Medical Service ...
now I'm going to remove it, then I'll do a reset of my PC, then I'll try again to log in ...

Thank you...
Flags: needinfo?(scncld66)
(Reporter)

Comment 14

20 days ago
I confirm that, after removing the module, my new smartcard works fine !!!! ... I can log in....
I tried to load the module and assign it a different name but the problem still occurs...
the only way is to remove the module ...

why does the module conflict appear ???
why does the module conflict freeze Firefox navigation ? ... also in a new tab ???
how can I avoid the module conflict ?

why do no problems appear in Internet Explorer, unlike Firefox ?
can Firefox developers optimize the code ?

Thanks...
Comment 15

Without knowing what specifically is causing the lockup, it would be hard to fix. One thing you could try is to get Firefox to freeze again and then follow the steps at https://superuser.com/questions/678054/force-firefox-to-crash-or-trick-firefox-into-thinking-it-has-crashed-on-windows#answer-678426 to make Firefox crash (note that this will crash Firefox, so save all of your work first). Then, after opening up Firefox again there should hopefully be a link in about:crashes that may tell me more about what's going on.

I believe Internet Explorer uses the underlying OS-level APIs, so it avoids using these libraries altogether, so it works better.
Flags: needinfo?(scncld66)
(Reporter)

Comment 16

18 days ago
I tried to perform the forced Mozilla Firefox crash ...

Taskkill /IM firefox.exe /F does not work .... Firefox recovers perfectly the session and the opened tabs ...

The Mozilla tool at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe works fine ...

I'm going to post the generated report file named "crash report mozilla firefox.txt" and the popup's printscreen

(I also sent the report to Mozilla from the popup window)

Thank you...
Flags: needinfo?(scncld66)
(Reporter)

Comment 17

18 days ago
Created attachment 8925235 [details]
crash firefox report.jpg
(Reporter)

Comment 18

18 days ago
Created attachment 8925236 [details]
crash report mozilla firefox.txt
Comment 19

Is there a corresponding link in about:crashes? That will link to https://crash-stats.mozilla.com , which presents the report in a way that's much easier to decipher.
Flags: needinfo?(scncld66)
(Reporter)

Comment 20

14 days ago
what do you mean by "about:crashes"?
I've got only a "details..." button ("dettagli..." in Italian ... see picture) on the crash popup ... see the next posted picture ...
the content of the "details..." popup is identical to the content of the next posted txt file ... I can't find any link in it...
I get no other web page when I restart Mozilla (I've already said this)... "Firefox recover perfectly the session and the opened tabs".
Thanks.
Flags: needinfo?(scncld66)
(Reporter)

Comment 21

14 days ago
Created attachment 8926417 [details]
FF crash,  no link supplied after this.png
(Reporter)

Comment 22

14 days ago
Created attachment 8926419 [details]
LOG - crash firefox - last 20171108_160000.txt

I can't find any link in it...

I get no other web page when I restart Mozilla (I've already said this)... "Firefox recover perfectly the session and the opened tabs".
(Reporter)

Comment 23

14 days ago
UPDATE:
the next posted txt file is the content of the popup in the "Firefox natural crash..."
excuse me for my bad English ... the popup appears about 3 minutes after I've closed the frozen Firefox window...
so it's not necessary to do a forced crash using the tool "crashfirefox.exe" at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe
I hope it's useful ...
Thanks...
(Reporter)

Comment 24

14 days ago
Created attachment 8926426 [details]
crash firefox - last 20171108_163000.txt
Comment 25

Sorry - I wasn't being clear. If you open Firefox again and type "about:crashes" (without the quotes) into the urlbar, you should get a page that lists the crash reports Firefox has collected. I imagine the most recent few are from when you've used crashfirefox. If you copy/paste those links, I might be able to get a better idea of what's going on when Firefox locks up.
(Reporter)

Comment 26

14 days ago
oh...!!! it's all right !!!

thank you .... i've just done it ...

some Firefox crashes were caused by eBay navigation...
I've eliminated all the logs, then I've done a Firefox crash again (using the card)...

here is the link ...
https://crash-stats.mozilla.com/report/index/bp-21c8dbd9-6b74-4cca-a305-ad1ab1171108

it seems that Firefox contacts the wrong module (asepkcs.dll instead of bit4xpki.dll), even though the browser shows the right certificate ...

I'll wait for news ... thank you.
(Reporter)

Comment 27

14 days ago
I'm stunned ...

it seems that Firefox contacts asepkcs.dll even if I do the preliminary login to the card, after which I have access to the portal ...

later I did a forced crash using the tool "crashfirefox.exe" at http://archive.mozilla.org/pub/utilities/crashfirefox-intentionally/crashfirefox.exe

here is the log....

https://crash-stats.mozilla.com/report/index/bp-cfdd0ec9-8dc0-4613-a634-b58cc1171108


LOGS BRIEF:

log for no access and natural crash: https://crash-stats.mozilla.com/report/index/bp-21c8dbd9-6b74-4cca-a305-ad1ab1171108


log for preliminary login to the card, then login to the portal, logout and crash forced using the tool "crashfirefox.exe": https://crash-stats.mozilla.com/report/index/bp-cfdd0ec9-8dc0-4613-a634-b58cc1171108

thank you.
Comment 28

(In reply to Claudio from comment #27)
> seem that Firefox contact asepkcs.dll also if i do preliminary login to the
> card, than i've access to the portal ...

If I understand what you're saying, I think the reason this is happening is Firefox is trying to construct the client certificate chain that it sends to the server. Because it doesn't necessarily know which module the issuing certificate for the client certificate is on, it tries them all.

We've made some recent changes to how we handle PKCS#11 modules, but it hasn't made it to release yet - would you mind trying to reproduce the hang with Nightly? ( https://www.mozilla.org/en-US/firefox/channel/desktop/#nightly )
(Reporter)

Comment 29

13 days ago
Is Nightly a new special version of Firefox browser?
Comment 30

Yes, Nightly is where new development happens on Firefox. Every 6 weeks or so changes from Nightly go to Beta and the previous Beta gets released as a new version of Firefox.
(Reporter)

Comment 31

13 days ago
I've downloaded and installed Nightly ...

the problems are the same ... (identical)

you can find the Nightly browser report here : https://crash-stats.mozilla.com/report/index/bp-d9d1798f-1c0f-49eb-9ebd-f80270171109

there is a special test page on the certification authority's website that makes a report of the certificate and tests the communication ... Internet Explorer works fine there
I'm going to post the printscreen of this test page with the Internet Explorer browser ...

I've tried to do the test with the Nightly browser ... it crashes again and you can find the crash report here: https://crash-stats.mozilla.com/report/index/bp-61034391-a6e1-48c5-89af-49c390171109

I think there is wrong data being sent by the Firefox and Nightly browsers to the certification authority...
(again ... with preliminary login to the card, I can log in to the portal !!! .... so in the preliminary login phase, Firefox sends the right data to the certification authority)

I think you have to look for the difference between these two procedures (login during web browsing and preliminary login to the card)

thanks.
(Reporter)

Comment 32

13 days ago
Created attachment 8927003 [details]
certification authority test page with internet explorer.png
Comment 33

Franziskus, any idea how we might be deadlocking at security/nss/lib/pki/tdcache.c:897? See the socket thread in each of the crash reports from comment 31.
Flags: needinfo?(franziskuskiefer)

Comment 34

The only way I can see how this could deadlock is when there's another thread racing for the lock. The way the problem is described it sounds like one of the two PK11 modules somehow locks the cache in a weird way so that one doesn't release properly. If we had a PK11 test framework, we might be able to reproduce and test this. Without, I'm not sure how to proceed as I don't see an obvious code path that could trigger this.
Flags: needinfo?(franziskuskiefer)
(Reporter)

Comment 35

5 days ago
Many thanks to all...
waiting for news ... Meanwhile I will be forced to use internet explorer :(
Comment 36

Well, you could raise this issue to the manufacturers of the smartcards you're using. Unfortunately I don't think there's much we'll be able to do on our end, short of bug 1396030.
(Reporter)

Comment 37

3 days ago
but this is absurd ... paper and certificates work well !!! also the portals work fine ....
Mozilla handles login badly ...

Pre login to the card = correct data are sent
browsing login = wrong data is sent ...

sorry but I'm disappointed ...
(Reporter)

Comment 38

3 days ago
* but this is absurd ... smart card and certificates work well !!!