Closed Bug 1441189 Opened 7 years ago Closed 6 years ago

security.enterprise_roots.enabled set to true will break TLS Client Authentication

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: u606864, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180206200532

Steps to reproduce:
Import a TLS Client Certificate to Firefox ESR 52.6.0 and to the Microsoft Certificate-Store and set security.enterprise_roots.enabled to true.

Actual results:
The TLS client certificate authentication mechanism will be broken. Neither the Firefox nor the Windows Certificate-Store will be used to read client certificates and a handshake error will appear.

Expected results:
Firefox should read one of those stores to provide TLS client authentication.
Affected System:
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Version: 52.6.0
Build ID: 20180118122319
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

I have tested this issue on Ubuntu 16.04 x64 and Windows 10 x64 with the latest Firefox release (58.0.2) and the latest Nightly (60.0a1-20180301024724) and haven't managed to reproduce the issue. After opening the browser and logging into Facebook, when opening multiple tabs with different Facebook pages, the TLS client certificate authentication mechanism didn't break.

Can you please retest this using the latest Firefox release and latest Nightly build and report back the results? (You can download the latest Nightly build from here https://goo.gl/57dpxn) When doing this, please use a new clean Firefox profile, maybe even safe mode, to eliminate custom settings as a possible cause (https://goo.gl/AR5o9d).
Flags: needinfo?(bugzilla.mmacha)
I'm not sure how to test this issue; however, I am going to assign the "NSS: Libraries" component for it and hopefully someone with more knowledge in this area will take a look at this.

In the meantime could you please retest this using the latest Firefox release and latest Nightly build and report back the results? (You can download the latest Nightly build from here https://goo.gl/57dpxn) When doing this, please use a new clean Firefox profile, maybe even safe mode, to eliminate custom settings as a possible cause (https://goo.gl/AR5o9d).
Assignee: nobody → nobody
Component: Untriaged → Libraries
Product: Firefox → NSS
Version: 52 Branch → other

This seems odd, as the enterprise roots mechanism shouldn't affect NSS/Necko's client auth at all. Probably this is not reproducible, but it belongs in PSM. Moving there for PSM triage.

Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: jjones
Version: other → unspecified
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE