consider enabling TLS 1.3 post-handshake authentication if/when NSS implements it

RESOLVED FIXED in Firefox 68

Status

Status: RESOLVED FIXED
Type: defect
Priority: P5
Severity: normal
Reported: 6 months ago
Modified: a month ago

People

(Reporter: candrews, Assigned: ueno)

Tracking

Version: 63 Branch
Target Milestone: mozilla68

Firefox Tracking Flags

(firefox68 fixed)

Details

(Whiteboard: [psm-blocked])

Attachments

(1 attachment)

(Reporter)

Description

6 months ago
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

Go to a URL that requires TLS 1.3 post-handshake authentication.

This can be tested by using Apache 2.4.37 (or later) ensuring that TLS 1.3 is enabled (which it is by default if OpenSSL 1.1 is used to build Apache), and using "SSLVerifyClient require" inside of a Location or Directory section. For example:
---
SSLCACertificateFile /etc/ssl/DoD_CAs.pem
SSLOCSPEnable on
<Directory /var/www/localhost/htdocs/cac>
        SSLOptions +StrictRequire
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  10
        SSLOptions +FakeBasicAuth
</Directory>
---
See https://bz.apache.org/bugzilla/show_bug.cgi?id=62975 for this issue being reported in Apache (which is invalid; the problem is in Firefox).

Please feel free to test this behavior at https://www.integralblue.com/testhandshake/
Actual results:

An Apache error page is generated with this text:
---
You don't have permission to access /testhandshake/ on this server.
Reason: Cannot perform Post-Handshake Authentication.
---
Expected results:

Firefox should have performed client certificate authentication (such as asking for the PIN for my smartcard).
(Reporter)

Comment 1

6 months ago
The same issue occurs in Chrome; this issue has been reported to Chromium at https://bugs.chromium.org/p/chromium/issues/detail?id=911653
Component: Untriaged → Security: PSM
Product: Firefox → Core
(Assignee)

Updated

5 months ago
See Also: → 1471970
Depends on: 1471970
Priority: -- → P5
See Also: 1471970
Summary: TLS 1.3: cannot perform post-handshake authentication → consider enabling TLS 1.3 post-handshake authentication if/when NSS implements it
Whiteboard: [psm-blocked]
(Assignee)

Updated

3 months ago
Depends on: 1532312
(Assignee)

Comment 2

a month ago

This adds a config option to enable client authentication through the TLS 1.3 post-handshake auth mechanism.

Comment 3

a month ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1bb8ad865648
enable TLS 1.3 post-handshake authentication r=keeler

Comment 4

a month ago
bugherder
Status: UNCONFIRMED → RESOLVED
Last Resolved: a month ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Assignee: nobody → dueno