skip self-signed intermediate certificates that aren't trust anchors in path building

RESOLVED FIXED in Firefox 69



2 months ago
Last month


(Reporter: stigmh, Assigned: keeler)


66 Branch

Firefox Tracking Flags

(firefox69 fixed)


(Whiteboard: [psm-assigned])


(2 attachments)



2 months ago
Posted file fftls.tar.gz

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:


  1. Configure NGINX server with self-signed certificate and self-generated Diffie-Hellman. This is done through Docker and the attached script.

  2. Visit server through HTTPS

  3. Cancel the docker image with Ctrl+C; Script deletes and regenerates self-signed certificate, DH, and start new Docker instance.

Repeat 2-3 until complete hang. Same issue happens without server side Docker and on a Fedora client.

Actual results:

Firefox eventually fails to load the server's page claiming it is "Performing TLS handshake"; it hangs. I have to kill Firefox through process manager. Seems like cert9.db in profile catalog somehow becomes corrupt as deleting it resolves the issue.

Expected results:

Page should load normally; no weird delay or hang. Brave (Chromium) and MS Edge are not affected.

Component: Untriaged → Security: PSM
Product: Firefox → Core

As a workaround you can clear the certificates that have accumulated in your certificate database (cert9.db) either using certutil or by just deleting the file.

The solution from bug 1056341 isn't flexible enough to really work given the wide range in how powerful peoples' devices are.

Assignee: nobody → dkeeler
Priority: -- → P1
Summary: TLS Handshake hang when server changes certificates → skip self-signed intermediate certificates that aren't trust anchors in path building
Whiteboard: [psm-assigned]

In bug 1056341 we introduced a search budget to mozilla::pkix to attempt to work
around the problem of having an extremely large search space given a set of
certificates all with the same subject and issuer distinguished names but
different public keys. In the end, though, there is probably no good value to
choose for the budget that is small enough to run quickly on the wide range of
hardware our users have and yet is large enough that we're confident won't break
someone's complicated pki setup (looking at you, the US federal government).

To address this, use the observation that as long as an intermediate can't add
information necessary to build a certificate chain (e.g. stapled SCTs), we
should never need a self-signed intermediate (as in, its own key verifies the
signature on it and its subject and issuer distinguished names are identical) to
build a trusted chain (since the exact same chain without that intermediate
should be valid). Given this, we simply skip all self-signed non-trust anchor
CA certificates during path building.

Ever confirmed: true

Comment 3

Last month
Pushed by
avoid searching unproductive certificate paths during verification r=jcj,KevinJacobs

Comment 4

Last month
Closed: Last month
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
You need to log in before you can comment on or make changes to this bug.