SSL_ERROR_UNKNOWN_CA_ALERT on a two way SSL website with custom CA
Categories: Core :: Security: PSM, defect

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox71 | --- | affected |

People: Reporter: krzysztof.krason, Unassigned

Attachments (1 file): 29.26 KB, application/json
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Steps to reproduce:
- Go to my company webmail site (or go to any other site of my employer that requires client certificate from me)
Actual results:
I see a page:
Secure Connection Failed
An error occurred during a connection to webmail.akamai.com. Peer does not recognize and trust the CA that issued your certificate.
Error code: SSL_ERROR_UNKNOWN_CA_ALERT
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Expected results:
I should be authenticated using my certificate (two-way SSL) and the website should let me in.
I have a custom CA uploaded for my employer, but I think this is not being used on the web-facing sites because I see that the website in question uses a Let's Encrypt certificate that expires in December.
Reporter, Comment 1 • 5 years ago
This was working in the previous Nightly; after updating to 71.0a1 (2019-09-20) it broke.
I don't know what the previous Nightly was; I assume 71.0a1 (2019-09-19).
Reporter, Comment 2 • 5 years ago
It might be related to the changes for https://bugzilla.mozilla.org/show_bug.cgi?id=1577822 that were done on the 19th: https://hg.mozilla.org/mozilla-central/rev/2f369bea151cf274734899e7685f08d20914eed9
Is Firefox asking you to select a client certificate? If not, what is the value of security.default_personal_cert in about:config?
Reporter, Comment 4 • 5 years ago
No, it is not asking; the value of security.default_personal_cert is Select Automatically.
Reporter, Comment 5 • 5 years ago
I made it work in my version by removing cert8.db and cert9.db and reimporting my certificate.
After that I can finally log into my corporate websites.
So maybe there is some issue with converting the old cert db to the newer one?
BTW, I had two exactly identical client certificates; maybe that was causing the issue?
(In reply to krzysztof.krason from comment #5)
> BTW, I had two exactly identical client certificates; maybe that was causing the issue?

That's probably it. Bug 1573542 changed how Firefox enumerates available client certificates. Setting security.default_personal_cert to Select Automatically makes Firefox pick the "first" certificate it finds. Since the "first" certificate isn't the same one as before, Firefox isn't sending the same certificate, and the server is rejecting it.

Some thoughts: it's only an accident that this worked in the first place anyway. If your certificates were slightly different or if you had more of them, Firefox could have easily sent the "wrong" one before bug 1573542. Also, Select Automatically is a disaster for privacy. This makes Firefox automatically send information that uniquely identifies you to any server that asks, all without notifying you. It's going to be removed in the near future. Since you've found a way to make this work, I'm going to close this as "worksforme".
Reporter, Comment 7 • 5 years ago
Actually, those were exactly the same certificates (same serial number; not sure how to check differences in other details).
As for Select Automatically, please don't remove it. "Everyone" (search stackoverflow.com, ask colleagues) hates how Chrome makes people click "OK" for the same certificate over and over for the same pages; Firefox behaves more sanely in that matter by allowing auto selection (disabling it won't increase security because most people would still just click "OK" in the dialog, so that would just annoy them, not increase security). At least leave it as an option in about:config, please.
Maybe there is another option, e.g. have a list of hostnames that can Select Automatically a given certificate.
Comment hidden (advocacy)
Same problem here. I also removed certX.db, but I'm no longer able to log into secured web pages (Error code: SSL_ERROR_BAD_CERT_ALERT).
security.default_personal_cert=Ask Every Time, but it doesn't even ask.
I had no problems over the last years.
Their server uses a company authority which had been imported.
System: Ubuntu 18.04.3
Normally the web server tells the client which certificates are acceptable, so it is possible to select a suitable one from the available ones.
openssl s_client -connect server:port
-> Acceptable client certificate CA names
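An added diagnostic, not part of this bug thread or of Firefox, that ties comment 6 (two identical client certificates make automatic selection ambiguous) to the openssl s_client check above: it parses the server's acceptable CA list out of s_client output and flags client certificates that share issuer and serial. All DNs, nicknames and serials are constructed, and the certificate inventory stands in for what `certutil -L` would list from the profile's cert9.db.

```python
from collections import namedtuple
# Constructed `openssl s_client -connect host:443` excerpt, not a capture from
# the site in this bug; only the CertificateRequest section is needed.
SAMPLE_S_CLIENT_OUTPUT = """\
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Corp Issuing CA
C = US, O = Example Corp, CN = Example Corp Root CA
Client Certificate Types: RSA sign, ECDSA sign
---
"""
# nickname as `certutil -L` shows it, issuer DN as s_client prints it, serial
ClientCert = namedtuple("ClientCert", "nickname issuer serial")
ISSUING_CA = "C = US, O = Example Corp, CN = Example Corp Issuing CA"
# Constructed inventory mirroring comment 5: the same cert imported twice.
SAMPLE_CERTS = [
    ClientCert("webmail", ISSUING_CA, "0x1a2b"),
    ClientCert("webmail #2", ISSUING_CA, "0x1a2b"),
    ClientCert("old vpn", "C = US, O = Other Inc, CN = Other Inc CA", "0x77"),
]

def acceptable_ca_names(s_client_output):
    """DNs from the server's CertificateRequest; [] if it sent none."""
    names, inside = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            inside = True
        elif inside:
            if line.startswith("---") or "=" not in line:
                break  # DN lines end; cert types / sig algs follow
            names.append(line.strip())
    return names

def duplicate_certs(certs):
    """Groups sharing issuer and serial: the ambiguity behind comment 5."""
    groups = {}
    for c in certs:
        groups.setdefault((c.issuer, c.serial), []).append(c)
    return [g for g in groups.values() if len(g) > 1]

def diagnose(certs, s_client_output):
    """Short verdict on why automatic client-cert selection may misfire."""
    cas = set(acceptable_ca_names(s_client_output))
    if not cas:
        return "server sent no acceptable CA list"
    matches = [c for c in certs if c.issuer in cas]
    if not matches:
        return "no client cert chains to an accepted CA"
    if duplicate_certs(matches):
        return "duplicate client certs for an accepted CA: remove one and reimport"
    return "ok: " + matches[0].nickname
```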
What version of Firefox are you using?
Comment 11 • 4 years ago
71.0 (64-bit)
actual version from Ubuntu 18.04.3
Comment 12 • 4 years ago
Firefox 71.0 downloaded from mozilla.org doesn't work either.
So here is some more info:
Without importing the root CA I get the error: Warning: Potential Security Risk Ahead. If I accept the exception I get: SSL_ERROR_BAD_CERT_ALERT.
After importing the root CA I directly get: SSL_ERROR_BAD_CERT_ALERT. So the CA has been accepted.
After also importing a self-created client cert: SSL_ERROR_BAD_CERT_ALERT.
And I'm never asked about a client certificate.
Other information:
We use a 4096-bit server certificate
Algorithm: RSA
Key Size: 4096
Connection Encrypted (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2)
Comment 13 • 4 years ago
Fixed with Firefox 72 if you import your client certificate before accessing the site. Otherwise you will get the annoying SSL_ERROR_BAD_CERT_ALERT error.
Firefox now selects the correct client certificate if more than one is available.