Closed Bug 1582926 Opened 5 years ago Closed 5 years ago

SSL_ERROR_UNKNOWN_CA_ALERT on a two way SSL website with custom CA

Categories

(Core :: Security: PSM, defect)

71 Branch
x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox71 --- affected

People

(Reporter: krzysztof.krason, Unassigned)

Details

Attachments

(1 file)

Attached file site.json

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

  1. Go to my company webmail site (or go to any other site of my employer that requires client certificate from me)

Actual results:

I see a page:
Secure Connection Failed

An error occurred during a connection to webmail.akamai.com. Peer does not recognize and trust the CA that issued your certificate.

Error code: SSL_ERROR_UNKNOWN_CA_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Expected results:

I should be authenticated using my certificate (two way ssl) and the website should let me in.

I have a custom CA uploaded for my employer but I think this is not being used on the web facing sites because I see that the website in question uses a Let's Encrypt certificate that expires in December.

This was working in previous Nightly, after update to 71.0a1 (2019-09-20) it broke.
I don't know what was the previous nightly I assume 71.0a1 (2019-09-19).

Severity: normal → critical
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Component: Untriaged → Security: PSM
Product: Firefox → Core

Is Firefox asking you to select a client certificate? If not, what is the value of security.default_personal_cert in about:config?

Flags: needinfo?(krzysztof.krason)

No it is not asking, the value of security.default_personal_cert is Select Automatically

Flags: needinfo?(krzysztof.krason)

I made it work in my version, by removing cert8.db and cert9.db, and reimporting my certificate.
After such task I can finally log into my corporate websites.

So there is some issue maybe with converting old cert db to newer?

BTW. I had two exactly same client certificates, maybe that was causing the issue?

(In reply to krzysztof.krason from comment #5)

BTW. I had two exactly same client certificates, maybe that was causing the issue?

That's probably it. Bug 1573542 changed how Firefox enumerates available client certificates. Setting security.default_personal_cert to Select Automatically makes Firefox pick the "first" certificate it finds. Since the "first" certificate isn't the same one as before, Firefox isn't sending the same certificate, and the server is rejecting it.

Some thoughts: it's only an accident that this worked in the first place anyway. If your certificates were slightly different or if you had more of them, Firefox could have easily sent the "wrong" one before bug 1573542. Also, Select Automatically is a disaster for privacy. This makes Firefox automatically send information that uniquely identifies you to any server that asks, all without notifying you. It's going to be removed in the near future. Since you've found a way to make this work, I'm going to close this as "worksforme".

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME

Actually those were exactly the same certificates (same serial number, not sure how to check differences in other details).

As for Select Automatically, please don't remove it. "Everyone" (search stackoverflow.com, ask colleagues) hates how Chrome makes people click "OK" for the same certificate over and over for the same pages, Firefox behaves more sanely in that matter by allowing auto selection (disabling it won't increase security because most of the people would still just click "OK" in the dialog, but that would just annoy them not increase security). At least leave it as an option in about:config, please.

Maybe there is another option, e.g. have a list of hostnames that can Select Automatically given certificate.

Same problem here. I also removed certX.db, but I'm no longer able to log into secured web pages (Error code: SSL_ERROR_BAD_CERT_ALERT).
security.default_personal_cert=Ask Every Time, but it doesn't even ask.
I had no problems over the last years.

Their server uses a company authority which had been imported.
System: Ubuntu 18.04.3

Normally the Webserver tells the Client which certificates are acceptable, so it is possible to select a suitable one from the available.

openssl s_client -connect server:port
-> Acceptable client certificate CA names
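The two mechanisms this thread touches, the server's CertificateRequest listing the acceptable CA names (the "Acceptable client certificate CA names" that openssl s_client prints) and the client picking the "first" matching certificate when several are installed, can be shown together. The following Python is an added example written for this page; it is not code from the bug, from Firefox or from NSS. It builds and parses a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4) with a minimal DER encoder, then applies a simplified selection rule (match each local certificate's issuer DN against the server's list and take the first hit) to a constructed key store that mirrors the reporter's situation of two identical client certificates plus one from an unrelated CA. The DNs, labels and the selection rule are assumptions for illustration, not Firefox's actual logic.

```python
"""
Build and parse a TLS 1.2 CertificateRequest, then choose a client
certificate the way a simple client would: by issuer DN.
All DNs and the key store below are constructed sample data.
"""
import struct

# --- minimal DER helpers (enough for X.501 Names) ------------------------

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def encode_dn(rdns) -> bytes:
    """[(oid, value), ...] -> Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    (values encoded as UTF8String)."""
    sets = b"".join(
        der(0x31, der(0x30, der_oid(oid) + der(0x0C, value.encode("utf-8"))))
        for oid, value in rdns
    )
    return der(0x30, sets)

OID_CN = "2.5.4.3"   # commonName
OID_O = "2.5.4.10"   # organizationName

# --- CertificateRequest (handshake type 13) ------------------------------

def build_certificate_request(ca_dns) -> bytes:
    """Server side: list the CAs whose client certificates are acceptable."""
    cert_types = bytes([1, 64])       # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3])    # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([13]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg: bytes):
    """Client side: return (cert_types, sig_algs, [issuer_dn_der, ...])."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + n
    cas = []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        cas.append(body[pos:pos + dn_len]); pos += dn_len
    if pos != end:
        raise ValueError("malformed certificate_authorities vector")
    return cert_types, sig_algs, cas

def select_client_cert(local_certs, acceptable_cas):
    """Assumed rule: first local cert whose issuer DN is listed by the server.
    RFC 5246 lets the client send any suitable cert when the list is empty.
    Returns the cert label, or None when nothing matches (the client would
    then send an empty Certificate and the server decides what to do)."""
    if not acceptable_cas:
        return local_certs[0][0] if local_certs else None
    for label, issuer_dn in local_certs:
        if issuer_dn in acceptable_cas:
            return label
    return None

# Constructed sample data: corporate CA, an unrelated CA, and a key store
# holding two identical corporate client certs (as in the bug report).
CORP_CA = encode_dn([(OID_O, "Example Corp"), (OID_CN, "Example Corp Client CA")])
OTHER_CA = encode_dn([(OID_CN, "Some Other CA")])
LOCAL_CERTS = [
    ("other-client", OTHER_CA),
    ("corp-client-copy-1", CORP_CA),
    ("corp-client-copy-2", CORP_CA),
]

def demo():
    """Server asks for Example Corp certs; either identical copy matches, first wins."""
    _, _, cas = parse_certificate_request(build_certificate_request([CORP_CA]))
    return select_client_cert(LOCAL_CERTS, cas)

if __name__ == "__main__":
    print(demo())
```

With two byte-identical certificates either copy satisfies the server, which is why the reporter's setup kept working after the enumeration order changed in bug 1573542 only once the duplicate was gone; had the two certificates differed (different issuer or key), a "first one wins" rule with no issuer matching would have sent the wrong one. A server that gets no certificate, or one from a CA it does not list, answers with the unknown_ca or bad_certificate alert seen in this thread.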

What version of Firefox are you using?

Flags: needinfo?(ator)

71.0 (64-bit)
actual version from Ubuntu 18.04.3

firefox 71.0 downloaded from mozilla.org doesn't work either

So here are some more infos:

Without importing the root CA I get the error: Warning: Potential Security Risk Ahead. If I accept the exception I get: SSL_ERROR_BAD_CERT_ALERT
After importing the root CA I get directly: SSL_ERROR_BAD_CERT_ALERT. So the CA has been accepted.
After also importing a self-created client cert: SSL_ERROR_BAD_CERT_ALERT

And I'm never asked about a Client Certificate.

Other Information:
We use a 4096-bit server certificate
Algorithm: RSA
Key Size: 4096

Connection Encrypted (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2)

Fixed with Firefox 72 if you import your client certificate before accessing the site. Otherwise you will get the annoying SSL_ERROR_BAD_CERT_ALERT error.
Firefox now selects the correct client certificate if more than one is available.

Flags: needinfo?(ator)
