Closed Bug 1583802 Opened 5 years ago Closed 5 years ago

Expired client certificate considered by automatic selection

Categories

(Core :: Security: PSM, defect)

71 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1569159

People

(Reporter: zao, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

I have two client certificates with the same subject and issuer, one of which expired early this year and one which has a few months to go still.

When I visit a site that requires client certificates the expired certificate may be chosen and some of the website can subsequently not be reached.

Actual results:

The expired certificate is often automatically used and the connection cannot complete.

The target website has frames and depending on which certificate is picked for individual frames, some of them succeed.

Expected results:

An expired certificate should probably not be a candidate for automatic selection, to reduce the risk of a failed connection.

I know I could just delete stale certificates, if it wasn't for bug 1583067 which currently prevents certificate deletions :D

Hi Lars Viklund,

Thanks for submitting this bug to us.

I will need a favour from you: would you be so kind as to give us more precise repro steps? It will also help me a lot to know on which websites you have this error and, if you can and if it's not private information, what certificates you are using.

Thanks!

Sebastian

Flags: needinfo?(zao)

I have two certificates installed in my Firefox, both from the same issuer and with the same subject. One expired early this year, one is still valid. The certificates have distinct serials and fingerprints.

Firefox is configured to "Select one automatically" for "When a server requests your personal certificate".

When I visit a website that requires a client certificate to complete the handshake like our https://support.snic.se/ , the expired certificate may be selected automatically by Firefox, and the handshake will fail reporting SSL_ERROR_EXPIRED_CERT_ALERT. It doesn't seem 100% deterministic, as with one internal website I do not wish to disclose, I can sometimes get the initial frameset to load but not most of the panes in it.

In order to reproduce this problem, you would need to have a server that would accept your DN, and populate your client with two similar certificates out of which one has expired.

My certificates are Grid Premium client certificates from Digicert. We use them to authenticate against internal and organizational websites.

The internal server sends a list of "acceptable client certificate CA names", the more public one I linked above does not. Both exhibit the problem.

I do not wish to disclose my subject in public, but the issuer is /C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3.

Flags: needinfo?(zao)
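A sketch of the selection rule the reporter asks for, given as an added example and not Firefox or PSM code: candidates outside their validity period are dropped before any automatic choice is made. `ClientCert`, `select_client_cert`, the subject, the serials and all dates are hypothetical or constructed; only the issuer string comes from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence


@dataclass(frozen=True)
class ClientCert:
    # Only the fields a selector needs; not a parsed X.509 certificate.
    subject: str
    issuer: str
    serial: str
    not_before: datetime
    not_after: datetime


def select_client_cert(candidates: Sequence[ClientCert],
                       acceptable_issuers: Sequence[str],
                       now: datetime) -> Optional[ClientCert]:
    """Return the certificate to send automatically, or None if none qualifies."""
    usable = [
        c for c in candidates
        # Skip certificates outside their validity period (the case in this bug).
        if c.not_before <= now <= c.not_after
        # An empty certificate_authorities list places no restriction on issuer.
        and (not acceptable_issuers or c.issuer in acceptable_issuers)
    ]
    # Deterministic choice among the rest: latest expiry, then serial.
    return max(usable, key=lambda c: (c.not_after, c.serial), default=None)


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: same subject and issuer, distinct serials.
ISSUER = "/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3"
SUBJECT = "/CN=Example User (constructed)"
EXPIRED = ClientCert(SUBJECT, ISSUER, "0A01", _utc(2018, 2, 1), _utc(2019, 2, 1))
VALID = ClientCert(SUBJECT, ISSUER, "0A02", _utc(2018, 12, 1), _utc(2019, 12, 1))
NOW = _utc(2019, 9, 24)  # constructed "current time"

if __name__ == "__main__":
    chosen = select_client_cert([EXPIRED, VALID], [], NOW)
    print(chosen.serial if chosen else "no usable certificate")
```

Returning `None` when nothing qualifies lets the caller fall back to prompting or to sending no certificate instead of presenting one the server will reject.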

Hi Lars Viklund,

Thanks for your comment. Sadly I don't have the necessary environment to properly test this bug but I will add a Product and a Component so one of our Devs can take a look at this.

Thanks!

Sebas

Status: UNCONFIRMED → NEW
Component: Untriaged → Security: PSM
Ever confirmed: true
Product: Firefox → Core

What is the value of the preference security.default_personal_cert in about:config?

Flags: needinfo?(zao)

about:config seems to have gotten fancy recently and just displays the string "Select Automatically", which matches the human-readable preferences option I use, "Select one automatically".

If I instead go for "Ask you every time", I get the certificate picker dialog where I get to pick between my two installed certificates, both the valid and the expired one.

Flags: needinfo?(zao)

Interesting - "Select Automatically" is not the default because, as you've seen, it can result in the wrong certificate getting sent. We're actually going to remove it soon.
Sounds like this is "worksforme", then?

Flags: needinfo?(zao)

It's not a "worksforme". "Select one automatically" is still broken with expired certificates present.

I strongly desire to use "select one automatically" for several reasons. Its removal would be very unfortunate. "Ask you every time" is a painful temporary workaround, not a solution.

"Ask you every time" has several strong detriments:

  1. it pops UI that completely blocks the window it shows for;
  2. even though you can interact with other browser windows - they cannot load any sites while the certificate choice UI is open.
  3. it shows even if you have a single certificate, or multiple certificates of which only some are listed as acceptable by the target site,
  4. accidentally dismissing the dialog bricks the site for the remainder of the session, necessitating a restart.

Restarting the browser is a chore with "Ask you every time", as a work session has several dozens of tabs open leveraging client certificates, and if you accidentally dismiss it, you need to start the process all over again.

Flags: needinfo?(zao)

You could always delete the other certificate (bug 1583067 has been fixed).

(In reply to Lars Viklund from comment #7)

  1. it pops UI that completely blocks the window it shows for;

Yes, it would be nice if it weren't modal.

  2. even though you can interact with other browser windows - they cannot load any sites while the certificate choice UI is open.

This is probably a consequence of bug 696976.

  3. it shows even if you have a single certificate, or multiple certificates of which only some are listed as acceptable by the target site,

Firefox doesn't know what the peer will consider acceptable.

  4. accidentally dismissing the dialog bricks the site for the remainder of the session, necessitating a restart.

We're doing work on that in bug 1569159, which should give the ability both to remember decisions across sessions and to change those decisions without restarting the browser.

The reason why "select automatically" is not the default and why we're going to remove it in the future is because it's a disaster for privacy. Right now you're silently sending a persistent, unique identifier to any server that asks (see e.g. https://community.ebay.co.uk/t5/Technical-Issues/LuckyRetail-com-requesting-my-personal-certificate-on-eBay-web/td-p/6142885/page/2 ).

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

On 1 - I did see that it was just recently fixed but kept my browser state in case I needed to test something about this bug.

On 3 - I see that you elaborate on CertificateRequest's list of certificate_authorities over in https://bugzilla.mozilla.org/show_bug.cgi?id=1267643#c3, a bit unfortunate that it doesn't seem overly usable.

On 4 - I understand the motivation now for why you would like to get rid of what apparently is a privacy intrusion, but please keep in mind those of us who use client certificates in our everyday work.

Here's hoping that work on 1569159 and the rest of the bugs around this goes smoothly, thanks for your patience with this bug. :)
