Firefox fails with SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT if a certificate for a site is signed by an added CA
Categories: Core :: Security: PSM, defect
People: Reporter: krzysztof.krason, Unassigned, NeedInfo
Attachments: 6 files
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Steps to reproduce:
- Install a new corporate CA
- Install a certificate signed by that authority
- Go to a website that requires the mentioned certificate and has its own certificate signed by the mentioned CA.
Actual results:
I see an empty page, and in the developer tools network traffic I see an exclamation mark in a red circle and, on the right side, the error: SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT
Expected results:
I should be able to use that site because I have the appropriate certificates and CA.
It works in curl like this:
curl -v --cert-type P12 --cert my-key.p12 --cacert ~my-CA.crt https://www.website.com
Comment 1 • 5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2 • 5 years ago
Is your client certificate listed in about:preferences -> search for certificates -> click View Certificates -> click Your Certificates?
Also, what is the value of the about:config preference security.default_personal_cert?
Your user agent says Firefox 71 - is that what you're running?
Did this work in earlier versions of Firefox?
Thanks!
Comment 3 (Reporter) • 5 years ago
Yes, the certificate exists in "Your Certificates".
security.default_personal_cert is set to true.
Yes, I'm using Nightly 71. I don't know if the problem existed before, because I entered the new cert just recently.
BTW, I also have another certificate in Your Certificates that I use for the majority of corporate websites; only one website should use a different cert. Is that a problem with the automatic selection of certificates?
Comment 4 (Reporter) • 5 years ago
I disabled autoselection of certificates and still have this problem.
I think this is not an issue with my cert, but more with the websites and the CA.
E.g. when I don't pass my own cert to curl, I get HTTP 401, so in Firefox I should also see 401 in that case, but Firefox somehow fails to validate the website certificate even when I provide it with the CA it was registered under.
Comment 5 • 5 years ago
Can you attach a packet trace of the TLS handshake as well as the CA that you've installed? (Also, how did you install it?)
Comment 6 (Reporter) • 5 years ago
Comment 7 (Reporter) • 5 years ago
Comment 8 (Reporter) • 5 years ago
I attached two CAs (to my ignorant eyes it looks like one is the parent of the other, if that is possible).
As for the packet trace of the TLS handshake, do you know the easiest way to do it? If not, I'll look around Wireshark for how to do that.
Comment 9 (Reporter) • 5 years ago
I installed CA by using import in the Certificate Manager (Preferences -> Privacy & Security -> View certificates -> Authorities -> Import).
Also, when I sorted the requests, I see that there is a request to host1 that fails with SSL_ERROR_UNKNOWN_CA_ALERT and after that requests to host2 that fail with SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT.
Comment 10 (Reporter) • 5 years ago
Comment 11 (Reporter) • 5 years ago
Comment 12 (Reporter) • 5 years ago
Comment 13 (Reporter) • 5 years ago
I've added packet traces in Wireshark format, for both curl and Firefox talking to host 1 and host 2.
Comment 14 • 5 years ago
Thanks! When you disabled auto-selection, which certificate did you select to send to the server?
Comment 15 (Reporter) • 5 years ago
I selected the correct one for the connection (the one that has the same issuer as one of the CAs, 1.crt).
But the connection to "host 2" should also work even without the user certificate; in that case it should return just a 403 with a message in the body (tested with curl).
Comment 16 • 5 years ago
Here's what I'm seeing in those packet traces:
- curl/host1: certificate sent with email kmi@akamai.com
- curl/host2: certificate sent with email kmi@akamai.com
- firefox/host1: certificate sent with email kkrason@akamai.com
- firefox/host2: certificate sent with email kkrason@akamai.com
If you use curl to send the kkrason@akamai.com certificate, do you see the same error?
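The error names in this bug are alerts sent by the server: an `SSL_ERROR_*_ALERT` is Firefox reporting that the peer rejected what it presented (here, the client certificate), while a `SEC_ERROR_*` code is Firefox's own verdict on the server's certificate. The script below is an added example for reading captures like the ones above; it is not code from this bug, from curl or from Firefox. It walks the TLS records in a captured byte stream, picks out the alert records and maps their description codes to the NSS error names Firefox displays. The byte strings in it are constructed for the example and are not taken from the reporter's attachments.

```python
"""Decode the TLS alert records in a captured byte stream and map each one to
the NSS error name Firefox reports for it.

Added example; not code from the bug report, from curl or from Firefox. The
sample byte strings below are constructed by hand (not the reporter's traces).
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

CONTENT_TYPE_ALERT = 0x15       # TLS record ContentType "alert"

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6) paired
# with the NSS error Firefox reports when it *receives* that alert from the
# peer. certificate_unknown (46) and unknown_ca (48) are the two seen in
# this bug: the server did not accept the client certificate it was given.
ALERT_TO_NSS = {
    0:  ("close_notify",            "SSL_ERROR_CLOSE_NOTIFY_ALERT"),
    40: ("handshake_failure",       "SSL_ERROR_HANDSHAKE_FAILURE_ALERT"),
    42: ("bad_certificate",         "SSL_ERROR_BAD_CERT_ALERT"),
    43: ("unsupported_certificate", "SSL_ERROR_UNSUPPORTED_CERT_ALERT"),
    44: ("certificate_revoked",     "SSL_ERROR_REVOKED_CERT_ALERT"),
    45: ("certificate_expired",     "SSL_ERROR_EXPIRED_CERT_ALERT"),
    46: ("certificate_unknown",     "SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT"),
    48: ("unknown_ca",              "SSL_ERROR_UNKNOWN_CA_ALERT"),
    49: ("access_denied",           "SSL_ERROR_ACCESS_DENIED_ALERT"),
    50: ("decode_error",            "SSL_ERROR_DECODE_ERROR_ALERT"),
}


@dataclass(frozen=True)
class TlsAlert:
    level: str          # "warning", "fatal" or "encrypted"
    description: int    # AlertDescription code, -1 if not readable
    name: str           # RFC name of the alert
    nss_error: str      # what Firefox's devtools would show


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (content_type, payload) for each TLS record in the stream.

    Record layout: type(1) | legacy_version(2) | length(2) | payload(length).
    """
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError(f"truncated record header at offset {off}")
        ctype = stream[off]
        length = int.from_bytes(stream[off + 3:off + 5], "big")
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record payload at offset {off}")
        yield ctype, payload
        off += 5 + length


def decode_alerts(stream: bytes) -> List[TlsAlert]:
    """Return every alert record found in the stream, in order."""
    alerts: List[TlsAlert] = []
    for ctype, payload in iter_records(stream):
        if ctype != CONTENT_TYPE_ALERT:
            continue
        if len(payload) != 2:
            # A TLS 1.2 alert sent after ChangeCipherSpec carries a MAC (and
            # possibly padding), so its plaintext is not recoverable from a
            # capture without the session keys.
            alerts.append(TlsAlert("encrypted", -1, "(encrypted)",
                                   "(not recoverable from the capture)"))
            continue
        level, desc = payload[0], payload[1]
        name, nss = ALERT_TO_NSS.get(
            desc, (f"unknown_description({desc})", "(no mapping in this table)"))
        alerts.append(TlsAlert(ALERT_LEVELS.get(level, f"level({level})"),
                               desc, name, nss))
    return alerts


def firefox_errors(stream: bytes) -> List[str]:
    """Only the NSS error names, for comparing two captures side by side."""
    return [a.nss_error for a in decode_alerts(stream)]


# Constructed samples: a ServerHelloDone handshake record (type 0x16, body
# 0e000000) followed by the server's fatal alert. In the bug, host2 answered
# with certificate_unknown (46 = 0x2e) and host1 with unknown_ca (48 = 0x30).
SAMPLE_HOST2 = bytes.fromhex("16030300040e000000" "1503030002022e")
SAMPLE_HOST1 = bytes.fromhex("16030300040e000000" "15030300020230")
# An encrypted TLS 1.2 alert: content type alert, but 32 bytes of ciphertext.
SAMPLE_ENCRYPTED = bytes.fromhex("1503030020") + bytes(32)

if __name__ == "__main__":
    for label, sample in (("host1", SAMPLE_HOST1), ("host2", SAMPLE_HOST2),
                          ("encrypted", SAMPLE_ENCRYPTED)):
        for alert in decode_alerts(sample):
            print(f"{label}: {alert.level} {alert.name} -> {alert.nss_error}")
```

Feed it the TCP payload of the server's segments from the capture. In a TLS 1.2 handshake the server rejects the client certificate before it sends its own ChangeCipherSpec, so the alert is in the clear, which is why it is visible in the reporter's traces; with TLS 1.3 everything after ServerHello is encrypted and the capture has to be decrypted with the session keys (Firefox and curl both honour SSLKEYLOGFILE) before this parser can read the alert. Running it over the curl and Firefox captures side by side shows directly whether the server's answer differs only because a different client certificate was offered.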
Comment 17 • 5 years ago
I use multiple self-signed user certificates for authentication and I see the same problem: self-signed certificates are not correctly chosen automatically since 70.0 (Windows 64-bit).
As far as I can see, if automatic certificate selection is enabled, the first certificate from the available certificates list always gets chosen regardless of the site I'm connecting to. So if I'm connecting to a site requiring the first available certificate, the connection happens as expected and there is no SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT error.
If I disable automatic certificate selection and choose the required certificate manually, the connection proceeds as expected.
Comment 18 (Reporter) • 5 years ago
@Dana Keeler, you are right: it somehow selected the wrong certificate when it was set to "select automatically", and when I first tried it I also selected the wrong one (they have the same identity name, so I assumed that the dialog box would focus on the correct one at first, but that's not the case - a bug?). When I selected the correct certificate I got a different error: SEC_ERROR_UNKNOWN_ISSUER
I'll try next without any certificate, because that case should also work (with the 403 I mentioned above), and I'll provide the traces for that; maybe you'll see what's wrong there.
Comment 19 (Reporter) • 5 years ago
Hmm, it looks like it is working.
Here is what I did:
- Disabled autoselect of certificate (still didn't work when I selected correct one)
- Removed all certificates
- Restart
- Went to the test page, it asked me to accept unknown issuer (which is strange because I have it in my CAs), I approved
- Saw that I get 403
- Imported my test certificate (which I need to access the test page).
- Again went to the test page - it worked (recognized me)
- Imported the main certificate.
- Went to the main website (which requires main certificate for some URLs and test certificate for others) and it worked.
Comment 21 • 5 years ago
The priority flag is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 22 • 5 years ago
Can you try with the latest version of Nightly? (https://www.mozilla.org/en-US/firefox/channel/desktop/)
Comment 23 (Reporter) • 5 years ago
You mean trying to set "Select automatically" again?
Right now I select certificates manually (and it is a PITA), but I noticed that it correctly suggests the correct certificate this time. I don't know if Firefox remembers the previously selected one or not.
Either way, I set "Select automatically" and it works now also. But I'm not sure if this is a fix in the latest nightlies or whether the steps I described fixed it.
Should I try it with a fresh profile, or should I assume this is fixed?
Comment 24 • 5 years ago
The priority flag is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 25 • 5 years ago
Whatever you did originally to encounter the bug, if you could do that again to confirm it's fixed, that would be great - thanks!