Closed Bug 1588703 Opened 5 years ago Closed 5 years ago

Firefox fails with SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT if a certificate for site is signed in added CA

Categories

(Core :: Security: PSM, defect)

71 Branch
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: krzysztof.krason, Unassigned, NeedInfo)

Details

Attachments

(6 files)

  1. 1.73 KB, application/x-x509-ca-cert
  2. 972 bytes, application/x-x509-ca-cert
  3. 10.07 KB, application/x-pcapng
  4. 10.27 KB, application/x-pcapng
  5. 11.50 KB, application/x-pcapng
  6. 9.21 KB, application/x-pcapng

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

  1. Install a new corporate CA
  2. Install a certificate signed by that authority
  3. Go to a website that requires the mentioned certificate and has its own certificate signed by the mentioned CA.

Actual results:

I see an empty page, and in the developer tools' network traffic I see an exclamation mark in a red circle and, on the right side, the error: SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT

Expected results:

I should be able to use that site because I have the appropriate certificates and CA.

It works in curl like this:

curl -v --cert-type P12 --cert my-key.p12 --cacert ~my-CA.crt https://www.website.com

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Is your client certificate listed in about:preferences -> search for certificates -> click View Certificates -> click Your Certificates?
Also, what is the value of the about:config preference security.default_personal_cert?
Your user agent says Firefox 71 - is that what you're running?
Did this work in earlier versions of Firefox?
Thanks!

Flags: needinfo?(krzysztof.krason)

Yes, the certificate exists in "Your certificates"

security.default_personal_cert is set to true

Yes, I'm using Nightly 71, I don't know if the problem existed before because I entered the new cert just recently.

BTW, I also have another certificate in Your Certificates that I use for the majority of corporate websites; only one website should use a different cert. Is that a problem with the automatic selection of certificates?

Flags: needinfo?(krzysztof.krason)

I disabled autoselection of certificates and still have this problem.
I think this is not an issue with my cert, but more with the websites and the CA.

E.g. when I don't pass my own cert to curl, I get HTTP 401, so in Firefox I should also see 401 in such a case, but Firefox somehow fails to validate the website certificate even when I provide it with the CA where it was registered.

Can you attach a packet trace of the TLS handshake as well as the CA that you've installed? (Also, how did you install it?)

Flags: needinfo?(krzysztof.krason)
Attached file 1.crt
Attached file 2.crt

I attached two CAs (it looks to my ignorant eyes like one is the parent of the other, if that is possible).

As for the packet trace of the TLS handshake, do you know the easiest way to do it? If not, I'll look around Wireshark for how to do that.

I installed CA by using import in the Certificate Manager (Preferences -> Privacy & Security -> View certificates -> Authorities -> Import).

Also, when I sorted the requests I saw that there is a request to host1 that fails with SSL_ERROR_UNKNOWN_CA_ALERT and after that requests to host2 that fail with SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT.

Attached file curl to host 1
Attached file curl to host 2
Attached file firefox to host 1
Attached file firefox to host 2

I've added packet traces in Wireshark format, for both curl and Firefox talking to host 1 and host 2.

Flags: needinfo?(krzysztof.krason)

Thanks! When you disabled auto-selection, which certificate did you select to send to the server?

Flags: needinfo?(krzysztof.krason)

I selected the correct one for the connection (the one that has the same issuer as one of the CAs, 1.crt).

But the connection to "host 2" should also work even without the user certificate, in that case it should return just a 403 with a message in the body (tested with curl).

Flags: needinfo?(krzysztof.krason)

Here's what I'm seeing in those packet traces:

curl/host1 - certificate sent with email kmi@akamai.com
curl/host2 - certificate sent with email kmi@akamai.com
firefox/host1 - certificate sent with email kkrason@akamai.com
firefox/host2 - certificate sent with email kkrason@akamai.com

If you use curl to send the kkrason@akamai.com certificate, do you see the same error?

Flags: needinfo?(krzysztof.krason)
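The two Firefox error names in this thread are the names NSS gives to TLS alerts received from the server (certificate_unknown is alert description 46, unknown_ca is 48), so when reading a trace like the attached pcapng files the interesting record is the alert the server sends right after the client's Certificate message. The following decoder is an added example, not code from the bug report or from Firefox/NSS: it walks raw TLS records and names any plaintext alert it finds. The sample byte stream is constructed for the example and stands in for the server-to-client bytes of a trace.

```python
"""Decode TLS alert records from a captured byte stream.

Added example, not from the bug report or from Firefox/NSS. Given the
server-to-client bytes of a TLS session (e.g. exported from Wireshark), it
names each plaintext alert record, which is what Firefox surfaces as
SSL_ERROR_<NAME>_ALERT when the server rejects the client certificate.
"""
import struct

CONTENT_ALERT = 21      # TLS record content types (RFC 5246 section 6.2.1)
CONTENT_HANDSHAKE = 22
CONTENT_APPDATA = 23

# Alert descriptions from RFC 5246 section 7.2 (subset relevant to certificate problems)
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",   # Firefox shows SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT
    48: "unknown_ca",            # Firefox shows SSL_ERROR_UNKNOWN_CA_ALERT
    49: "access_denied",
    50: "decode_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def iter_records(stream: bytes):
    """Yield (content_type, version, payload) for each TLS record in the stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        yield ctype, version, body
        offset += 5 + length


def decode_alerts(stream: bytes):
    """Return [(level_name, description_name), ...] for each alert record.

    Only plaintext alerts decode. In TLS 1.2 an alert sent after the cipher
    is active carries a MAC (and IV) and is longer than 2 bytes; in TLS 1.3
    every post-ServerHello alert is wrapped in an application_data record,
    so it never shows up as content type 21 at all. Such cases are reported
    as 'unknown' rather than guessed at.
    """
    found = []
    for ctype, _version, body in iter_records(stream):
        if ctype != CONTENT_ALERT:
            continue
        if len(body) == 2 and body[0] in ALERT_LEVELS and body[1] in ALERT_DESCRIPTIONS:
            found.append((ALERT_LEVELS[body[0]], ALERT_DESCRIPTIONS[body[1]]))
        else:
            found.append(("unknown", "encrypted or unrecognised alert (%d bytes)" % len(body)))
    return found


# Constructed sample: a handshake record (type 22, 4-byte body) followed by a
# fatal certificate_unknown alert (type 21, level 2, description 46).
SAMPLE_STREAM = (
    b"\x16\x03\x03\x00\x04\x0e\x00\x00\x00"
    + b"\x15\x03\x03\x00\x02\x02\x2e"
)

if __name__ == "__main__":
    for level, desc in decode_alerts(SAMPLE_STREAM):
        print(level, desc)
```

Run against the server-side bytes of the "firefox to host 2" trace this would print the alert Firefox reports; a stream whose only alerts come back as 'unknown' means the alert was encrypted and the trace has to be read with the session keys, or the failure reproduced against a test server with TLS 1.2 and plaintext alerts.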

I use multiple self-signed user certificates for authentication and I see the same problem: self-signed certificates are not correctly chosen automatically since 70.0 (Windows 64-bit).

As far as I can see, if automatic certificate selection is enabled, the first certificate from the available certificates list always gets chosen regardless of the site I'm connecting to. So if I'm connecting to a site requiring the first available certificate, the connection happens as expected and there is no SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT error.

If I disable automatic certificate selection and choose the required certificate manually, the connection proceeds as expected.
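The behaviour the two commenters describe (the first client certificate is offered no matter which site is being visited, and the server then rejects it with an alert) is the difference between ignoring and honouring the certificate_authorities list the server sends in its CertificateRequest. The model below is an added example, not Firefox/NSS code: it puts the "always first" strategy beside one that walks each candidate's issuer chain to see whether it reaches a CA the server named, and it also covers the thread's two-level CA (a root with a subordinate issuing CA, like the attached 1.crt and 2.crt) and the no-match case, where the right move is to send an empty Certificate message so the server can answer at the HTTP layer (the 403 the reporter sees with curl). All names are constructed.

```python
"""Model of client-certificate selection against a TLS CertificateRequest.

Added example, not Firefox/NSS code. Certificates are reduced to their
subject and issuer names; the point is the selection logic, not parsing.
All DNs below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # equal to subject for a self-signed root


@dataclass
class Store:
    client_certs: List[Cert]   # certificates the client holds a private key for
    ca_certs: List[Cert]       # CA certificates the client can use to build chains

    def chain_for(self, cert: Cert) -> List[Cert]:
        """Follow issuer links through ca_certs until a self-signed root or a gap."""
        chain = [cert]
        seen = {cert}
        current = cert
        while current.issuer != current.subject:
            parent = next((c for c in self.ca_certs if c.subject == current.issuer), None)
            if parent is None or parent in seen:   # missing issuer or a loop: stop here
                break
            chain.append(parent)
            seen.add(parent)
            current = parent
        return chain


def select_first(store: Store, acceptable_cas: List[str]) -> Optional[Cert]:
    """The problematic strategy: offer the first certificate, whatever the server asked for."""
    return store.client_certs[0] if store.client_certs else None


def select_matching(store: Store, acceptable_cas: List[str]) -> Optional[Cert]:
    """Offer the first certificate whose chain reaches a CA the server listed.

    RFC 5246 section 7.4.4: an empty certificate_authorities list means any
    CA is acceptable. If nothing matches, return None, i.e. send an empty
    Certificate message and let the server decide at the application layer
    (typically a 401/403) instead of provoking a certificate alert.
    """
    if not acceptable_cas:
        return store.client_certs[0] if store.client_certs else None
    wanted = set(acceptable_cas)
    for cert in store.client_certs:
        if any(link.subject in wanted for link in store.chain_for(cert)):
            return cert
    return None


def build_sample_store() -> Store:
    """Constructed data mirroring the thread: a corporate root with a subordinate
    issuing CA, plus a separate self-signed test CA; the 'main' cert comes first."""
    root = Cert("CN=Corp Root CA", "CN=Corp Root CA")
    issuing = Cert("CN=Corp Issuing CA", "CN=Corp Root CA")
    test_ca = Cert("CN=Test CA", "CN=Test CA")
    main_user = Cert("CN=main-user", "CN=Corp Issuing CA")
    test_user = Cert("CN=test-user", "CN=Test CA")
    return Store(client_certs=[main_user, test_user], ca_certs=[root, issuing, test_ca])


if __name__ == "__main__":
    store = build_sample_store()
    for request in (["CN=Test CA"], ["CN=Corp Root CA"], ["CN=Other CA"], []):
        print(request, "first:", select_first(store, request),
              "matching:", select_matching(store, request))
```

With the sample store, a server that lists only "CN=Test CA" gets the main certificate from select_first (which is what produces the alert) but the test certificate from select_matching; a server listing the corporate root gets the main certificate because its chain runs through the issuing CA up to that root.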

@Dana Keeler, you are right, it somehow selected the wrong certificate when it was set to "select automatically", and when I first tried it I also selected the wrong one (they have the same identity name, so I assumed that the dialog box would focus on the correct one first, but that's not the case - a bug?). When I selected the correct certificate I got a different error: SEC_ERROR_UNKNOWN_ISSUER

I'll try next without any certificate, because such a case should work also (with the 403 as I mentioned above), and I'll provide the traces for that; maybe you'll see what's wrong there.

Hmm, it looks like it is working.
Here is what I did:

  1. Disabled autoselect of certificate (still didn't work when I selected correct one)
  2. Removed all certificates
  3. Restart
  4. Went to the test page, it asked me to accept unknown issuer (which is strange because I have it in my CAs), I approved
  5. Saw that I get 403
  6. Imported my test certificate (which I need to access the test page).
  7. Again went to the test page - it worked (recognized me)
  8. Imported the main certificate.
  9. Went to the main website (which requires main certificate for some URLs and test certificate for others) and it worked.

Flags: needinfo?(krzysztof.krason)

The priority flag is not set for this bug.
:keeler, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)

Can you try with the latest version of Nightly? (https://www.mozilla.org/en-US/firefox/channel/desktop/)

Flags: needinfo?(dkeeler) → needinfo?(krzysztof.krason)

You mean trying to set "Select automatically" again?
Right now I select certificates manually (and it is a PITA), but I noticed that it correctly suggests the correct certificate this time. I don't know if Firefox remembers the previously selected one or not.

Either way I did "Select automatically" and it works now also. But I'm not sure if this is a fix in latest nightlies or my steps that I described fixed it.

Should I try it with a fresh profile or should I assume this is fixed?

Flags: needinfo?(krzysztof.krason)

The priority flag is not set for this bug.
:keeler, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)

Whatever you did originally to encounter the bug, if you could do that again to confirm it's fixed, that would be great - thanks!

Flags: needinfo?(dkeeler) → needinfo?(krzysztof.krason)
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE