Closed Bug 1602207 Opened 4 years ago Closed 4 years ago

Self-signed client certificates are no longer offered to choose in Firefox 71 - they were in Firefox 70

Categories

(Core :: Security: PSM, defect)

71 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1601227

People

(Reporter: juergen, Unassigned)

Details

Attachments

(4 files)

4.25 KB, application/octet-stream
2.06 KB, application/octet-stream
3.19 KB, application/octet-stream
4.76 KB, application/octet-stream

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

Create a self-signed client certificate with key length 4096 bits, SHA256 signature, and an expiration date in the future. Load the certificate into the certificate store of Firefox 70 or 71 (Windows 10). Access a web-site that will not offer hints as to which certificate authorities are valid, but will accept the certificate I have just generated because it is permitted. This is actually an NGINX using ssl_trusted_certificate instead of the ssl_client_certificate directive. Something changed in the interpretation of certificates between Firefox 70 and 71. A downgrade to Firefox 70 returned everything to normal. After an upgrade to Firefox 71, the wrong behaviour is restored.

Actual results:

Under Firefox 70, the list of certificates offered to authenticate will include the self-signed certificate. Under Firefox 71, it will not. In fact, when I go into the certificate viewer, Firefox 71 claims the certificate is invalid or broken, while Firefox 70 is able to properly display it.

Expected results:

The available certificates should be offered for authentication.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Can you share an example certificate that doesn't work in 71? Thanks!

Flags: needinfo?(juergen)
Attached file JuergenWagner.pkcs12
Flags: needinfo?(juergen)
Attached file JuergenWagner.pem
Attached file JuergenWagner.key
Attached file JuergenWagner.info

I have attached four files: pkcs12, pem, key and the certificate info in clear text.
These are throwaway certificates of the sort I use. The key is without a password.
You may import the pkcs12 into Firefox and place the .pem file in a web server as a trusted client certificate.
This certificate works in Firefox 70; it is declared broken in Firefox 71. In consequence, I guess, Firefox does not care to offer me this certificate when I am expected to present one to a web site. Therefore, I believe the core problem to be in the certificate store or the way certificates are read from there. Re-importing does not help.
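For triage of reports like the steps to reproduce and the attachment description above, it helps to confirm that a certificate really has the stated properties (self-signed, 4096-bit RSA, SHA-256, unexpired) before attributing a failure to the browser. The following is an added example, not part of the original report and not Mozilla's code; it uses the `openssl` CLI, and the file names and the CN `throwaway-client.example` are constructed assumptions.

```shell
#!/bin/sh
# Added example: builds a constructed throwaway identity, not the reporter's attachment.

# Create a self-signed client certificate shaped like the one in the report:
# RSA 4096-bit key, SHA-256 signature, expiry in the future, key without a password.
# $1 = output directory, $2 = subject CN (constructed sample value).
make_client_cert() {
    mc_dir=$1; mc_cn=$2
    openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
        -subj "/CN=${mc_cn}" \
        -keyout "${mc_dir}/client.key" -out "${mc_dir}/client.pem" 2>/dev/null || return 1
    # PKCS#12 bundle for browser import; empty export password, like the throwaway key.
    openssl pkcs12 -export -passout pass: -name "${mc_cn}" \
        -inkey "${mc_dir}/client.key" -in "${mc_dir}/client.pem" \
        -out "${mc_dir}/client.p12" 2>/dev/null
}

# Print the certificate properties the report relies on, one key=value per line.
# $1 = path to a PEM certificate.
cert_facts() {
    cf_pem=$1
    cf_text=$(openssl x509 -in "$cf_pem" -noout -text)
    cf_sub=$(openssl x509 -in "$cf_pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    cf_iss=$(openssl x509 -in "$cf_pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    # Self-issued: subject and issuer names are identical.
    if [ "$cf_sub" = "$cf_iss" ]; then echo "self_issued=yes"; else echo "self_issued=no"; fi
    # Self-signed: the signature verifies under the certificate's own public key.
    if openssl verify -CAfile "$cf_pem" "$cf_pem" >/dev/null 2>&1; then
        echo "self_signature_ok=yes"
    else
        echo "self_signature_ok=no"
    fi
    echo "key_bits=$(echo "$cf_text" | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')"
    echo "sig_alg=$(echo "$cf_text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)"
    # -checkend 0 exits 0 when the certificate has not expired yet.
    if openssl x509 -in "$cf_pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired=no"
    else
        echo "expired=yes"
    fi
}

# Demo: run as "sh check.sh demo" to build a sample identity and inspect it.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_client_cert "$work" "throwaway-client.example" && cert_facts "$work/client.pem"
    rm -rf "$work"
fi
```

Running `cert_facts` on an existing `.pem` file gives the same report for a certificate that is already deployed.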

Thanks! Did this work in earlier versions (before 70)?

Flags: needinfo?(juergen)

Same problem here. We are using self-signed client certificates for our customers to access our servers. Some customers updated to version 71 and now they cannot access the servers anymore. Firefox behaves as if there are no client certificates installed.
With Version 70.0.1 everything worked fine. I tested from my machine with version 68.3.0 and it worked as expected. After upgrading to Version 71 I got the same behavior as our customers.

Addition:
The client certificates are not marked as broken in my case. We are using p12 files as client certificates.
We have been using this approach for many years and have had no problems. Other browsers like Chrome or Edge are still working as expected.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #7)

> Thanks! Did this work in earlier versions (before 70)?

Yes, this worked in versions before 70 and in version 70. Something broke in version 71.

Flags: needinfo?(juergen)