Closed Bug 1602433 Opened 4 years ago Closed 4 years ago

Incorrect SSL_ERROR_HANDSHAKE_FAILURE_ALERT

Categories

(Core :: Security: PSM, defect)

71 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1601227

People

(Reporter: glenn, Unassigned, NeedInfo)

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36

Steps to reproduce:

We use a Client SSL controlled internal site for a CRM system. We upgraded from Firefox v70.0.3 to v71. We checked the server SSL and it's not set to expire until June 6th 2020 and the client SSL is set to match.

I then removed the Client SSL and re-imported it. The problem persisted. We then rolled back to v70.0.3 and the problem went away.

In v71, when you try to view the client SSL you get a "Something Went Wrong" message, whereas v70 can view it just fine.

Actual results:

We went to access the internal site after Firefox updated, then received an SSL_ERROR_HANDSHAKE_FAILURE_ALERT. From what I'm seeing, there is a problem with the cert db and retrieving client SSLs from it.

Expected results:

Site should have pulled up like normal.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Can you attach packet traces of the TLS handshake with Firefox 70 and 71? Thanks!

Flags: needinfo?(glenn)
Attached file V70 packet trace
Flags: needinfo?(glenn)
Attached file v71 packet traces

I've attached the 2 different Wireshark packet captures.

Thanks! It looks like Firefox 71 doesn't consider your client certificate to be a good one to use. Did this work before version 70? Also, can you attach the public part (not the private key) of the certificate to this bug?

Flags: needinfo?(glenn)
Attached file Public Key.txt
Flags: needinfo?(glenn)

Yes, the exact same certificate works just fine in v70 and older versions, but only stops working in v71.

So it looks like the client certificate that you're trying to use is marked as a certificate authority (i.e. it can issue other certificates). Client certificates shouldn't be CAs - can you try again but with a certificate that doesn't have the CA field set to true in the basicConstraints section?

Flags: needinfo?(glenn)
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE