Closed Bug 1602714 Opened 5 years ago Closed 5 years ago

Client SSL Certificate not sent through to NGINX since Firefox 71. No certificate prompt

Categories

(Core :: Security: PSM, defect)

71 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1601227

People

(Reporter: roland.rieseberg, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0

Steps to reproduce:

Imported a custom client certificate in "PFX" format via Certificate Manager -> Your Certificates.

Enabled SSL Client Certificate verification in NGINX config.

NGINX CONFIG SNIPPET

server {
    listen 80;
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;

    location ^~ /.well-known {
        allow all;
        root /data/letsencrypt/;
    }

    include /etc/nginx/conf.d/cert/letsencrypt.conf;

    # client certificate
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client on;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    client_max_body_size 500M;

    # Hiding broadcasting the nginx version
    server_tokens  off;
    fastcgi_param  SERVER_SOFTWARE    nginx;

    #Set resolved to point to internal docker network resolved
    resolver 127.0.0.11 ipv6=off;

=============================================

Access website and receive the following message. "Usually I get prompted to authenticate via client certificate"

400 Bad Request
No required SSL certificate was sent
nginx

The client SSL certificate was sent through with previous versions of Firefox prior to version 71. Installed Firefox Developers edition v72 and the same thing happens.

Chrome and other mainstream browsers work as expected. The client certificate authentication has been in place for over 2 years now and always worked as expected.

Actual results:

Since Firefox updated to version 71, our client SSL certificate is no longer sent through to NGINX and we get the message BAD REQUEST, No required SSL certificate was sent. No prompt is appearing to select a certificate.

Expected results:

Prior to version 71 we've received a prompt to select a certificate. Selected certificate and all was working. Was able to access website.
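A server-side way to triage the symptom described in this report, as an added example that is not part of the original report or of any nginx or Firefox code: it tallies nginx's `$ssl_client_verify` value per browser major version, separating clients that sent no certificate at all from clients whose certificate was rejected. The `mtls` log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed access-log format (hypothetical name "mtls"); $ssl_client_verify is a
# real nginx variable whose value is SUCCESS, FAILED:<reason> or NONE:
#   log_format mtls '$remote_addr [$time_local] "$request" $status '
#                   'verify=$ssl_client_verify "$http_user_agent"';
LINE_RE = re.compile(r'^\S+ \[[^\]]+\] "[^"]*" \d{3} '
                     r'verify=(?P<verify>.*?) "(?P<ua>[^"]*)"$')
BROWSER_RE = re.compile(r'(Firefox|Chrome)/(\d+)')

# Constructed sample lines, not taken from the bug report.
SAMPLE_LOG = """\
203.0.113.5 [10/Dec/2019:09:01:12 +0000] "GET / HTTP/2.0" 200 verify=SUCCESS "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"
203.0.113.5 [10/Dec/2019:09:14:40 +0000] "GET / HTTP/2.0" 400 verify=NONE "Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
203.0.113.7 [10/Dec/2019:09:15:02 +0000] "GET / HTTP/2.0" 400 verify=NONE "Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0"
203.0.113.9 [10/Dec/2019:09:16:30 +0000] "GET / HTTP/2.0" 200 verify=SUCCESS "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
203.0.113.8 [10/Dec/2019:09:17:00 +0000] "GET / HTTP/2.0" 400 verify=FAILED:certificate has expired "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"
"""

def browser_of(ua):
    m = BROWSER_RE.search(ua)
    return f"{m.group(1)} {m.group(2)}" if m else "other"

def classify(verify):
    """Map $ssl_client_verify to ok / no_cert_sent / cert_rejected."""
    if verify == "SUCCESS":
        return "ok"
    if verify == "NONE":
        return "no_cert_sent"   # client never presented a certificate
    return "cert_rejected"      # FAILED:<reason>: presented but not accepted

def summarize(log_text):
    table = defaultdict(Counter)  # outcomes per browser major version
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                   # lines in any other format are skipped
            table[browser_of(m["ua"])][classify(m["verify"])] += 1
    return {b: dict(c) for b, c in table.items()}

def silent_clients(log_text):
    """Browsers whose every logged request arrived without a certificate."""
    return sorted(b for b, c in summarize(log_text).items()
                  if set(c) == {"no_cert_sent"})

if __name__ == "__main__":
    for browser, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{browser:11} {counts}")
    print("never sent a certificate:", silent_clients(SAMPLE_LOG))
```

A browser version that shows only `no_cert_sent` while other clients of the same server show `ok` points at the client side rather than at the CA file or the `ssl_verify_client` setting.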

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE