Closed Bug 1603202 Opened 5 years ago Closed 3 years ago

Client side certificate deprecation notice

Categories

(Web Compatibility :: Site Reports, defect, P3)

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: joakim.rosqvist, Unassigned, NeedInfo)

References

(Regression)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

I tried to fetch a new certificate for connection to my bank, as the old one had expired. The bank then informs me that they no longer will support certificates with Firefox due to changes in version 69 of Firefox. I asked them what changes they were talking about and they said "we [the certificate issuer] can no longer control into which certificate-container a downloaded certificate is to be installed".
Not finding anything about certificates in the release notes of Firefox 69, I don't know if this is a bug or an intentional change. Reporting in the vain hope that the bank might change their minds about supporting Firefox if a future version restores the previous behavior.

Hi, joakim.rosqvist!

Thanks for your contribution!

I have seen other bugs about certificates so far, and currently I'm not able to check certs. I assume this issue is related to the new about:certificate view work that is being done right now.

I will add product and component to keep track of this.

Regards,

Component: Untriaged → Security
Flags: needinfo?(joakim.rosqvist)

This is probably the result of the keygen removal in Firefox 69. I'm not sure if we're tracking the reactions from websites for web compat, but moving the bug there on suspicion. Otherwise this would be a WONTFIX, I'm afraid.

(We'd probably need the name of the site in question, too).

Component: Security → Desktop
Product: Firefox → Web Compatibility
Regressed by: 1315460
Summary: choosing container for certificate download → Client side certificate deprecation notice
Version: 69 Branch → unspecified
Flags: needinfo?(joakim.rosqvist)

Joakim, does this issue still happen?

Flags: needinfo?(joakim.rosqvist)

Tried (using Firefox 76.0.1) to download a certificate from my bank. The resulting page still says they're not supporting certificates with Firefox because of a change in version 69. I suppose they're only checking the version number and not the functionality. Has anything changed between v69 and v76 that would again make it possible for the certificate-issuer to control into which certificate-container a downloaded certificate is to be installed?

Flags: needinfo?(joakim.rosqvist)

Johann mentioned we removed keygen in 69, but I don't know enough about this area to actually answer your specific question. Johann?

Also, I wonder if it works if you spoof as Chrome (to verify they're just checking the UA string).

Flags: needinfo?(jhofmann)
Severity: normal → S2
Priority: -- → P3

Tried spoofing my Firefox 76/Linux as Chrome 83 for Windows. I was then allowed to download a .p12 certificate file, but it cannot be imported into Firefox as a password is required for that and the download process did not provide one or include a step where I could define one.

Dana might have more up-to-date knowledge on client certs and keygen removal.

Flags: needinfo?(jhofmann) → needinfo?(dkeeler)

Yes, keygen was removed. However, Chrome has also removed keygen, so I think the question is, how does this website work with Chrome?

Flags: needinfo?(dkeeler) → needinfo?(joakim.rosqvist)

Unfortunately I'm not able to test the issue since it is a banking site and valid credentials are required for sign in.
https://prnt.sc/10i6rxm

According to SSL Labs:
https://prnt.sc/10i6vna

Tested with:
Browser / Version: Firefox Nightly 88.0a1 (2021-03-09)
Operating System: Windows 10 Pro

Joakim Rosqvist, can you still reproduce the issue?

Status: UNCONFIRMED → NEW
Ever confirmed: true

Needs Triage.

Flags: needinfo?(raul.bucata)
Flags: needinfo?(oana.arbuzov)

I was not able to reproduce the issue since this requires valid credentials for sign-in purposes. Test account creation requires valid data.

Tested with:

Browser / Version: Firefox Nightly 92.0a1 (2021-07-13) (64-bit)
Operating System: Windows 10 PRO x64

Suggestion: Try clearing cache/data/cookies, disabling add-ons and ad blockers (if available), or using a clean profile, and check again. If any changes were made to the default settings of the browser (e.g. in about:config), please revert to the default settings and try again. Also, have the required cookies been accepted for this page? Also, is the issue reproducible with the latest build of Firefox Nightly?

Flags: needinfo?(raul.bucata)
Flags: needinfo?(oana.arbuzov)
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Has Regression Range: --- → yes