Closed Bug 1605170 Opened 4 years ago Closed 4 years ago

Client certificate authentication broken in FF 71

Categories

(Core :: Security: PSM, defect)

71 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1601227

People

(Reporter: mail, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

Preconditions:

  1. Client certificate signed by a private CA installed in Firefox.

  2. Webserver, where only some locations are secured by client certificate authentication. The CA root certificate is installed on the server. In my case I am using Apache http 2.4 with the following additional configuration for secured pages:

    SSLCACertificateFile /appdata/ssl/ca/clientcert_cas.pem
    <Location /secured>
    SSLVerifyDepth 10
    SSLVerifyClient require
    </Location>

Actual results:

When opening an unsecured webpage on the server via https, everything is ok (so SSL is generally working).
But when opening a secured page, since FF 71 the browser is reporting the following error code without asking for the installed client certificate:

SSL_ERROR_HANDSHAKE_FAILURE_ALERT

Expected results:

The browser should ask for a client certificate and then open the secured web page as do previous FF versions and other browsers like Chrome, Edge or IE.

Additional info: On the server side the following information is logged:

    Re-negotiation handshake failed
    SSL Library Error: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate -- No CAs known to server for verification?
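
The server-side log lines above, decoded. This is an added example, not part of the original report and not Apache or OpenSSL code; the function names and the second sample entry are constructed for illustration. It assumes the OpenSSL 1.x error-code layout and separates "client sent no certificate", which is what this report shows, from "a certificate was sent but rejected".

```python
import re

# OpenSSL 1.0.x/1.1.x packs the hex code as lib (8 bits) | func (12) | reason (12).
# Assumption: pre-3.0 layout, which matches the line quoted in this report.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)(?: -- (.*))?$")

VERDICTS = {  # reason text -> what it says about the client
    "peer did not return a certificate": "client-sent-no-certificate",
    "certificate verify failed": "client-certificate-rejected",
}

def decode_openssl_error(line):
    """Split an 'SSL Library Error' line into numeric and text fields."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "func_name": m.group(3),
        "reason_text": m.group(4).strip(),
        "hint": m.group(5),  # text after " -- ", None when absent
    }

def triage(lines):
    """Pair each renegotiation failure with the library error that follows it."""
    findings, pending = [], False
    for line in lines:
        if "Re-negotiation handshake failed" in line:
            pending = True
            continue
        err = decode_openssl_error(line)
        if err and pending:
            pending = False
            findings.append((VERDICTS.get(err["reason_text"], "other"), err))
    return findings

# Constructed sample: the two messages from the report, then a constructed
# contrast case where a certificate was sent but failed verification.
SAMPLE_LOG = [
    "Re-negotiation handshake failed",
    "SSL Library Error: error:140890C7:SSL routines:ssl3_get_client_certificate:"
    "peer did not return a certificate -- No CAs known to server for verification?",
    "Re-negotiation handshake failed",
    "SSL Library Error: error:14089086:SSL routines:ssl3_get_client_certificate:"
    "certificate verify failed",
]
```
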

Component: Untriaged → Security: PSM
Product: Firefox → Core

Do you see the same behavior in Firefox 72? (currently beta: https://www.mozilla.org/en-US/firefox/channel/desktop/ )

Flags: needinfo?(mail)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #2)

> Do you see the same behavior in Firefox 72? (currently beta: https://www.mozilla.org/en-US/firefox/channel/desktop/ )

In FF 72 it is working again. The browser asks for the client certificate - and after choosing the correct certificate the secured page is loaded and displayed correctly.

Flags: needinfo?(mail)

Great - thanks!

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE