Closed Bug 1610644 Opened 2 years ago Closed 2 years ago

be more efficient about finding new certificates for users who have 1000s of client certificates

Categories

(Core :: Security: PSM, enhancement, P1)

72 Branch
enhancement

Tracking

RESOLVED FIXED
mozilla75
Tracking Status
firefox75 --- fixed

People

(Reporter: ipickering2, Assigned: keeler)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(13 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36

Steps to reproduce:

  1. Go to login.microsoft.com.
  2. Enter an account that requires smartcard authentication.
  3. Choose "Use a smartcard or PIN" on the dialog that opens after signing in with a password.

Actual results:

This error appears, and there is no choice of certificates/smartcard to use like there is in Chrome.

An error occurred
No valid client certificate found in the request. No valid certificates found in the user's certificate store. Please try again choosing a different authentication method.

Expected results:

There should have been a popup menu displaying the list of certificates to use, and I should be able to select my smartcard from them.

Also reported at https://github.com/webcompat/web-bugs/issues/47735. They asked me to file a bug report here.

Component: Untriaged → Security: PSM
Product: Firefox → Core

If you use Nightly (https://www.mozilla.org/en-US/firefox/channel/desktop/) and set the preference security.osclientcerts.autoload to true in about:config, does it work?

Flags: needinfo?(ipickering2)

I enabled the option and tried to log in. At the point where the certificate list should show up the browser froze (with the Not Responding title) although the CSS animation kept updating. Then I force-closed the process and tried to disable the option and this caused an immediate crash, so it seems I can't disable it. This is on the latest Nightly.

Flags: needinfo?(ipickering2)

Are there any crash reports in about:crashes? Can you link them here?

Flags: needinfo?(ipickering2)

No, there are no crash reports that appear there.

Flags: needinfo?(ipickering2)

When Firefox freezes, can you use Process Explorer to see what's on Firefox's call stack?

Flags: needinfo?(ipickering2)
Flags: needinfo?(ipickering2)

I attached the stack information for Firefox. Hopefully this is what you need.

Also, I left an instance of Nightly running overnight when it hung at the certificate selection stage and eventually it succeeded and showed the list of certificates. However it was missing the certificate I use for smartcard authentication, so I couldn't proceed.

Thanks! Can you do that again, but only with threads that are in osclientcerts.dll?

Flags: needinfo?(ipickering2)

This is the stack during the Firefox hang.

Flags: needinfo?(ipickering2)

This is the stack once the message window is reached.

Also if I choose any certificate at the certificate list and proceed, it will say the page load timed out as if it was a network timeout issue, probably because it takes so long to load the window.

I checked again and it seems like the stack is changing very frequently; it seems like it's doing a lot of work in a loop.

Thanks! Does it behave differently if you use Firefox 73?

Flags: needinfo?(ipickering2)

No, there is no difference in behavior.

Flags: needinfo?(ipickering2)

Can you run Firefox in a terminal with the environment variable RUST_LOG set to osclientcerts=debug and attach the debugging output here as a text file?

Flags: needinfo?(ipickering2)
Attached file firefox.log

Attached. I could only capture 9999 lines since I was unable to redirect the output to a file (using -attach-console) and that's the maximum buffer size the PowerShell settings permit.

Also I should mention that capturing the debug output was way harder than I thought it would be. First the output wouldn't even show up unless I used a specific shortcut to the PowerShell prompt (it doesn't appear in ISE). The program doesn't seem to write to stdout when I use -attach-console even though it prints everything so I couldn't redirect it to a file in cmd or PowerShell, and it ignored set RUST_LOG=osclientcerts=debug unless I set it in System Preferences (probably because it spawns a new process with a different env). It also seemed to ignore -foreground and kept running in the background anyway. Setting MOZ_LOG_FILE ends up with all the logs being empty even though it still prints everything on the console.

Flags: needinfo?(ipickering2)
Attachment #9124177 - Attachment mime type: application/octet-stream → text/plain

Thanks - can you try again with RUST_LOG set to osclientcerts/found?

Flags: needinfo?(ipickering2)
Attached file firefox.2.log

Attached. I had to use osclientcerts=debug/found to get any output.

Flags: needinfo?(ipickering2)
Attachment #9125218 - Attachment mime type: application/octet-stream → text/plain

The priority flag is not set for this bug.
:keeler, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)
Flags: needinfo?(dkeeler)
Priority: -- → P2
Summary: Cannot use smartcard authentication with Microsoft login → be more efficient about finding new certificates for users who have 1000s of client certificates
Whiteboard: [psm-backlog]

Thanks! It looks like we need to re-work how we look for new client certs.

Assignee: nobody → dkeeler
Type: defect → enhancement
Priority: P2 → P1
Whiteboard: [psm-backlog] → [psm-assigned]

Before this, every time NSS wanted to open a new session (C_OpenSession),
osclientcerts would look for new client certificates/keys in the OS store. It
turns out, NSS wants to open new sessions often, so this was slow. This patch
adds a timestamp to the manager and ensures that it searches for new objects no
more than once every 3 seconds.

Additionally, this patch adds the optimization that if NSS tries to search for
PKCS#11 objects with attributes that osclientcerts doesn't support,
osclientcerts returns an empty search early, rather than enumerating every
object and finding no matches.

In the future we may need to be smarter about how we match objects during
searches. Rather than iterating through every object, we could build lookup
tables that would be much more time efficient.
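As an added illustration (not the osclientcerts patch itself), here is a Rust sketch of the two optimizations this comment describes: a manager that rate-limits the OS-store search to at most once per interval, and an object search that returns empty immediately when the template contains an attribute type the module can never match. The `Manager`, `AttrType` and `Object` types and the two-object store contents are constructed for the example.

```rust
use std::time::{Duration, Instant};
// Illustrative PKCS#11-style attribute types. osclientcerts only understands a
// subset; anything it can never match is modelled here as `Unsupported`.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum AttrType { Class, Label, Id, Unsupported(u64) }
pub type Attr = (AttrType, Vec<u8>);
#[derive(Clone, Debug, PartialEq)]
pub struct Object { pub attrs: Vec<Attr> }
pub struct Manager {
    objects: Vec<Object>,
    last_search: Option<Instant>, // when we last enumerated the OS store
    min_interval: Duration,       // 3 seconds in the real fix
    pub store_reads: usize,       // number of (simulated) store enumerations
}
impl Manager {
    pub fn new(min_interval: Duration) -> Self {
        Manager { objects: Vec::new(), last_search: None, min_interval, store_reads: 0 }
    }
    // Stand-in for the expensive OS certificate store enumeration (constructed data).
    fn read_os_store(&mut self) -> Vec<Object> {
        self.store_reads += 1;
        let obj = |class: u8, label: &str| Object {
            attrs: vec![(AttrType::Class, vec![class]), (AttrType::Label, label.as_bytes().to_vec())],
        };
        vec![obj(1, "cert-a"), obj(3, "key-a")]
    }
    // Called on every C_OpenSession. Returns true only when a search actually ran.
    pub fn maybe_find_new_objects(&mut self, now: Instant) -> bool {
        if self.last_search.map_or(false, |last| now.duration_since(last) < self.min_interval) {
            return false; // searched recently: skip the enumeration
        }
        self.last_search = Some(now);
        for obj in self.read_os_store() {
            // keep only objects we have not seen before
            if !self.objects.contains(&obj) { self.objects.push(obj); }
        }
        true
    }
    // C_FindObjects equivalent: bail out early on a template we can never satisfy,
    // instead of scanning every object and finding no matches.
    pub fn find_objects(&self, template: &[Attr]) -> Vec<&Object> {
        if template.iter().any(|(t, _)| matches!(t, AttrType::Unsupported(_))) {
            return Vec::new();
        }
        self.objects.iter()
            .filter(|o| template.iter().all(|(t, v)| o.attrs.iter().any(|(ot, ov)| ot == t && ov == v)))
            .collect()
    }
}
```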

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/254080484266
search for new client certificates/keys in osclientcerts no more than once every 3 seconds r=kjacobs
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75

Thanks for fixing this.

Sure thing - is the latest Nightly working for you?

Flags: needinfo?(ipickering2)

The issue with the dialog taking a long time to load is fixed, but in the dialog the physical smartcard certificate I use does not appear. I filed a new bug for this issue. https://bugzilla.mozilla.org/show_bug.cgi?id=1617000

Flags: needinfo?(ipickering2)