be more efficient about finding new certificates for users who have 1000s of client certificates
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox75 | --- | fixed |
People
(Reporter: ipickering2, Assigned: keeler)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-assigned])
Attachments
(13 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Steps to reproduce:
- Go to login.microsoft.com.
- Enter an account that requires smartcard authentication.
- Choose "Use a smartcard or PIN" on the dialog that opens after signing in with a password.
Actual results:
This error appears, and there is no choice of certificates/smartcard to use like there is in Chrome.
An error occurred
No valid client certificate found in the request. No valid certificates found in the user's certificate store. Please try again choosing a different authentication method.
Expected results:
There should have been a popup menu displaying the list of certificates to use, and I should be able to select my smartcard from them.
Comment 1 • Reporter • 4 years ago
Also reported at https://github.com/webcompat/web-bugs/issues/47735. They asked me to file a bug report here.
Comment 2 • Assignee • 4 years ago
If you use Nightly (https://www.mozilla.org/en-US/firefox/channel/desktop/) and set the preference `security.osclientcerts.autoload` to `true` in `about:config`, does it work?
Comment 3 • Reporter • 4 years ago
I enabled the option and tried to log in. At the point where the certificate list should show up, the browser froze (with the Not Responding title), although the CSS animation kept updating. Then I force closed the process and tried to disable the option, and this caused an immediate crash, so it seems I can't disable it. This is on the latest Nightly.
Comment 4 • Assignee • 4 years ago
Are there any crash reports in about:crashes? Can you link them here?
Comment 5 • Reporter • 4 years ago
No, there are no crash reports that appear there.
Comment 6 • Assignee • 4 years ago
When Firefox freezes, can you use Process Explorer to see what's on Firefox's call stack?
Comment 7 • Reporter • 4 years ago
Comment 8 • Reporter • 4 years ago
Comment 9 • Reporter • 4 years ago
Comment 10 • Reporter • 4 years ago
I attached the stack information for Firefox. Hopefully this is what you need.
Also, I left an instance of Nightly running overnight when it hung at the certificate selection stage, and eventually it succeeded and showed the list of certificates. However, it was missing the certificate I use for smartcard authentication, so I couldn't proceed.
Comment 11 • Reporter • 4 years ago
Comment 12 • Reporter • 4 years ago
Comment 13 • Assignee • 4 years ago
Thanks! Can you do that again, but only with threads that are in `osclientcerts.dll`?
Comment 14 • Reporter • 4 years ago
This is the stack during the Firefox hang.
Comment 15 • Reporter • 4 years ago
This is the stack once the message window is reached.
Comment 16 • Reporter • 4 years ago
Also if I choose any certificate at the certificate list and proceed, it will say the page load timed out as if it was a network timeout issue, probably because it takes so long to load the window.
Comment 17 • Reporter • 4 years ago
I checked again and it seems like the stack is changing very frequently; it seems like it's doing a lot of work in a loop.
Comment 18 • Reporter • 4 years ago
Comment 19 • Reporter • 4 years ago
Comment 20 • Assignee • 4 years ago
Thanks! Does it behave differently if you use Firefox 73?
Comment 21 • Reporter • 4 years ago
No, there is no difference in behavior.
Comment 22 • Assignee • 4 years ago
Can you run Firefox in a terminal with the environment variable `RUST_LOG` set to `osclientcerts=debug` and attach the debugging output here as a text file?
Comment 23 • Reporter • 4 years ago
Attached. I could only capture 9999 lines since I was unable to redirect the output to a file (using `-attach-console`) and that's the maximum buffer size the PowerShell settings permit.
Also I should mention that capturing the debug output was way harder than I thought it would be. First the output wouldn't even show up unless I used a specific shortcut to the PowerShell prompt (it doesn't appear in ISE). The program doesn't seem to write to stdout when I use `-attach-console` even though it prints everything, so I couldn't redirect it to a file in cmd or PowerShell, and it ignored `set RUST_LOG=osclientcerts=debug` unless I set it in System Preferences (probably because it spawns a new process with a different env). It also seemed to ignore `-foreground` and kept running in the background anyway. Setting `MOZ_LOG_FILE` ends up in all the logs being empty even though it still prints everything on the console.
Comment 24 • Assignee • 4 years ago
Thanks - can you try again with `RUST_LOG` set to `osclientcerts/found`?
Comment 25 • Reporter • 4 years ago
Attached. I had to use `osclientcerts=debug/found` to get any output.
Comment 26 • 4 years ago
The priority flag is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 27 • Assignee • 4 years ago
Thanks! It looks like we need to re-work how we look for new client certs.
Comment 28 • Assignee • 4 years ago
Before this, every time NSS wanted to open a new session (C_OpenSession),
osclientcerts would look for new client certificates/keys in the OS store. It
turns out, NSS wants to open new sessions often, so this was slow. This patch
adds a timestamp to the manager and ensures that it searches for new objects no
more than once every 3 seconds.
Additionally, this patch adds the optimization that if NSS tries to search for
PKCS#11 objects with attributes that osclientcerts doesn't support,
osclientcerts returns an empty search early, rather than enumerating every
object and finding no matches.
In the future we may need to be smarter about how we match objects during
searches. Rather than iterating through every object, we could build lookup
tables that would be much more time efficient.
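A sketch of the two changes the commit message above describes, added here as an example; it is not the osclientcerts code or part of the original comment. `Manager`, `open_session`, `find_objects`, `sample_store` and the `SUPPORTED` attribute subset are hypothetical, and the clock is passed in explicitly so the 3-second window can be exercised without sleeping.

```rust
use std::time::{Duration, Instant};

const CKA_CLASS: u64 = 0x0000; // PKCS#11 attribute types, values from the specification
const CKA_LABEL: u64 = 0x0003;
const SUPPORTED: [u64; 2] = [CKA_CLASS, CKA_LABEL]; // assumed subset, for illustration
const RESCAN_INTERVAL: Duration = Duration::from_secs(3);
type Attr = (u64, Vec<u8>); // (attribute type, value)

struct Manager<F: FnMut() -> Vec<Vec<Attr>>> {
    scan_os_store: F, // stand-in for the expensive OS certificate/key enumeration
    objects: Vec<Vec<Attr>>,
    last_scan: Option<Instant>,
    scans: u32, // how many times the OS store was enumerated
}
impl<F: FnMut() -> Vec<Vec<Attr>>> Manager<F> {
    fn new(scan_os_store: F) -> Self {
        Manager { scan_os_store, objects: Vec::new(), last_scan: None, scans: 0 }
    }
    // Runs on every C_OpenSession, but rescans at most once per RESCAN_INTERVAL.
    fn open_session(&mut self, now: Instant) {
        if self.last_scan.map_or(true, |t| now.saturating_duration_since(t) >= RESCAN_INTERVAL) {
            self.objects = (self.scan_os_store)();
            self.last_scan = Some(now);
            self.scans += 1;
        }
    }
    // Returns (indices of matching objects, number of objects examined).
    fn find_objects(&self, template: &[Attr]) -> (Vec<usize>, usize) {
        if template.iter().any(|(t, _)| !SUPPORTED.contains(t)) {
            return (Vec::new(), 0); // unsupported attribute: nothing can match
        }
        let hits: Vec<usize> = self.objects.iter().enumerate()
            .filter(|(_, obj)| template.iter().all(|a| obj.contains(a)))
            .map(|(i, _)| i).collect();
        (hits, self.objects.len())
    }
}

// Constructed sample store: two objects with a class and a label each.
fn sample_store() -> Vec<Vec<Attr>> {
    vec![vec![(CKA_CLASS, vec![1]), (CKA_LABEL, b"alice".to_vec())],
         vec![(CKA_CLASS, vec![1]), (CKA_LABEL, b"bob".to_vec())]]
}

fn main() {
    let (mut m, t0) = (Manager::new(sample_store), Instant::now());
    for ms in [0u64, 500, 2999, 3000] { m.open_session(t0 + Duration::from_millis(ms)); }
    println!("scans={} bob={:?}", m.scans, m.find_objects(&[(CKA_LABEL, b"bob".to_vec())]));
}
```

Four session opens produce two store enumerations, and a template carrying an unsupported attribute returns without examining any object.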
Comment 29 • 4 years ago
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/254080484266 search for new client certificates/keys in osclientcerts no more than once every 3 seconds r=kjacobs
Comment 30 • 4 years ago
bugherder
Comment 31 • Reporter • 4 years ago
Thanks for fixing this.
Comment 32 • Assignee • 4 years ago
Sure thing - is the latest Nightly working for you?
Comment 33 • Reporter • 4 years ago
The issue with the dialog taking a long time to load is fixed, but in the dialog the physical smartcard certificate I use does not appear. I filed a new bug for this issue. https://bugzilla.mozilla.org/show_bug.cgi?id=1617000