Closed Bug 1611521 Opened 5 years ago Closed 5 years ago

TLS 1.3 post-handshake authentication still does not work when smartcard does not support RSA-PSS

Categories: NSS :: Libraries, defect, P2
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 1588941
People: Reporter 1983-01-06, Assigned kjacobs
Attachments: 7 files, 2 obsolete files


User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

After 1511989 I expected TLS 1.3 PHA to work. Tried with 68.4.2esr (20200117153614) and 74.0a1 (20200122094859).

Note that TLS 1.2 (max version 3) works perfectly with renegotiation with my smartcard.

So I have set security.tls.enable_post_handshake_auth to true. Configured mod_ssl on Apache 2.4.41 with OpenSSL 1.1.1 with TLS 1.3 to perform the following in my public_html/.htaccess:
SSLVerifyClient optional
SSLVerifyDepth 3
SSLUserName SSL_CLIENT_SAN_Email_0
Require valid-user

Actual results:

Apache requests Firefox to perform PHA then Firefox says:
Error code: SEC_ERROR_LIBRARY_FAILURE

httpd-error.log says:
[Fri Jan 24 22:51:34.420101 2020] [ssl:info] [pid 2294] [client 167.87.35.99:52368] AH01964: Connection to child 2 established (server deblndw011x.ad001.siemens.net:443)
[Fri Jan 24 22:51:44.334625 2020] [ssl:warn] [pid 2294] [client 167.87.35.99:52368] AH02227: Failed to set r->user to 'SSL_CLIENT_SAN_Email_0'
[Fri Jan 24 22:51:44.334682 2020] [auth_gssapi:info] [pid 2294] [client 167.87.35.99:52368] NO AUTH DATA Client did not send any authentication headers
[Fri Jan 24 22:51:44.334766 2020] [ssl:info] [pid 2294] [client 167.87.35.99:52368] AH02006: SSL handshake stopped: connection was closed
[Fri Jan 24 22:51:44.334782 2020] [ssl:info] [pid 2294] [client 167.87.35.99:52368] AH01998: Connection closed to child 2 with abortive shutdown (server deblndw011x.ad001.siemens.net:443)

But this works perfectly with curl:

===============
$ curl --verbose -I https://deblndw011x.ad001.siemens.net/~osipovmi/tls-auth/phpinfo.php --trace-ascii - -E pair.pem
Warning: --trace-ascii overrides an earlier trace/verbose option
== Info: Uses proxy env variable NO_PROXY == 'localhost .siemens.net .siemens.com .siemens.de'
== Info: Trying 147.54.64.17:443...
== Info: TCP_NODELAY set
== Info: Connected to deblndw011x.ad001.siemens.net (147.54.64.17) port 443 (#0)
== Info: ALPN, offering h2
== Info: ALPN, offering http/1.1
Enter PEM pass phrase:
== Info: successfully set certificate verify locations:
== Info: CAfile: /usr/local/etc/ssl/cert.pem
CApath: none
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: .......>4.p!.........+$...Ni..)..{.... .....e.#.4x.yh...3.."%..z
0040: ....B>t.>.......,.0.........+./...$.(.k.#.'.g.....9.....3.....=.
0080: <.5./.....u...". ...deblndw011x.ad001.siemens.net...............
00c0: .........3t.........h2.http/1.1.........1.....0.................
0100: ................................+............-.....3.&.$... .%5.
0140: .,..\uvY..@..Gq_.....C...(....................................
0180: ................................................................
01c0: ................................................................
<= Recv SSL data, 5 bytes (0x5)
0000: ....z
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
<= Recv SSL data, 122 bytes (0x7a)
0000: ...v..T..r..&..5K..!pn....x@../|.J..]> .....e.#.4x.yh...3.."%..z
0040: ....B>t......+.....3.$... 1........6...D.<...B..?..x.qj..W
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 5 bytes (0x5)
0000: ....*
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
<= Recv SSL data, 25 bytes (0x19)
0000: .................http/1.1
<= Recv SSL data, 5 bytes (0x5)
0000: ....I
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Certificate (11):
<= Recv SSL data, 6200 bytes (0x1838)
0000: ...4...0...0...0..........L..k..&(6..zw.[Nf.m0....H........0..
0040: 1.0...U....DE1.0...U....Bayern1.0...U....Muenchen1.0...U....Siem
0080: ens1.0...U....ZZZZZZB71.0...U....Siemens Trust Center100...U...'
00c0: Siemens Issuing CA Intranet Server 20170...190228091513Z..200228
0100: 091513Z0]1.0...U....DE1.0...U....Siemens1.0...U....PD LD AP DW1&
0140: 0$..U....deblndw011x.ad001.siemens.net0.."0...
.H.............0.
...
17c0: .....'p..].q.....5r<.S..};.).i.#.......u|......e.M.#eH.d.6..gKm6
1800: .......5..7..W:..'R.a.:....yk..tsvLL.D...D.U.K....hQ.A..
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, CERT verify (15):
<= Recv SSL data, 520 bytes (0x208)
0000: .........=u..t.5}...w].B..}.y[...Q..k.c=...]v...........|..^.IK.
0040: ..<.Z.lD...h).JU....-A....!]..E...sC.......f{H...
...AT..SB.Q=
0080: @|...<E.oTS.rQ..}.5T. .j.p"O@w.....1/..%.'.t..i.|.......Nk.g
00c0: Y..b...vB.......t.+l......7><...S....*fG..........?..,..(pE.....
0100: .l.K3.K.....-....4...7l]..,=..9....."..a...m;...&....2.......5
0140: 9f...TJ.Z.).s.u..d........._...w.........!E.<.k..a...Fy.<.u.l.i.
0180: ..r8C..3..9X.D..C.fu.....5w;...eWj($.LT6..^ =E.mN4_....B*N.(....
01c0: .d=?!.qi)..X...;...o~6..JCS...'.XL...9...7o.0".Z<..4|gW....e..
0200: I]p....;
<= Recv SSL data, 5 bytes (0x5)
0000: ....E
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Finished (20):
<= Recv SSL data, 52 bytes (0x34)
0000: ...0tr...x.R?0.K.s...d....V....4...>.....?..8...Ko.k
=> Send SSL data, 5 bytes (0x5)
0000: .....
== Info: TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
=> Send SSL data, 1 bytes (0x1)
0000: .
=> Send SSL data, 5 bytes (0x5)
0000: ....E
=> Send SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (OUT), TLS handshake, Finished (20):
=> Send SSL data, 52 bytes (0x34)
0000: ...0..f...G2.y..O.?......p.(...........=FC....*Y.B..
== Info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
== Info: ALPN, server accepted to use http/1.1
== Info: Server certificate:
== Info: subject: C=DE; O=Siemens; OU=PD LD AP DW; CN=deblndw011x.ad001.siemens.net
== Info: start date: Feb 28 09:15:13 2019 GMT
== Info: expire date: Feb 28 09:15:13 2020 GMT
== Info: subjectAltName: host "deblndw011x.ad001.siemens.net" matched cert's "deblndw011x.ad001.siemens.net"
== Info: issuer: C=DE; ST=Bayern; L=Muenchen; O=Siemens; serialNumber=ZZZZZZB7; OU=Siemens Trust Center; CN=Siemens Issuing CA Intranet Server 2017
== Info: SSL certificate verify ok.
=> Send SSL data, 5 bytes (0x5)
0000: .....
=> Send SSL data, 1 bytes (0x1)
0000: .
=> Send header, 124 bytes (0x7c)
0000: HEAD /~osipovmi/tls-auth/phpinfo.php HTTP/1.1
002f: Host: deblndw011x.ad001.siemens.net
0054: User-Agent: curl/7.67.0
006d: Accept: */*
007a:
<= Recv SSL data, 5 bytes (0x5)
0000: ....J
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
<= Recv SSL data, 57 bytes (0x39)
0000: ...5...,.o{........... h.../..p..yb...?..q.1&h...;4+.....
<= Recv SSL data, 5 bytes (0x5)
0000: ....J
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
<= Recv SSL data, 57 bytes (0x39)
0000: ...5...,.............. ...RUI....u.)...iRFP.....W....&...
== Info: old SSL session ID is stale, removing
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Request CERT (13):
<= Recv SSL data, 1662 bytes (0x67e)
0000: ...z \.Ilh$..v.y.o.......U.....v..r...W...&.$...................
0040: ................../.).'..0..1.0...U....DE1.0...U....Bayern1.0...
0080: U....Muenchen1.0...U....Siemens1.0...U....ZZZZZZA21.0...U....Sie
00c0: mens Trust Center1(0&..U....Siemens Issuing CA EE Auth 2016..0..
0100: 1.0...U....DE1.0...U....Bayern1.0...U....Muenchen1.0...U....Siem
0140: ens1.0...U....ZZZZZZA51.0...U....Siemens Trust Center1.0,..U...%
0180: Siemens Issuing CA Multi Purpose 2016..0..1.0...U....DE1.0...U..
01c0: ..Bayern1.0...U....Muenchen1.0...U....Siemens1.0...U....ZZZZZZA7
0200: 1.0...U....Siemens Trust Center100...U...'Siemens Issuing CA Int
0240: ranet Server 2016..0..1.0...U....DE1.0...U....Bayern1.0...U....M
0280: uenchen1.0...U....Siemens1.0...U....ZZZZZZB71.0...U....Siemens T
02c0: rust Center100...U...'Siemens Issuing CA Intranet Server 2017..0
0300: ..1.0...U....DE1.0...U....Bayern1.0...U....Muenchen1.0...U....Si
0340: emens1.0...U....ZZZZZZB91.0...U....Siemens Trust Center100...U..
0380: .'Siemens Issuing CA Internet Server 2017..0..1.0...U....DE1.0..
03c0: .U....Bayern1.0...U....Muenchen1.0...U....Siemens1.0...U....ZZZZ
0400: ZZAD1.0...U....Siemens Trust Center1:08..U...1Siemens Issuing CA
0440: EE Network Smartcard Auth 2016..0..1.0...U....DE1.0...U....Baye
0480: rn1.0...U....Muenchen1.0...U....Siemens1.0...U....ZZZZZZAB1.0...
04c0: U....Siemens Trust Center1<0:..U...3Siemens Issuing CA MSA Imper
0500: sonalized Entities 2016..0..1.0...U....DE1.0...U....Bayern1.0...
0540: U....Muenchen1.0...U....Siemens1.0...U....ZZZZZZA61.0...U....Sie
0580: mens Trust Center1?0=..U...6Siemens Issuing CA Medium Strength A
05c0: uthentication 2016..0..1.0...U....DE1.0...U....Bayern1.0...U....
0600: Muenchen1.0...U....Siemens1.0...U....ZZZZZZA91.0...U....Siemens
0640: Trust Center100...U...'Siemens Issuing CA Internet Server 2016
=> Send SSL data, 5 bytes (0x5)
0000: ....P
=> Send SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (OUT), TLS handshake, Certificate (11):
=> Send SSL data, 6975 bytes (0x1b3f)
0000: ...; \.Ilh$..v.y.o.......U.....v..r........0...0..q.........m.0.
0040: ..*.H........0..1.0...U....DE1.0...U....Bayern1.0...U....Muenche
0080: n1.0...U....Siemens1.0...U....ZZZZZZA61.0...U....Siemens Trust C
00c0: enter1?0=..U...6Siemens Issuing CA Medium Strength Authenticatio
0100: n 20160...190604140534Z..200604140532Z0N1.0...U....Z003YJMC1.0..
...
1b00:......|.^..SJ").H+>M.....Y.Xe..D.~}....L.>.qT..K.X.....
=> Send SSL data, 5 bytes (0x5)
0000: .....
=> Send SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (OUT), TLS handshake, CERT verify (15):
=> Send SSL data, 264 bytes (0x108)
0000: ........2!6......v.......O:..u.9.0.U.9...>@..9..)....#s..wx...
0040: C.R........UK.ky...\....sjupf|f%.h.!iHo.hn...}...L.....;Y 6G..
0080: ......}.7..m.D...3..F.X............@..A.....|0..}......F&<l.b.a
00c0: i.w......s.1......u.@.(.-..{.2hn......+..aE=...?....mM./..BNC.
0100: 0i8..
..
=> Send SSL data, 5 bytes (0x5)
0000: ....E
=> Send SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (OUT), TLS handshake, Finished (20):
=> Send SSL data, 52 bytes (0x34)
0000: ...0:................;+..TR.'..K.F.8D.!ax..$.7....
<= Recv SSL data, 5 bytes (0x5)
0000: ....J
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
<= Recv SSL data, 57 bytes (0x39)
0000: ...5...,...6.......... 6~Kq9[..0.|3.1q.P8.&.m.....-vf....
== Info: old SSL session ID is stale, removing
<= Recv SSL data, 5 bytes (0x5)
0000: ....J
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
<= Recv SSL data, 57 bytes (0x39)
0000: ...5...,.QI........... ..6ph........@n.........G.%....j..
== Info: old SSL session ID is stale, removing
<= Recv SSL data, 5 bytes (0x5)
0000: .....
<= Recv SSL data, 1 bytes (0x1)
0000: .
== Info: Mark bundle as not supporting multiuse
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
HTTP/1.1 200 OK
<= Recv header, 37 bytes (0x25)
0000: Date: Fri, 24 Jan 2020 21:55:16 GMT
Date: Fri, 24 Jan 2020 21:55:16 GMT
<= Recv header, 100 bytes (0x64)
0000: Server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1d-freebsd PHP/7.2.2
0040: 6 SVN/1.10.6 mod_auth_gssapi/1.6.1
Server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1d-freebsd PHP/7.2.26 SVN/1.10.6 mod_auth_gssapi/1.6.1
<= Recv header, 29 bytes (0x1d)
0000: X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
<= Recv header, 26 bytes (0x1a)
0000: X-Powered-By: PHP/7.2.26
X-Powered-By: PHP/7.2.26
<= Recv header, 40 bytes (0x28)
0000: Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

<= Recv header, 2 bytes (0x2)
0000:
== Info: Connection #0 to host deblndw011x.ad001.siemens.net left intact

Note that both curl and mod_ssl use the same OpenSSL version from FreeBSD base.

Expected results:

PHA should have happened against Apache and its mod_ssl.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS
QA Contact: jjones
Version: 68 Branch → other

Might be the same as Bug 1601402?

Talking to kjacobs, we have tests for this, but maybe they're missing a case

See Also: → 1601402

The priority flag is not set for this bug.
:jcj, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jjones)

Kevin, please look at this next week after the 3.51 RTM

Flags: needinfo?(jjones) → needinfo?(kjacobs.bugzilla)

Unfortunately I haven't been able to reproduce this. I've set up a CA and configured Apache and Firefox with issued server and client certs, and am able to connect successfully with Fx after selecting the appropriate cert. Note, however, that I'm having some issues getting Apache to do PHA reliably. If you could provide an archive with your configs, that would be helpful.

I've also configured an NSS database with the same CA, server, and client certs, for use with the selfserv and tstclnt utilities. Everything here appears correct:

NSS (s) <-> NSS (c):

Server: ../dist/Debug/bin/selfserv -d . -p 4433 -V tls1.3: -H 1 -n server -u -rrrr -E -v
Client: ../dist/Debug/bin/tstclnt -h 127.0.0.1 -d . -E -n "Test User - Test" -p 4433 -v -A tests/ssl/sslreq.dat
Results:
selfserv: About to call accept.
selfserv: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC
selfserv: Server Auth: 4096-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3
          Compression: NULL, Extended Master Secret: Yes
selfserv: Subject: E=test@test.com,CN=Test User,OU=Test,O=Test,L=Hillsboro,ST=Oregon,C=US
selfserv: Issuer : E=test,CN=test,OU=test,O=Test,L=Hillsboro,ST=Oregon,C=US
selfserv: -- SSL3: Certificate Validated.
...
tstclnt: Server Auth: 4096-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3
         Compression: NULL, Extended Master Secret: Yes
         Signature Scheme: rsa_pss_rsae_sha256
subject DN: E=test@test.com,CN=127.0.0.1,OU=test,O=Test,L=Hillsboro,ST=Oregon,C=US
issuer  DN: E=test,CN=test,OU=test,O=Test,L=Hillsboro,ST=Oregon,C=US
Received 0 Cert Status items (OCSP stapled data)
tstclnt: PR_Poll returned with writable socket !
tstclnt: 18 bytes written
tstclnt: Read from server -1 bytes.
tstclnt: stdin read 0 bytes
tstclnt: PR_Poll returned!
Server requested Client Authentication
CA[1]: O=Example CA
CA[2]: E=test,CN=test,OU=test,O=Test,L=Hillsboro,ST=Oregon,C=US
CA[3]: E=test@test.com,CN=127.0.0.1,OU=test,O=Test,L=Hillsboro,ST=Oregon,C=US
sent cert: E=test@test.com,CN=Test User,OU=Test,O=Test,L=Hillsboro,ST=Oregon,C=US
tstclnt: Read from server -1 bytes
tstclnt: PR_Poll returned!
tstclnt: Read from server 137 bytes
HTTP/1.0 200 OK
Server: Generic Web Server
tstclnt: PR_Poll returned!
tstclnt: Read from server 0 bytes
tstclnt: exiting with return code 0
...

NSS (s) <-> OpenSSL (c):

Server: ../dist/Debug/bin/selfserv -d . -p 4433 -V tls1.3: -H 1 -n server -u -rrrr -E -v
Client: openssl s_client -connect 127.0.0.1:4433 -CAfile ../ca.cer  -cert ../client.cer  -key ../client.key  -enable_pha -state (and a request)

selfserv: About to call accept.
selfserv: SSL version 3.4 using 128-bit AES-GCM with 128-bit AEAD MAC
selfserv: Server Auth: 4096-bit TLS 1.3, Key Exchange: 255-bit TLS 1.3
          Compression: NULL, Extended Master Secret: Yes
selfserv: Subject: E=test@test.com,CN=Test User,OU=Test,O=Test,L=Hillsboro,ST=Oregon,C=US
selfserv: Issuer : E=test,CN=test,OU=test,O=Test,L=Hillsboro,ST=Oregon,C=US
selfserv: -- SSL3: Certificate Validated
...

CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
depth=1 C = US, ST = Oregon, L = Hillsboro, O = Test, OU = test, CN = test, emailAddress = test
verify return:1
depth=0 C = US, ST = Oregon, L = Hillsboro, O = Test, OU = test, CN = 127.0.0.1, emailAddress = test@test.com
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
...
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
...
SSL_connect:SSLv3/TLS read server session ticket
read R BLOCK
GET / HTTP/1.0

SSL_connect:SSL negotiation finished successfully
SSL_connect:SSL negotiation finished successfully
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write finished
read R BLOCK
HTTP/1.0 200 OK
Server: Generic Web Server
Date: Tue, 26 Aug 1997 22:10:05 GMT
Content-type: text/plain
GET / HTTP/1.0

EOF
SSL3 alert read:warning:close notify
closed
SSL3 alert write:warning:close notify

OpenSSL (s) <-> NSS (c):

Server: openssl s_server -accept 44333 -cert ../server.cer -key ../server.key -verify 3 -CAfile ../ca.cer -state (followed by 'c' command after client connects)
Client: ../dist/Debug/bin/tstclnt -h 127.0.0.1 -d . -E -n "Test User - Test" -p 44333 -v

Server output:
c
SSL_accept:SSL negotiation finished successfully
SSL_accept:SSLv3/TLS write certificate request
SSL_do_handshake -> 1
SSL_accept:SSL negotiation finished successfully
SSL_accept:SSL negotiation finished successfully
depth=1 C = US, ST = Oregon, L = Hillsboro, O = Test, OU = test, CN = test, emailAddress = test
verify return:1
depth=0 C = US, ST = Oregon, L = Hillsboro, O = Test, OU = Test, CN = Test User, emailAddress = test@test.com
verify return:1
SSL_accept:SSLv3/TLS read client certificate
SSL_accept:SSLv3/TLS read certificate verify
SSL_accept:SSLv3/TLS read finished
SSL_accept:SSLv3/TLS write session ticket
SSL_accept:SSLv3/TLS write session ticket
Read BLOCK

FWIW, you could also use pk12util to import your client cert and attempt connection from tstclnt, as above.

Flags: needinfo?(kjacobs.bugzilla)

A (decrypted) packet capture might also be helpful.

With a debug build from mozilla-central (for example, this one), you can set the SSLKEYLOGFILE environment variable and use that file with Wireshark to decrypt the PHA part of the handshake.
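Before attaching an SSLKEYLOGFILE to a bug like this one, it is worth checking that the file actually covers the session in the capture and contains the right secrets: TLS 1.3 post-handshake messages (CertificateRequest, Certificate, CertificateVerify, Finished) are protected under the application traffic keys, so Wireshark needs the CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0 lines for that client random, not only the handshake traffic secrets. The following script is an added example, not part of this bug report or of NSS; it parses the NSS/OpenSSL keylog format and reports, per client random, what can be decrypted. The keylog content embedded in it is constructed (all-0x11/0x22/0x33 client randoms, dummy secrets), not taken from any attachment on this bug.

```python
"""Check an SSLKEYLOGFILE for the secrets Wireshark needs to decrypt a TLS 1.3 session, PHA included."""
from collections import defaultdict

# Keylog labels written by NSS and OpenSSL. Post-handshake authentication messages are
# encrypted under the application traffic secrets, so without *_TRAFFIC_SECRET_0 the
# handshake itself decrypts but the PHA exchange stays opaque.
TLS13_HANDSHAKE = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
TLS13_APPDATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS12_LABEL = "CLIENT_RANDOM"   # TLS 1.2: one master secret line decrypts everything


def parse_keylog(text):
    """Map client_random (lower-case hex) -> {label: secret_hex}; comments are skipped."""
    sessions = defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or len(parts[1]) != 64:
            raise ValueError("line %d: expected 'LABEL <32-byte client_random hex> <secret hex>'" % lineno)
        label, client_random, secret = parts
        bytes.fromhex(client_random)   # both fields must be valid hex
        bytes.fromhex(secret)
        sessions[client_random.lower()][label] = secret
    return dict(sessions)


def coverage(labels):
    """Classify what the recorded labels let a decryptor see for one session."""
    labels = set(labels)
    if TLS12_LABEL in labels:
        return "tls12-full"
    if TLS13_APPDATA <= labels:
        return "tls13-full"              # handshake, application data and PHA
    if TLS13_HANDSHAKE <= labels:
        return "tls13-handshake-only"    # PHA messages would remain encrypted
    return "insufficient"


def check_session(text, client_random_hex):
    """Coverage verdict for the session whose ClientHello.random is client_random_hex."""
    labels = parse_keylog(text).get(client_random_hex.lower())
    return coverage(labels) if labels else "missing"


# Constructed sample keylog (not from a real capture): one complete TLS 1.3 session,
# one TLS 1.3 session that stopped logging after the handshake, one TLS 1.2 session.
_R1, _R2, _R3 = "11" * 32, "22" * 32, "33" * 32
SAMPLE_KEYLOG = "# constructed sample, not from a real capture\n" + "\n".join(
    "%s %s %s" % (label, rnd, "ab" * 48) for label, rnd in [
        ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", _R1), ("SERVER_HANDSHAKE_TRAFFIC_SECRET", _R1),
        ("CLIENT_TRAFFIC_SECRET_0", _R1), ("SERVER_TRAFFIC_SECRET_0", _R1),
        ("EXPORTER_SECRET", _R1),
        ("CLIENT_HANDSHAKE_TRAFFIC_SECRET", _R2), ("SERVER_HANDSHAKE_TRAFFIC_SECRET", _R2),
        ("CLIENT_RANDOM", _R3),
    ])

if __name__ == "__main__":
    for rnd, labels in parse_keylog(SAMPLE_KEYLOG).items():
        print(rnd[:16] + "...", coverage(labels))
```

The client random to look up is the 32-byte `random` field of the ClientHello in the capture (Wireshark shows it under Handshake Protocol: Client Hello). Keep in mind that a keylog with `*_TRAFFIC_SECRET_0` lines is as sensitive as the session it decrypts, which is why the privacy caveat about attaching it publicly applies to the keylog as much as to the PCAP.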

(In reply to Kevin Jacobs [:kjacobs] from comment #5)
> A (decrypted) packet capture might also be helpful.
>
> With a debug build from mozilla-central (for example, this one), you can set the SSLKEYLOGFILE environment variable and use that file with Wireshark to decrypt the PHA part of the handshake.

I will try to provide the requested information. Do you want client side logs only or Apache logs too? If yes, at which level or component?

(In reply to Michael Osipov from comment #6)
> (In reply to Kevin Jacobs [:kjacobs] from comment #5)
> > A (decrypted) packet capture might also be helpful.
> >
> > With a debug build from mozilla-central (for example, this one), you can set the SSLKEYLOGFILE environment variable and use that file with Wireshark to decrypt the PHA part of the handshake.
>
> I will try to provide the requested information. Do you want client side logs only or Apache logs too? If yes, at which level or component?

The decrypted PCAP would be most useful, followed by an archive of example Apache configs that trigger the issue (and it may turn out that both are needed). Thanks.

Assignee: nobody → kjacobs.bugzilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2

OK, let's start with configuration first:

  • Running HTTPd 2.4.41 with OpenSSL 1.1.1e-freebsd

vhosts.conf:

<VirtualHost *:443>
ServerAdmin ...
ServerName deblndw011x.ad001.siemens.net:443
DocumentRoot /usr/local/www/apache24/data
ErrorLog "/var/log/apache/deblndw011x-ssl-errors.log"
CustomLog "/var/log/apache/deblndw011x-ssl-access.log" common

Header always append X-Frame-Options SAMEORIGIN
LimitRequestFieldSize 32768

AllowEncodedSlashes On

SSLEngine On
SSLCertificateFile /etc/ssl/deblndw011x.ad001.siemens.net/cert.pem
SSLCertificateKeyFile /etc/ssl/deblndw011x.ad001.siemens.net/key.pem
SSLCACertificateFile /usr/local/etc/ssl/cert.pem
SSLCADNRequestFile /usr/local/etc/ssl/ca-trust/siemens-clientauth-certs.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars +ExportCertData
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

Include "etc/apache24/extra/httpd-userdir.conf"

</VirtualHost>

userdir.conf:

<Directory "/net/home/*/public_html">
AllowOverride FileInfo AuthConfig Limit Indexes
IndexOptions +Charset=UTF-8
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require all granted
</Directory>

osipovmi@deblndw011x:~/public_html/tls-auth
$ tree -a
.
├── .htaccess
└── phpinfo.php

0 directories, 2 files

osipovmi@deblndw011x:~/public_html/tls-auth
$ less .htaccess
SSLVerifyClient require
SSLVerifyDepth 3
SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0
Require valid-user

Decrypted output will follow

OK, I now have the decrypted traffic from Firefox saved as PDU-formatted pcap file. Shall I attach it here, or is it something which should be saved privately?

Either will work. If you prefer to err on the side of caution, you're welcome to email it to me.

The PCAP will (minimally) contain IP addresses and the decrypted client and server certs. Possibly other traffic if application data was sent or other traffic included in the capture.

Attached file firefox-pha-pdu.pcap (obsolete) —

Here is the decrypted comm as reduced layer 4 PDUs.

Could you also attach the key file for decryption? Thanks.

Attached file my-keylog.txt.1 (obsolete) —

(In reply to Kevin Jacobs [:kjacobs] from comment #12)
> Could you also attach the key file for decryption? Thanks.

My bad, here it is.

Thanks. The PCAP looks normal, but I notice there's no PHA extension in the CH. Perhaps it was not enabled in Firefox?

Attached file firefox-pha3-pdu.pcap

(In reply to Kevin Jacobs [:kjacobs] from comment #14)
> Thanks. The PCAP looks normal, but I notice there's no PHA extension in the CH. Perhaps it was not enabled in Firefox?

Please find a new file attached. As soon as NSS reads my smartcard, Firefox crashes with:

SSL: logging SSL/TLS secrets to C:\Temp\keylog.txt
[Parent 15540, Main Thread] WARNING: This method is lossy. Use GetCanonicalPath !: file /builds/worker/checkouts/gecko/xpcom/io/nsLocalFileWin.cpp, line 3166
[Parent 15540, Main Thread] WARNING: This method is lossy. Use GetCanonicalPath !: file /builds/worker/checkouts/gecko/xpcom/io/nsLocalFileWin.cpp, line 3166
[Parent 15540, Main Thread] WARNING: This method is lossy. Use GetCanonicalPath !: file /builds/worker/checkouts/gecko/xpcom/io/nsLocalFileWin.cpp, line 3166
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /builds/worker/checkouts/gecko/netwerk/cache/nsCacheService.cpp, line 154
[Parent 15540, Main Thread] WARNING: '!mInitSucceeded', file /builds/worker/checkouts/gecko/editor/libeditor/TextEditSubActionHandler.cpp, line 102
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /builds/worker/checkouts/gecko/dom/base/ThirdPartyUtil.cpp, line 403
[Parent 15540, Main Thread] WARNING: '!parent', file /builds/worker/checkouts/gecko/netwerk/ipc/NeckoParent.cpp, line 974
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x804B001F: file /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp, line 5859
[Parent 15540, IPDL Background] WARNING: NextRequestSerialNumber doesn't match!: 'aLoggingInfo.nextRequestSerialNumber() == loggingInfo->mLoggingInfo.nextRequestSerialNumber()', file /builds/worker/checkouts/gecko/dom/indexedDB/ActorsParent.cpp, line 13449
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80040111: file /builds/worker/checkouts/gecko/netwerk/cache/nsCacheService.cpp, line 855
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80040111: file /builds/worker/checkouts/gecko/netwerk/cache/nsCacheService.cpp, line 818
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80040111: file /builds/worker/checkouts/gecko/netwerk/cache/nsApplicationCacheService.cpp, line 161
[Parent 15540, Main Thread] WARNING: Failed to get base domain!: file /builds/worker/checkouts/gecko/ipc/glue/BackgroundUtils.cpp, line 353
[2020-03-24T07:50:54Z WARN rkv::backend::impl_safe::environment] Ignoring map_size=16777216
[Parent 15540, Main Thread] WARNING: Need BrowserChild to get the nativeWindow from!: file /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp, line 1095
[Parent 15540, Main Thread] WARNING: Need BrowserChild to get the nativeWindow from!: file /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp, line 1095
[Parent 15540, Main Thread] WARNING: Need BrowserChild to get the nativeWindow from!: file /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp, line 1095
[Parent 15540, Main Thread] WARNING: Need BrowserChild to get the nativeWindow from!: file /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp, line 1095
[Parent 15540, Main Thread] WARNING: Need BrowserChild to get the nativeWindow from!: file /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp, line 1095
[Parent 15540, Main Thread] WARNING: '!parent', file /builds/worker/checkouts/gecko/netwerk/ipc/NeckoParent.cpp, line 974
[Parent 15540, IPDL Background] WARNING: NextRequestSerialNumber doesn't match!: 'aLoggingInfo.nextRequestSerialNumber() == loggingInfo->mLoggingInfo.nextRequestSerialNumber()', file /builds/worker/checkouts/gecko/dom/indexedDB/ActorsParent.cpp, line 13449
[Parent 15540, Main Thread] WARNING: NS_ENSURE_TRUE(root) failed: file /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp, line 3150
[Parent 15540, Main Thread] WARNING: '!mInitSucceeded', file /builds/worker/checkouts/gecko/editor/libeditor/TextEditSubActionHandler.cpp, line 102
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x804B001F: file /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp, line 5859
[Parent 15540, Main Thread] WARNING: '!mInitSucceeded', file /builds/worker/checkouts/gecko/editor/libeditor/TextEditSubActionHandler.cpp, line 102
[Parent 15540, Main Thread] WARNING: '!mName', file /builds/worker/checkouts/gecko/editor/libeditor/EditAggregateTransaction.cpp, line 91
[Parent 15540, Main Thread] WARNING: EditAggregationTransaction::GetName() failed: 'NS_SUCCEEDED(rv)', file /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp, line 217
[Parent 15540, Main Thread] WARNING: nsIAbsorbingTransaction::GetTxnName() failed, but ignored: 'NS_SUCCEEDED(rvIgnored)', file /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp, line 188
[Parent 15540, Main Thread] WARNING: '!parent', file /builds/worker/checkouts/gecko/netwerk/ipc/NeckoParent.cpp, line 974
PS C:\Users\osipovmi\Desktop\firefox> [Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x804B001F: file /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp, line 5859
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x804B001F: file /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp, line 5859
[Parent 15540, Main Thread] WARNING: '!mName', file /builds/worker/checkouts/gecko/editor/libeditor/EditAggregateTransaction.cpp, line 91
[Parent 15540, Main Thread] WARNING: EditAggregationTransaction::GetName() failed: 'NS_SUCCEEDED(rv)', file /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp, line 217
[Parent 15540, Main Thread] WARNING: nsIAbsorbingTransaction::GetTxnName() failed, but ignored: 'NS_SUCCEEDED(rvIgnored)', file /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp, line 188
[Parent 15540, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x804B001F: file /builds/worker/checkouts/gecko/netwerk/protocol/http/nsHttpChannel.cpp, line 5859
[Parent 15540, Main Thread] WARNING: '!mName', file /builds/worker/checkouts/gecko/editor/libeditor/EditAggregateTransaction.cpp, line 91
[Parent 15540, Main Thread] WARNING: EditAggregationTransaction::GetName() failed: 'NS_SUCCEEDED(rv)', file /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp, line 217
[Parent 15540, Main Thread] WARNING: nsIAbsorbingTransaction::GetTxnName() failed, but ignored: 'NS_SUCCEEDED(rvIgnored)', file /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp, line 188
[Parent 15540, Main Thread] WARNING: '!mName', file /builds/worker/checkouts/gecko/editor/libeditor/EditAggregateTransaction.cpp, line 91
[Parent 15540, Main Thread] WARNING: EditAggregationTransaction::GetName() failed: 'NS_SUCCEEDED(rv)', file /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp, line 217
[Parent 15540, Main Thread] WARNING: nsIAbsorbingTransaction::GetTxnName() failed, but ignored: 'NS_SUCCEEDED(rvIgnored)', file /builds/worker/checkouts/gecko/editor/libeditor/PlaceholderTransaction.cpp, line 188
[Parent 15540, Main Thread] WARNING: NS_ENSURE_TRUE(root) failed: file /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp, line 3150
[Parent 15540, Main Thread] WARNING: '!mInitSucceeded', file /builds/worker/checkouts/gecko/editor/libeditor/TextEditSubActionHandler.cpp, line 102
[Parent 15540, Main Thread] WARNING: NS_ENSURE_TRUE(root) failed: file /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp, line 3150
[Parent 15540, Main Thread] WARNING: '!mInitSucceeded', file /builds/worker/checkouts/gecko/editor/libeditor/TextEditSubActionHandler.cpp, line 102
Assertion failure: desc != internal_error, at /builds/worker/checkouts/gecko/security/nss/lib/ssl/tls13con.c:152

Attachment #9135106 - Attachment is obsolete: true
Attached file keylog.txt
Attachment #9135117 - Attachment is obsolete: true

With my Apache config issues resolved, PHA works as expected between Apache 2.4.29/OpenSSL 1.1.1 and Firefox 76 Nightly.

Since I could only test with an NSS-stored client certificate, can you post any details what smart card you're using (the make and model, at least)?

(In reply to Kevin Jacobs [:kjacobs] from comment #17)
> With my Apache config issues resolved, PHA works as expected between Apache 2.4.29/OpenSSL 1.1.1 and Firefox 76 Nightly.
>
> Since I could only test with an NSS-stored client certificate, can you post any details what smart card you're using (the make and model, at least)?

OK, I have now also tried another identity from a PKCS#12 file. This one works flawlessly with NSS against HTTPd with PHA. I will attach this pcap soon.

Smartcard configuration:

  • Two types of readers: external (OMNIKEY CardMan 3x31), internal (Alcor Micro USB) built into a Lenovo X390
  • Smartcard says version 4.2C
  • Running CardOS API 5.5 by Atos IT
  • Loaded into NSS via cardos11_64.dll, version 2.21.4.0
  • When logged in via NSS, it says: Siemens Corporate ID Card, hardware version 102.62, firmware version 200.11

Note that Firefox 68.6.0esr simply delivers an error with the smartcard. The nightly crashes.

Performed PHA with soft certificate

Attached file soft-keylog.txt

So, I was mistaken in thinking that the SSLKEYLOGFILE variable required a debug build of Firefox (sorry about that). Could you try getting a decrypted PCAP from ESR?

The crash in the debug build is an assertion and may or may not be interesting, but I don't see any obvious triggers along the certificate request path.

(In reply to Kevin Jacobs [:kjacobs] from comment #21)

> So, I was mistaken in thinking that the SSLKEYLOGFILE variable required a debug build of Firefox (sorry about that). Could you try getting a decrypted PCAP from ESR?

I will provide the PCAP file from ESR later this day.

Attached file firefox-esr-keylog.txt

Thanks. Can you now post the hex dumps (from --trace output) of the PHA CertificateRequest and CertificateVerify messages from the working curl example?

Attached file curl-soft.trace

Here it is. Please note that this has been produced with a p12 file, not my smartcard. Since my Windows 10 version does not support TLS 1.3 with Schannel, I have produced the curl output with

curl 7.68.0 (amd64-portbld-freebsd12.1) libcurl/7.68.0 OpenSSL/1.1.1e zlib/1.2.11 c-ares/1.15.0 nghttp2/1.40.0

Hope this helps.

If you need the pcap dump from curl, I can provide this easily since curl supports SSLKEYLOGFILE too.

Ah! I thought curl was also using the smartcard. Since it's not, I believe this is bug 1588941.

The Firefox PHA itself is confirmed interoperable when using the .p12 file.

Unless you disagree, I'll close this and mark duplicate of 1588941.

(In reply to Kevin Jacobs [:kjacobs] from comment #28)

> Ah! I thought curl was also using the smartcard. Since it's not, I believe this is bug 1588941.
>
> The Firefox PHA itself is confirmed interoperable when using the .p12 file.
>
> Unless you disagree, I'll close this and mark duplicate of 1588941.

Just read the mentioned bug. To be honest, I don't know whether it is a duplicate or not. My expertise in that area ends at some point. Firefox should crash at least.

I'd like to give it a shot with OpenSSL and curl, but I need to figure out how to jiggle with OpenSC and OpenSSL to access my smartcard. Give me a couple of days for this.

I made some progress, I was able to load the CAPI engine in OpenSSL on Windows. But beat me, it neither wants to verify CAs nor pops for my smartcard:

s_client -connect deblndw011x.ad001.siemens.net:443 -enable_pha -engine capi -msg -ign_eof
s_client -connect deblndw011x.ad001.siemens.net:443 -engine capi -showcerts

I am trapped in this situation: https://stackoverflow.com/q/54418779/696632

Just a couple other ideas for testing this... Is there any chance you could create an EC cert (instead of RSA) on the smart card and test with that?

Even if the server won't trust it, the debug build may not crash on the assertion and/or a PCAP may show the Cert+CertVerify being sent from the client. Both would confirm that this is likely the same PSS issue.

An alternative might be to disable TLS 1.3 on the server, then tweak SSLOpenSSLConfCmd ClientSignatureAlgorithms ... to try smart card client auth with only rsa_pkcs1 (non-PSS), then only rsa_pss schemes.

(In reply to Kevin Jacobs [:kjacobs] from comment #31)

> Just a couple other ideas for testing this... Is there any chance you could create an EC cert (instead of RSA) on the smart card and test with that?

Absolutely not. My enterprise is too large for a peasant like me to have a chance to change something like this.

> Even if the server won't trust it, the debug build may not crash on the assertion and/or a PCAP may show the Cert+CertVerify being sent from the client. Both would confirm that this is likely the same PSS issue.
>
> An alternative might be to disable TLS 1.3 on the server, then tweak SSLOpenSSLConfCmd ClientSignatureAlgorithms ... to try smart card client auth with only rsa_pkcs1 (non-PSS), then only rsa_pss schemes.

Disabling TLS 1.3 works, but that is not what I am after ;-) I need to see whether I can tweak sigalgs with TLS 1.3 and let you know next week.

rsa_pkcs1 schemes are not supported in TLS 1.3, so the ClientSignatureAlgorithms suggestion was to enable only PSS schemes on TLS 1.2 (which, if it fails as I expect, confirms that this is all caused by the smart card not supporting PSS).

If that does work, let me know. Otherwise I'll mark this duplicate of bug 1588941.
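To make the two points above concrete (the CertificateRequest hex dumps asked for in comment #25, and the rule that rsa_pkcs1 schemes cannot be used for CertificateVerify in TLS 1.3), here is an added example, not code from the bug or from NSS, that parses a TLS 1.3 CertificateRequest, pulls out the offered signature_algorithms, and reports which schemes an RSA client key can actually sign with depending on whether the token implements PSS. The sample message is constructed; the `token_supports_pss` flag stands in for whatever the PKCS#11 module reports.

```python
"""Parse a TLS 1.3 CertificateRequest and check which signature schemes an RSA client key can use."""
import struct
from typing import List, Tuple

HANDSHAKE_CERTIFICATE_REQUEST = 13   # HandshakeType.certificate_request
EXT_SIGNATURE_ALGORITHMS = 13        # ExtensionType.signature_algorithms

# SignatureScheme code points from RFC 8446 section 4.2.3 (subset).
SCHEME_NAMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519",
}
RSA_PSS_SCHEMES = (0x0804, 0x0805, 0x0806)

def parse_certificate_request(msg: bytes) -> Tuple[bytes, List[int]]:
    """Return (certificate_request_context, offered signature scheme codes) from a handshake message."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    ctx_len = body[0]                      # PHA requests carry a non-empty context
    context = body[1:1 + ctx_len]
    pos = 1 + ctx_len
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    schemes: List[int] = []
    while pos < end:                       # walk the Extension vector
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_data_len]
        pos += 4 + ext_data_len
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            (list_len,) = struct.unpack("!H", data[:2])
            schemes = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + list_len, 2)]
    return context, schemes

def usable_schemes(offered: List[int], token_supports_pss: bool) -> List[str]:
    """Schemes an RSA client key may use in a TLS 1.3 CertificateVerify.
    RFC 8446 forbids rsa_pkcs1_* there, so an RSA key needs an rsa_pss_rsae_* scheme AND a token
    that implements PSS (CKM_RSA_PKCS_PSS in PKCS#11 terms); otherwise nothing is usable."""
    if not token_supports_pss:
        return []
    return [SCHEME_NAMES[s] for s in offered if s in RSA_PSS_SCHEMES]

# Constructed sample (not from the bug's captures): 4-byte context; offers PSS, PKCS1 and ECDSA.
SAMPLE = bytes.fromhex("0d000015" "0401020304" "000e" "000d000a0008" "0804080504010403")
```

A card that only offers CKM_RSA_PKCS yields an empty list even though the server offered rsa_pkcs1_sha256, which is exactly the situation that makes TLS 1.2 renegotiation work while TLS 1.3 PHA fails.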

(In reply to Kevin Jacobs [:kjacobs] from comment #33)

> rsa_pkcs1 schemes are not supported in TLS 1.3, so the ClientSignatureAlgorithms suggestion was to enable only PSS schemes on TLS 1.2 (which, if it fails as I expect, confirms that this is all caused by the smart card not supporting PSS).

Let me stress out that renegotiation with TLS 1.2 and smartcards works flawlessly. As soon as I set security.tls.version.max to 3, it works.

> If that does work, let me know. Otherwise I'll mark this duplicate of bug 1588941.

I think we should close this as a dup of the mentioned one b/c I am out of options for the moment. I will continue to watch 1588941.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Summary: TLS 1.3 post-handshake authentication still does not work → TLS 1.3 post-handshake authentication still does not work when smartcard does not support RSA-PSS