Closed Bug 161297 Opened 23 years ago Closed 22 years ago

not all certs listed as choices to validate with a web site

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch
x86
Windows 2000
defect

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: kevin.mitcham, Assigned: KaiE)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020721
BuildID: 2002072104
I have about 10 certs in my certStore, but when I go to a https site, I only get 1 cert in the list of certs to pick to present to the site. Unfortunately, it isn't the right one. If I delete all the other certs, I auto-fail. The same cert always appears in the dropdown list; if I delete it, I get no choices and auto-fail.
Reproducible: Always
Steps to Reproduce:
1. Have more than one cert
2. Set the browser to not auto-select the cert
3. When going to a cert-selecting page, try to select the cert.
Expected Results: The full list of certs appears; I select the appropriate one.
If I save, delete then re-import the certs, sometimes I can get them all to appear. Not really sure what the dependency is on at this point.
Security General = Security Holes only ! (please read the component description) -> PSM
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: other → unspecified
Are you sure all your certs are valid? When you open cert manager, what does the verified column say for your certs? Is it showing, too, that only one of your certs is verified? Are you sure all your certs are usable with the server? Are your certs from different CAs? When a server asks the browser for client authentication, it usually sends a list of allowed client certs, and only matching ones will be shown in the dialog.
------- Additional Comments From kaie@netscape.com 2002-08-06 13:23 -------
> Are you sure all your certs are valid?
Yes.
> When you open cert manager, what does the verified column say for your certs? Is it showing, too, that only one of your certs is verified?
All certs have 'verified = true'
> Are you sure all your certs are usable with the server? Are your certs from different CAs?
All the certs are from the same CA, and should be functionally identical.
> When a server asks the browser for client authentication, it usually sends a list of allowed client certs, and only matching ones will be shown in the dialog.
After getting an additional new Cert, or re-importing the certs, I can (sometimes) get the full list to appear. It doesn't seem to be 100%, though.
John, are you able to reproduce the problem? Kevin, can you try to create a new profile for testing purposes, and import your certs there? Do you see the same behaviour?
I have lots of personal certs, but when using client auth for Netscape's mail, the only certs presented as a choice include "John Unruh" or "America Online Inc ID" as part of the cert. The other certs are not available as choices. When I use client auth at the in-house server lab212sun.mcom.com that requires client auth, the only certs presented are the ones that include "lab212 ID" in the cert. This looks like the preferred behavior, where personal certs that don't seem to have anything to do with the client auth server are not listed as a choice.
Assignee: ssaux → kaie
Kai. I'm not sure that's the way it should work.
There's no way to know if the cert selection dialog is working correctly or not without a) the ssltap output, and b) a printout or other listing of all the user's certs, including the issuer DNs for each and every cert.
When an SSL server requests a client cert, the server sends a list of issuer names to the client. It says, in effect, only send me a client cert that was issued by one of the issuers in this list. If the user has "ask every time" set, the proper behavior of the client is to present the user with a list of all certs issued by the issuers in the list from the server, that are not expired or otherwise invalid. It may be that the user desires to present a cert that is NOT issued by any of the issuers in the server's list of trusted issuers, but that would violate the protocol.
The implication of this bug report is that the user believes that he has more than one cert issued by the issuers named by the server, that are currently valid, but that some of the certs issued by those named issuers are being excluded from the list in the selection dialog. If the user can document this claim by showing the list of trusted issuers that is sent by the server in the cert request, and show that he has multiple valid certs from those issuers, then this bug is confirmed. Otherwise, it is invalid.
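The filtering rule described in the comment above, as an added example (not code from PSM/NSS or from any commenter): it reads the issuer list out of a TLS 1.0/1.1 CertificateRequest body and reports why each certificate would or would not be offered. The function names, the sample certificates and the byte-for-byte DN comparison are assumptions made for illustration.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc

def parse_certificate_request(body: bytes) -> list:
    """Issuer names (DER) from a TLS 1.0/1.1 CertificateRequest body:
    certificate_types<1..2^8-1>, then certificate_authorities as a 2-byte
    total length followed by 2-byte-length-prefixed DistinguishedNames."""
    pos = 1 + body[0]  # skip the certificate_types vector
    (total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + total
    if end != len(body):
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while pos < end:
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("bad DistinguishedName length")
        names.append(body[pos:pos + n])
        pos += n
    return names

def explain_selection(certs, acceptable, now):
    """For each cert: 'offered', or the reason it is left out of the dialog.
    Assumption: issuer names match when their DER bytes are identical."""
    out = {}
    for c in certs:
        # An empty issuer list (allowed from TLS 1.1) places no issuer limit.
        if acceptable and c["issuer"] not in acceptable:
            out[c["nick"]] = "issuer not in server list"
        elif not (c["not_before"] <= now <= c["not_after"]):
            out[c["nick"]] = "outside validity period"
        else:
            out[c["nick"]] = "offered"
    return out

# Constructed sample data (not from the bug report).
def _dn(cn: bytes) -> bytes:  # DER Name holding one 4-byte UTF8String CN
    return bytes.fromhex("300f310d300b06035504030c04") + cn

def _cert(nick, issuer, y0, y1):
    return {"nick": nick, "issuer": issuer,
            "not_before": datetime(y0, 1, 1, tzinfo=UTC),
            "not_after": datetime(y1, 1, 1, tzinfo=UTC)}

CA_A, CA_B = _dn(b"CA-A"), _dn(b"CA-B")
_auth = struct.pack("!H", len(CA_A)) + CA_A
SAMPLE_BODY = bytes([1, 1]) + struct.pack("!H", len(_auth)) + _auth  # rsa_sign, one issuer
CERTS = [_cert("current", CA_A, 2002, 2003), _cert("expired", CA_A, 2000, 2001),
         _cert("other-ca", CA_B, 2002, 2003)]
NOW = datetime(2002, 8, 6, tzinfo=UTC)
print(explain_selection(CERTS, parse_certificate_request(SAMPLE_BODY), NOW))
```

Comparing this kind of per-certificate report against the issuer list captured from the server is the evidence the comment asks for before the bug can be confirmed.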
------- Additional Comments From nelsonb@netscape.com 2002-08-06 20:27 -------
> There's no way to know if the cert selection dialog is working correctly or not without a) the ssltap output, and b) a printout or other listing of all the user's certs, including the issuer DNs for each and every cert.
I'm afraid I don't know how to get (a), but as to (b), all my certs are from the same source (identical issuer DNs). Sometimes they all get listed, sometimes they don't. Generally, if I delete/export them, they all get listed. If you want to give me guidance, I'm happy to provide more technical info. I couldn't find any info on getting ssltap output in help, and nothing under the debug menu looked correct.
The cert selection list always works for me. Reporter, from comment #1, it appears likely that you have a corrupted cert DB. Can you try setting up a new profile, importing all of your certs, set cert selection to Always Ask, and try it again?
Marking invalid. I cannot reproduce, and there are no similar bugs reported.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Priority: -- → P3
Resolution: --- → INVALID
Version: unspecified → 2.4
V
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard