Closed
Bug 161297
Opened 23 years ago
Closed 22 years ago
not all certs listed as choices to validate with a web site
Categories
(Core Graveyard :: Security: UI, defect, P3)
Tracking
(Not tracked)
VERIFIED
INVALID
People
(Reporter: kevin.mitcham, Assigned: KaiE)
Details
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020721
BuildID: 2002072104
I have about 10 certs in my certStore, but when I go to a https site, I only get
1 cert in the list of certs to pick to present to the site. Unfortunately, it
isn't the right one.
If I delete all the other certs, I auto-fail. The same cert always appears in
the dropdown list; if I delete it, I get no choices and auto-fail.
Reproducible: Always
Steps to Reproduce:
1. Have more than one cert
2. Set the browser to not auto-select the cert
3. When going to a cert-selecting page, try to select the cert.
Expected Results: The full list of certs appears; I select the appropriate one.
Comment 1 • 23 years ago (Reporter)
If I save, delete then re-import the certs, sometimes I can get them all to appear.
Not really sure what the dependency is on at this point.
Comment 2 • 23 years ago
Security General = Security Holes only ! (please read the component description)
-> PSM
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: other → unspecified
Comment 3 • 23 years ago (Assignee)
Are you sure all your certs are valid?
When you open cert manager, what does the verified column say for your certs? Is
it showing, too, that only one of your certs is verified?
Are you sure all your certs are usable with the server? Are your certs from
different CAs? When a server asks the browser for client authentication, it
usually sends a list of allowed client certs, and only matching ones will be
shown in the dialog.
Comment 4 • 23 years ago (Reporter)
------- Additional Comments From kaie@netscape.com 2002-08-06 13:23 -------
Are you sure all your certs are valid?
Yes.
When you open cert manager, what does the verified column say for your certs? Is
it showing, too, that only one of your certs is verified?
All certs have 'verified = true'
Are you sure all your certs are usable with the server? Are your certs from
different CAs?
All the certs are from the same CA, and should be functionally identical.
When a server asks the browser for client authentication, it
usually sends a list of allowed client certs, and only matching ones will be
shown in the dialog.
After getting an additional new Cert, or re-importing the certs, I can
(sometimes) get the full list to appear. It doesn't seem to be 100%, though.
Comment 5 • 23 years ago (Assignee)
John, are you able to reproduce the problem?
Kevin, can you try to create new profile for testing purposes, and import your
certs there? Do you see the same behaviour?
Comment 6 • 23 years ago
I have lots of personal certs, but when using client auth for Netscape's mail,
the only certs presented as a choice include "John Unruh" or "America Online
Inc ID" as part of the cert. The other certs are not available as choices.
When I use client auth at the in-house server lab212sun.mcom.com that requires
client auth, the only certs presented are the ones that include "lab212 ID" in
the cert. This looks like the preferred behavior, where personal certs that
don't seem to have anything to do with the client auth server are not listed as
a choice.
Updated • 23 years ago
Assignee: ssaux → kaie
Comment 7 • 23 years ago
Kai.
I'm not sure that's the way it should work.
Comment 8 • 23 years ago
There's no way to know if the cert selection dialog is working correctly or not
without
a) the ssltap output, and
b) a printout or other listing of all the user's certs, including the issuer DNs
for each and every cert.
When an SSL server requests a client cert, the server sends a list of issuer
names to the client. It says, in effect, only send me a client cert that was
issued by one of the issuers in this list. If the user has "ask every time"
set, the proper behavior of the client is to present the user with a list of
all certs issued by the issuers in the list from the server, that are not
expired or otherwise invalid.
It may be that the user desires to present a cert that is NOT issued by any of
the issuers in the server's list of trusted issuers, but that would violate
the protocol.
The implication of this bug report is that the user believes that he has more
than one cert issued by the issuers named by the server, that are currently
valid, but that some of the certs issued by those named issuers are being
excluded from the list in the selection dialog. If the user can document this
claim by showing the list of trusted issuers that is sent by the server in the
cert request, and show that he has multiple valid certs from those issuers,
then this bug is confirmed. Otherwise, it is invalid.
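
The filtering rule described in comment 8, written out as an added example (not part of the original bug thread and not NSS code): it splits a cert store into what the selection dialog would offer and what it would hide, with a reason per hidden cert. The record fields, nicknames, DNs and dates are constructed; comparing DNs as strings is a simplification, and an empty issuer list is treated as "no issuer restriction", which later TLS versions allow.

```python
from datetime import datetime, timezone

def norm_dn(dn):
    # Simplified comparison key (assumption): real TLS stacks compare the
    # DER-encoded names; this breaks on commas inside attribute values.
    return tuple(part.strip().lower() for part in dn.split(","))

def filter_client_certs(store, acceptable_issuers, now):
    """Return (offered, rejected): nicknames for the dialog, and nickname -> reason."""
    wanted = {norm_dn(dn) for dn in acceptable_issuers}
    offered, rejected = [], {}
    for cert in store:
        name = cert["nickname"]
        if now < cert["not_before"]:
            rejected[name] = "not yet valid"
        elif now > cert["not_after"]:
            rejected[name] = "expired"
        elif wanted and norm_dn(cert["issuer"]) not in wanted:
            rejected[name] = "issuer not in server's list"
        else:
            # Also reached when the server's list is empty (no issuer restriction).
            offered.append(name)
    return offered, rejected

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data: hypothetical nicknames, DNs and dates.
CORP_CA = "CN=Example Corp CA, O=Example Corp, C=US"
STORE = [
    {"nickname": "id-current", "issuer": "cn=example corp ca,o=example corp,c=us",
     "not_before": utc(2002, 1, 1), "not_after": utc(2003, 1, 1)},
    {"nickname": "id-expired", "issuer": CORP_CA,
     "not_before": utc(2000, 1, 1), "not_after": utc(2001, 1, 1)},
    {"nickname": "id-other-ca", "issuer": "CN=Other CA, O=Other Org, C=US",
     "not_before": utc(2002, 1, 1), "not_after": utc(2003, 1, 1)},
    {"nickname": "id-future", "issuer": CORP_CA,
     "not_before": utc(2002, 9, 1), "not_after": utc(2003, 9, 1)},
]
NOW = utc(2002, 8, 6)

if __name__ == "__main__":
    offered, rejected = filter_client_certs(STORE, [CORP_CA], NOW)
    print("offered:", offered)
    for name, reason in rejected.items():
        print(f"hidden: {name} ({reason})")
```

Comparing the "hidden" reasons against the issuer list captured from the server's certificate request is the documentation comment 8 asks for before the bug can be confirmed.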
Comment 9 • 23 years ago (Reporter)
------- Additional Comments From nelsonb@netscape.com 2002-08-06 20:27 -------
There's no way to know if the cert selection dialog is working correctly or not
without
a) the ssltap output, and
b) a printout or other listing of all the user's certs, including the issuer DNs
for each and every cert.
I'm afraid I don't know how to get (a), but as to (b), all my certs are from the
same source (identical issuer DNs). Sometimes they all get listed, sometimes
they don't. Generally, if I delete/export them, they all get listed.
If you want to give me guidance, I'm happy to provide more technical info. I
couldn't find any info on getting ssltap output in help, and nothing under the
debug menu looked correct.
Comment 10 • 23 years ago
The cert selection list always works for me. Reporter, from comment #1, it
appears likely that you have a corrupted cert DB. Can you try setting up a new
profile, importing all of your certs, set cert selection to Always Ask, and try
it again?
Comment 11 • 22 years ago
Marking invalid. I cannot reproduce, and there are no similar bugs reported.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Priority: -- → P3
Resolution: --- → INVALID
Version: unspecified → 2.4
Updated • 8 years ago
Product: Core → Core Graveyard