Closed Bug 1625147 Opened 6 years ago Closed 6 years ago

Client Cert: "Remember this decision" is still applied even when the option is deselected

Category: Core :: Security: PSM (defect)
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME

Reporter: mcurtean (Unassigned)
Attachments: 3 files

[Affected versions]:
FF 74.0 (20200309095159)
FF 75.0b8 (20200325013053)
FF 76.0a1 (20200324093140)

[Affected platforms]:
Windows 10 64-bit
macOS 10.15
macOS 10.14

[Prerequisites]
Follow the steps to test osclientcerts on Windows: https://docs.google.com/document/d/1QdygRHFS973gegmzcnLLl2wE3uhqdEhjfHrfM3dXj9A

[Steps to reproduce]:

  1. After connecting to the TLS server and entering the specific address in the FF browser (e.g. “https://localhost:4433” for TLS 1.2 or “https://localhost:4444” for TLS 1.3), the “User Identification Request” dialog appears.
  2. Deselect the "Remember this decision" checkbox and click OK.
  3. The page loads and includes some details about a “Client certificate” near the bottom.
  4. Refresh page or open a new tab and enter the same address.

[Expected results]:
When loading the certificate in another tab or refreshing the page after the decision to trust the requests has not been saved, the “User Identification Request” dialog should appear.

[Actual results]:
When loading the certificate in another tab or refreshing the session, the “User Identification Request” dialog does not appear and instead the same page is loaded.

Notes:
Since we're expecting the "remember this decision" to be saved (#1620110) and applied, the reverse should also hold true.

If you use wireshark to look at the packets on the wire, does the server send a "certificate request" message after the first connection? (it may be that the server is using session resumption, in which case it might not be doing a full handshake each time and it may not be asking for a client certificate each time)

Flags: needinfo?(mcurtean)

It does not look like such a message is sent, but I've attached the capture made on macOS (with TLS 1.3 running on a Linux VM) and filtered the requests for better viewing.
Steps performed while taking the capture were: loading the User Identification Request modal, deselecting the "remember this decision" checkbox and clicking OK. After the page with the certificate details was loaded, I refreshed it and loaded the same address in a new tab.

Flags: needinfo?(mcurtean)

Can you set the environment variable SSLKEYLOGFILE to some file path you can log keys to, run Firefox, and collect a packet trace again? I think in TLS 1.3 the client certificate exchange is encrypted.

Flags: needinfo?(mcurtean)

On Mac I could not find an uncomplicated way of adding an environment variable, so I tried reproducing this on Windows by running TLS 1.3 on a Linux VM. Unfortunately Wireshark would not pick up the requests, so in the end I resorted to running TLS 1.3 from the Windows terminal.
Attached is the capture filtered by the IP.

Flags: needinfo?(mcurtean)

Can you upload the key log as well?

Flags: needinfo?(mcurtean)
Attached file tls-key.log
Flags: needinfo?(mcurtean)

The priority flag is not set for this bug.
:keeler, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)

As far as I can tell, the server isn't requesting a client certificate in that packet trace, so I think this is the expected behavior.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → WORKSFORME
