rework bug 1658042 to avoid CryptFindCertificateKeyProvInfo
Categories
(Core :: Security: PSM, defect, P1)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox-esr78 | --- | unaffected |
firefox80 | --- | unaffected |
firefox81 | --- | disabled |
firefox82 | --- | disabled |
firefox83 | --- | fixed |
People
(Reporter: ivivanov.bg, Assigned: keeler)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, Whiteboard: [psm-assigned])
Attachments
(1 file)
Since the landing of Bug 1658042 - the SSL client authentication is no longer possible in FF.
The browser just hangs and constantly reloads the page.
Tried with 2 different certs having:
public key: RSA 2048, Signature Algorithm: SHA-256 with RSA Encryption v3
public key: RSA 1024 bit, Signature Algorithm: SHA-1 with RSA Encryption v3
Also clicking the 'View Certificates' button in about:preferences#privacy causes the main window to hang, but several seconds later the Certificate Manager dialog opens.
Comment 1 • 4 years ago
Set release status flags based on info from the regressing bug 1658042
Comment 2 • 4 years ago (Assignee)
Can you use https://profiler.firefox.com/ to get a profile of the hang when you click the "view certificates" button? Thanks!
Comment 3 • 4 years ago (Reporter)
Here is the result
https://share.firefox.dev/2Fob600
(Sorry for the late response)
Comment 4 • 4 years ago (Reporter)
I would be really glad if someone explains what this report actually shows.
I saw that the UI thread is waiting to be notified (NtWaitForAlertByThreadId).
But how can I find which thread is supposed to send the notification and what it is actually doing?
Comment 5 • 4 years ago (Assignee)
Unfortunately that profile doesn't have the information I need. Can you repeat that but using custom settings in the profiler, with the "all registered threads" checkbox checked? Thanks!
Comment 6 • 4 years ago (Reporter)
Here it is:
https://share.firefox.dev/3ho2Sm7
Comment 7 • 4 years ago (Assignee)
Thanks. I forgot the thread I'm looking for doesn't get registered to the profiler, so we can't look at it directly. We may just have to back out bug 1658042 since without NSS and PSM changes it doesn't help anyway.
Comment 8 • 4 years ago (Reporter)
Well ... This makes sense to me.
Btw - is there a way of debugging this code at runtime? (So that we can track the chain of calls and see which part really hangs - I suspect it's some native call for obtaining the certificates, maybe due to the fact that my PC can't actually reach the domain controller currently, so the cert response is delayed for some reason.)
Comment 9 • 4 years ago (Assignee)
If you're familiar with windbg you could try using that. The thread you're looking for will be running code in a library called osclientcerts (or maybe osclientcerts-static).
Comment 10 • 4 years ago (Assignee)
Bug 1658042 attempted to identify keys that could only handle legacy crypto
using CryptFindCertificateKeyProvInfo. However, it appears that this API can
be incredibly slow and potentially involve network I/O. This patch reworks
the legacy crypto handling by using CryptAcquireCertificatePrivateKey with the
CRYPT_ACQUIRE_SILENT_FLAG flag to avoid showing UI at inopportune times.
Comment 11 • 4 years ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7927a1705247
osclientcerts: rework legacy key handling to avoid slow APIs r=kjacobs
Comment 12 • 4 years ago
bugherder
Comment 13 • 4 years ago
The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.