Client certificate requests cause new connections to block until the dialog is resolved
Categories
(Core :: Networking, defect)
People
(Reporter: eddiecarswell13, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Steps to reproduce:
- Have a client certificate available to Firefox (e.g. smartcard, yubikey, or software certificate). You can generate one quickly on Linux with OpenSSL:
# Generate Cert
openssl req -new -x509 -out test.crt -keyout test.key -newkey rsa:2048 \
-sha256 -days 90 -config /etc/ssl/openssl.cnf -extensions v3_req \
-nodes -subj "/CN=Test User Cert"
# Convert to PKCS#12
openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt
# Enter an export password, then import the .p12 into Firefox
- Navigate to a site requiring a client certificate to connect, triggering the prompt. You might try this one if none is readily available. Or again, you can spawn one with OpenSSL:
# Generate Cert
openssl req -new -x509 -out server.crt -keyout server.key -newkey rsa:2048 \
-sha256 -days 90 -config /etc/ssl/openssl.cnf -extensions v3_req \
-nodes -subj "/CN=Test Server Cert"
# Start server with client cert authentication on port 8443
openssl s_server -cert server.crt -key server.key -WWW -port 8443 \
-verify_return_error -Verify 1
# Navigate to https://localhost:8443/
- Try to open a secure page in the same session (probably in a new window, since the dialog is window modal).
Actual results:
All new connections (HTTP or HTTPS) are blocked (held?) until the certificate prompt is resolved (regardless of whether or not the cert is sent). Afterwards, the pages load normally.
Bonus points if you're streaming (video or music) and you notice the stream stop when the buffer runs out due to no more media loading.
Expected results:
One TLS connection awaiting user interaction should not block further requests, especially when these requests are to another origin, in another process (affects private browsing too) or not even encrypted.
I've tested this in the latest Firefox Stable and Nightly (as of this writing). The issue has been present for some years as far as I remember. Just thought I'd report it now.
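As an added example (not part of the report or of any Mozilla or NSS code), the script below carries the reproduction steps above through in a form that can be checked from the command line: it generates the self-signed server and client certificates the way the report does, starts openssl s_server so that a client certificate is mandatory, then probes it once without a certificate (the point at which a browser would raise the certificate prompt) and once presenting client.crt. It assumes OpenSSL 1.1.1 or newer on PATH, mktemp, and that 127.0.0.1:18443 is free; the port and working directory are assumptions and can be overridden through PORT and WORK. One deliberate difference from the report's server command: it passes -CAfile naming the client certificate as a trusted issuer, so the authenticated probe verifies. The report's command omits it, which is fine for triggering the prompt, but with -verify_return_error the server would then also terminate the connection of a client that does present the self-signed cert.

```shell
#!/bin/sh
# Constructed reproduction helper for the client-certificate prompt scenario;
# not part of the original bug report. Assumptions: openssl >= 1.1.1, mktemp,
# and a free 127.0.0.1:18443 (override with WORK=/path PORT=nnnn).
set -eu

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-18443}"
SERVER_PID=""

# Self-signed server and client certificates, as in the report. The client
# cert is also bundled as PKCS#12 (empty export password) so it can be
# imported into the browser's certificate manager.
gen_certs() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -subj "/CN=localhost" 2>>"$WORK/gen.log" &&
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" \
    -subj "/CN=Test User Cert" 2>>"$WORK/gen.log" &&
  openssl pkcs12 -export -out "$WORK/client.p12" -inkey "$WORK/client.key" \
    -in "$WORK/client.crt" -passout pass: 2>>"$WORK/gen.log"
}

# Background s_server. -Verify 1 makes the client certificate mandatory;
# -CAfile names the issuer the server trusts (the self-signed client cert
# itself), so a presented cert passes verification instead of being
# terminated by -verify_return_error. -WWW serves files from the cwd.
start_server() {
  printf 'ok\n' >"$WORK/index.html"
  : >"$WORK/server.log"
  ( cd "$WORK" && exec openssl s_server -accept "127.0.0.1:$PORT" \
      -cert server.crt -key server.key -CAfile client.crt \
      -Verify 1 -verify_return_error -WWW ) >"$WORK/server.log" 2>&1 &
  SERVER_PID=$!
  # s_server prints ACCEPT once it is listening; wait for it (about 20 s max).
  n=0
  until grep -q ACCEPT "$WORK/server.log"; do
    n=$((n + 1))
    [ "$n" -lt 20 ] || { echo "s_server did not start, see $WORK/server.log" >&2; return 1; }
    sleep 1
  done
}

stop_server() {
  if [ -n "$SERVER_PID" ]; then
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=""
  fi
}

# Probe 1: connect with no client certificate and send nothing. Returns 0
# when the server refused the handshake: a TLS alert (TLS 1.3 "certificate
# required", TLS 1.2 "handshake failure") came back and no page body did.
probe_without_cert() {
  openssl s_client -connect "127.0.0.1:$PORT" -quiet -ign_eof -verify_quiet \
    -CAfile "$WORK/server.crt" </dev/null >"$WORK/nocert.out" 2>&1 || true
  grep -qi 'alert' "$WORK/nocert.out" && ! grep -q '^ok' "$WORK/nocert.out"
}

# Probe 2: present client.crt and request the page. Returns 0 when the body
# of /index.html ("ok") was delivered.
probe_with_cert() {
  printf 'GET /index.html HTTP/1.0\r\n\r\n' |
    openssl s_client -connect "127.0.0.1:$PORT" -quiet -ign_eof -verify_quiet \
      -CAfile "$WORK/server.crt" -cert "$WORK/client.crt" -key "$WORK/client.key" \
      >"$WORK/withcert.out" 2>&1 || true
  grep -q '^ok' "$WORK/withcert.out"
}

# Full run: returns 0 only if the server behaves as a client-cert-requiring
# server should (anonymous client refused, authenticated client served).
run_demo() {
  gen_certs || return 1
  start_server || return 1
  status=0
  if probe_without_cert; then
    echo "PASS: anonymous client refused (this is where the browser prompts)"
  else
    echo "FAIL: server accepted a client without a certificate"; status=1
  fi
  if probe_with_cert; then
    echo "PASS: client presenting client.crt was served /index.html"
  else
    echo "FAIL: authenticated client was not served"; status=1
  fi
  stop_server
  return "$status"
}

trap stop_server EXIT
if run_demo; then DEMO_RESULT=0; else DEMO_RESULT=1; fi
echo "artifacts left in $WORK (client.p12 is the bundle to import into Firefox)"
```

Run it with sh, then import the client.p12 it leaves behind into Firefox and open https://localhost:18443/index.html in one window while loading unrelated pages in another; the prompt from probe 1's refusal point is the one the report describes as blocking those other loads.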
This is a limitation in NSS. It's on our roadmap to address in the near future.