Closed Bug 1717743 Opened 3 years ago Closed 3 years ago

Client certificate requests cause new connections to block until the dialog is resolved

Categories

(Core :: Networking, defect)

RESOLVED DUPLICATE of bug 696976

People

(Reporter: eddiecarswell13, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

  1. Have a client certificate available to Firefox (e.g. smartcard, YubiKey, or software certificate). You can generate one quickly on Linux with OpenSSL:

         # Generate Cert
         openssl req -new -x509 -out test.crt -keyout test.key -newkey rsa:2048 \
             -sha256 -days 90 -config /etc/ssl/openssl.cnf -extensions v3_req \
             -nodes -subj "/CN=Test User Cert"
         # Convert to PKCS#12
         openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt
         # Enter an export password, then import the .p12 into Firefox

  2. Navigate to a site requiring a client certificate to connect, triggering the prompt. You might try this one if none is readily available. Or again, you can spawn one with OpenSSL:

         # Generate Cert
         openssl req -new -x509 -out server.crt -keyout server.key -newkey rsa:2048 \
             -sha256 -days 90 -config /etc/ssl/openssl.cnf -extensions v3_req \
             -nodes -subj "/CN=Test Server Cert"
         # Start server with client cert authentication on port 8443
         openssl s_server -cert server.crt -key server.key -WWW -port 8443 \
             -verify_return_error -Verify 1
         # Navigate to https://localhost:8443/

  3. Try to open a secure page in the same session (probably in a new window, since the dialog is window modal).

Actual results:

All new connections (HTTP or HTTPS) are blocked (held?) until the certificate prompt is resolved (regardless of whether or not the cert is sent). Afterwards, the pages load normally.

Bonus points if you're streaming (video or music) and you notice the stream stop when the buffer runs out due to no more media loading.

Expected results:

One TLS connection awaiting user interaction should not block further requests, especially when these requests are to another origin, in another process (affects private browsing too) or not even encrypted.

I've tested this in the latest Firefox Stable and Nightly (as of this writing). The issue has been present for some years as far as I remember. Just thought I'd report it now.

Summary: Client certificate requests cause new TLS connections to block until the dialog is resolved → Client certificate requests cause new connections to block until the dialog is resolved
OS: Unspecified → All
Hardware: Unspecified → All

Can you take a look?

Flags: needinfo?(dkeeler)

This is a limitation in NSS. It's on our roadmap to address in the near future.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → DUPLICATE