SSL_ERROR_HANDSHAKE_FAILURE_ALERT when trying to ID prepaid card
Categories: Core :: Security: PSM, defect
People: Reporter: gcp, Unassigned, NeedInfo
Attachments: 1 file (54.93 KB, image/png)
This is a required ID procedure to use my phone. Trying to do this with Nightly proceeds to reading my national eID card, but then fails with an "incorrect phone number" message.
The same procedure works with Chrome, so I tested release 89.0.2. It doesn't even get that far, but fails almost immediately with SSL_ERROR_HANDSHAKE_FAILURE_ALERT.
I notice we have unconfirmed bugs like bug 1271618 and bug 1563835 that link the same error to PIN code/smartcard usage, so this might not be a pure SSL issue.
Comment 1 • 4 years ago
(In reply to Gian-Carlo Pascutto [:gcp] from comment #0)
> This is a required ID procedure to use my phone.

Are you on your phone when you do this or on another device? (as in, are you using desktop Firefox or Firefox for Android or something?)

> Trying to do this with Nightly proceeds to reading my national eID card

What does this mean? Does Nightly ask you to use a client certificate to access that site?

> , but then fails with an "incorrect phone number" message.

Is this a message from the website or Firefox?

> I notice we have unconfirmed bugs like bug 1271618 and bug 1563835 that link the same error to PIN code/smartcard usage, so this might not be a pure SSL issue.

Is Firefox asking you to enter a PIN?
Comment 2 • 4 years ago (Reporter)
> Are you on your phone when you do this or on another device?

This is on a Windows desktop.

> What does this mean? Does Nightly ask you to use a client certificate to access that site?

Yes.

> Is this a message from the website or Firefox?

The website. (The error is weird, i.e. it working on Chrome seems to indicate that phone number validation failure only happens in Firefox)

> Is Firefox asking you to enter a PIN?

Yes, the PIN is asked (and it looks like it's accepted, as it's not asked again), but then the phone number error happens.
Comment 3 • 4 years ago
Thanks for your patience with my slow response. Can you get a packet trace (using e.g. Wireshark) of the Chrome TLS handshake with that site vs. the Firefox handshake with that site?
Comment 4 • 3 years ago (Reporter)
Comment 7 • 3 years ago (Reporter)
Attached packet traces - I hope I got the right stream. From eyeballing, Firefox fails to include the client certificate, while Chrome does. At the place where Firefox fails, Chrome displays the dialog as in the screenshot.
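An added example, not part of the bug thread or of Firefox's code: one way to confirm from a capture what comment 7 observed by eye, by counting the certificates in the client's Certificate message. It assumes TLS 1.2 or earlier with client authentication in the initial cleartext handshake (in TLS 1.3, or after renegotiation, the message is encrypted), takes the reassembled client-to-server bytes as input, and runs on constructed sample flights; all function and variable names are hypothetical.

```python
import struct

CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22     # TLS record content types
CERTIFICATE, CLIENT_KEY_EXCHANGE = 11, 16  # handshake message types

def cleartext_handshake(flight: bytes) -> bytes:
    """Join handshake payloads up to ChangeCipherSpec; later records are encrypted."""
    out, off = b"", 0
    while off + 5 <= len(flight):
        ctype, _version, length = struct.unpack_from("!BHH", flight, off)
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if off + 5 + length > len(flight):
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            out += flight[off + 5 : off + 5 + length]
        off += 5 + length
    return out

def client_cert_count(flight: bytes):
    """Certificates in the client's Certificate message; None if no such message."""
    hs, off = cleartext_handshake(flight), 0
    while off + 4 <= len(hs):
        msg_type, msg_len = hs[off], int.from_bytes(hs[off + 1 : off + 4], "big")
        if msg_type == CERTIFICATE:
            body = hs[off + 4 : off + 4 + msg_len]
            count, pos = 0, 3                  # skip 3-byte certificate_list length
            list_end = 3 + int.from_bytes(body[:3], "big")
            while pos + 3 <= list_end:         # each entry: 3-byte length + DER
                pos += 3 + int.from_bytes(body[pos : pos + 3], "big")
                count += 1
            return count
        off += 4 + msg_len
    return None

# Constructed sample flights (not taken from the traces attached to the bug).
def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload
def msg(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body
FAKE_DER = b"\x30\x03\x02\x01\x00"   # placeholder bytes standing in for a certificate
TAIL = (record(HANDSHAKE, msg(CLIENT_KEY_EXCHANGE, b"\x00" * 4))
        + record(CHANGE_CIPHER_SPEC, b"\x01")
        + record(HANDSHAKE, b"\xaa" * 40))     # last record: encrypted Finished
EMPTY_CERT_FLIGHT = record(HANDSHAKE, msg(CERTIFICATE, b"\x00\x00\x00")) + TAIL
ONE_CERT = len(FAKE_DER).to_bytes(3, "big") + FAKE_DER
WITH_CERT_FLIGHT = record(HANDSHAKE, msg(CERTIFICATE, len(ONE_CERT).to_bytes(3, "big") + ONE_CERT)) + TAIL
if __name__ == "__main__":
    print(client_cert_count(EMPTY_CERT_FLIGHT), client_cert_count(WITH_CERT_FLIGHT))
```

A count of 0 means the client answered the server's CertificateRequest with an empty certificate list, which a TLS 1.2 server may reject with a fatal handshake_failure alert.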
Comment 8 • 3 years ago (Reporter)
> Yes, the PIN is asked (and it looks like it's accepted, as it's not asked again), but then the phone number error happens.

I didn't get asked for a PIN this time. Instead, Firefox displayed a dialog with only 1 certificate - not the right one and not the one from the card in the reader. If I cancel, I get the error from the description. Firefox never again shows or asks for which certificate I want.
Comment 9 • 3 years ago (Reporter)
My experience matches the "see also" bug, where that user reports:
> Before upgrade Firefox was prompting users to choose Certificates. After upgrade, user is never prompted to choose.
Comment 10 • 3 years ago (Reporter)
Marking S2: This is a required ID procedure to use my phone. The only workaround is to switch to Chrome.
Comment 11 • 3 years ago
In about:preferences -> View Certificates... -> Authorities, do you see either Belgium Root CA3 or Citizen CA?
If you can go through the authentication process again with the environment variable MOZ_LOG set to pipnss:4 and get the logging output, that would help too. The easiest way I know of to do this is in PowerShell:
$env:MOZ_LOG = 'pipnss:4'
Start-Process -FilePath 'C:\Program Files\Mozilla Firefox\firefox.exe' -RedirectStandardError $HOME\Desktop\log.txt
Thanks!
Comment 12 • 3 years ago (Reporter)
Resetting the needinfo. I "resolved" this by going to a physical store and having them read in my ID card, but I'd like to investigate this deeper still.