Getting SSL_ERROR_EXPIRED_CERT_ALERT error due to an old smart card certificate remembered decision
Categories: Core :: Security: PSM, defect

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox92 | --- | fixed |

People: Reporter: slavi, Assigned: keeler
Details: Whiteboard: [psm-assigned]
Attachments: 1 file
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
I'm using a smart card certificate for authentication to a website.
It seems like I've used the "remember this decision" feature before.
Everything was working fine, but I've recently renewed my expiring smart card certificate.
Whenever I visit this website now, I immediately get an SSL_ERROR_EXPIRED_CERT_ALERT error. I don't get a prompt asking me which certificate to use.
Actual results:
Looks like Firefox was using a now-expired certificate -- some remembered decision from before.
It didn't provide a prompt telling me that there are other options (I do have a renewed certificate on this smart card now).
It didn't point me to Settings > Privacy & Security > View Certificates > Authentication Decisions, where I could manage such remembered decisions.
In any case, going to Settings > Privacy & Security > View Certificates > Authentication Decisions, I didn't see any remembered decisions that I could clear.
I have ended up manually deleting entries from the ClientAuthRememberList.txt file in my profile directory, which solved the problem.
Expected results:
I expect that Firefox would notice that this certificate is expired and bring the "prompt" again, despite me having said "remember this decision" some few years ago.
I also expect that whenever an error like SSL_ERROR_EXPIRED_CERT_ALERT (or similar) happens, Firefox would bring up a prompt asking for another certificate. Authentication has obviously failed, so it should provide other options instead of insisting on this.
It may have also told me about such remembered decisions and pointed me to Settings > Privacy & Security > View Certificates > Authentication Decisions, so I can edit these decisions.
In any case, I would have expected that the "Authentication Decisions" feature worked. It seems like it currently doesn't list anything.
Seems like this is 2 issues in one:
- (bug) "Authentication Decisions" showed nothing, while there were obviously some remembered decisions, which I could clear manually from ClientAuthRememberList.txt
- (enhancement) improving the current behavior -- selecting an expired certificate and not giving me other options or guides, but merely an SSL_ERROR_EXPIRED_CERT_ALERT error is not friendly
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•4 years ago
(In reply to slavi from comment #0)
> I expect that Firefox would notice that this certificate is expired and bring the "prompt" again, despite me having said "remember this decision" some few years ago.

More than one year ago? The feature to persistently remember these decisions has only existed for a year...

> - (bug) "Authentication Decisions" showed nothing, while there were obviously some remembered decisions, which I could clear manually from ClientAuthRememberList.txt

Do you have a copy of ClientAuthRememberList.txt from before you edited it that you could share with me to diagnose this?

> - (enhancement) improving the current behavior -- selecting an expired certificate and not giving me other options or guides, but merely an SSL_ERROR_EXPIRED_CERT_ALERT error is not friendly

Please file a new bug for this in Firefox :: Security.
Comment 3
I have sent the problematic ClientAuthRememberList.txt to your email. Thank you for looking into this!
Comment 4•4 years ago
How does this build behave? https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Vxe_78RrRrGmjvPKqZ31qA/runs/0/artifacts/public/build/target.tar.bz2 (it won't address the enhancement you suggested, but hopefully it'll fix the bug with remembered decisions not showing up)
Comment 5
I can confirm that "Settings > Privacy & Security > View Certificates > Authentication Decisions" now displays remembered decisions correctly, so I can clear them up.
Thanks for the fix! I guess we can close this bug now. Although, opening another one for some UI/UX improvements might be a good idea.
Comment 6•4 years ago
This patch updates the remembered client authentication decision tab of the certificate manager to gracefully handle cases where a certificate corresponding to a remembered decision has been deleted from the user's certificate store or if it lives on a token that has been removed.