Authentication failures using smartcard client authentication
Component: Core :: Security: PSM (defect)
Reporter: pros; Unassigned
Attachments: 1 file (900 bytes, text/plain)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
We have encountered several authentication failures on a particular web site when using FF88 or FF89. Authentication is performed using a smartcard. This problem happens often on certain Windows (Win10 32 & 64) and macOS workstations. When the problem occurs it is possible to log in to the site by using other web browsers (Chrome/Edge/Safari).
Once authentication fails all subsequent login attempts also fail when using Firefox. 'Repairing' Firefox (reinitialising the user profile) clears the problem and logins to the site function again.
We have discovered that when this problem occurs there is a second entry created in the user's 'ClientAuthRememberList.txt' file within their profile. After the initial authentication failure there is a duplicate entry in this file, for the same site and certificate, and its 3rd parameter is different. Deleting this second entry clears the problem until it happens again at some point in the future whereupon the second entry is recreated again.
Comment 1 • 3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2 • 3 years ago
Is this a recurring problem, or does it just happen once per profile?
Dana,
The problem occurs randomly across the end user base and doesn't affect all users. It appears to happen only once per user (or Firefox profile). We can't be completely certain but it looks like the problem doesn't happen again once the original issue has been resolved by deleting the 'ClientAuthRememberList.txt' file, at least we haven't been informed of any repeat cases at this stage.
Comment 4 • 3 years ago
And you're certain that removing the second line in attachment 9229890 [details] fixes it? (and not the third?)
Dana,
Please forgive me for the delay in replying.
I can't answer your question. It turns out that the people who intervene to resolve this issue for the end users simply delete the 'ClientAuthRememberList.txt' file and restart Firefox. My initial statement about deleting the 2nd line was due to a communication mix-up.
The end users are several entities below us, so it's not easy to debug or get more information; asking for debugging actions to be performed is very difficult on top of the random nature of the problem. I'm not sure how to take this further. I'd be happy to take any suggestions that you might have.
Regards,
Paul
Dana,
I think that you must be right. I believe that it is the 3rd line in the file that causes the authentication failure.
I managed to provoke what appears to be the same behaviour that has been described to us and the 'ClientAuthRememberList.txt' file contains just one line and it resembles the 3rd line that you asked about (with '... no client certificate' at the end).
Following the error I captured the 'ClientAuthRememberList.txt' file. Every time I place this file into the Firefox profile directory I get the authentication failure (SSL_ERROR_HANDSHAKE_FAILURE_ALERT) when trying to connect to the SSL site, straight after entering the PIN code when using our PKCS#11 module or before any PIN code is requested when using our CSP instead of the PKCS#11.
The Firefox 'Certificate Manager' -> 'Authentication decisions' -> 'Certificate name' column contains "Do not send client certificate" for the site in question.
I have since discovered that if I select 'Cancel' at the certificate selection dialog and 'Remember this selection' is checked then all subsequent attempts at connecting to the site fail with SSL_ERROR_HANDSHAKE_FAILURE_ALERT. When I encountered the problem I had NOT clicked 'Cancel'.
In my opinion, if we click 'Cancel' at this point then we are simply abandoning the connection attempt, we are not saying that we want Firefox to remember to never send a client certificate to this site.
It is this last paragraph above that makes me realise that I think I have seen discussion about this on Bugzilla or maybe mozilla-central somewhere.
My situation resulted from attempting to connect to the test site and having Firefox display the 'Security risk' page, which I then had to select 'Advanced' followed by 'Continue anyway' (There is no problem with the site; this just happens occasionally when using Firefox, and I've never seen it with Chrome or Safari). A PIN code was requested just before the 'Security risk' page and also immediately after clicking the 'Continue anyway' button. Subsequently the authentication failed and I could no longer authenticate to the site, even after restarting Firefox. This is the behaviour that has been reported by some of our end users. I have so far been unable to reproduce the behaviour that produced this 'ClientAuthRememberList.txt' file.
So, apart from Firefox placing the offending line when clicking 'Cancel' at the 'Select certificate' dialog, I think the bigger issue here is that Firefox ends up in a state where it sometimes puts this problematic line in the 'ClientAuthRememberList.txt' file.
Although in my opinion if Firefox never 'remembered not to send a certificate' then the issue would be mitigated.
Regards,
Paul.
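The comment above boils down to a triage check a support team can script: a remembered "no client certificate" decision for the host in 'ClientAuthRememberList.txt' reproduces the SSL_ERROR_HANDSHAKE_FAILURE_ALERT until that entry is gone. The following is an added example, not code from this bug report or from Mozilla. It assumes (the thread does not show the attachment's layout) that each line is tab-separated, that the host name begins the first field, and that the remembered decision is the last field, with the literal text "no client certificate" marking a suppressed certificate as quoted in the comment; the sample lines are constructed. It removes only those entries for the given host and keeps a backup, rather than deleting the whole file as the field technicians do.

```python
"""Find and strip remembered "no client certificate" decisions from a
Firefox ClientAuthRememberList.txt (added example, not Mozilla code).

Assumptions, not confirmed by the bug thread: tab-separated fields, the
host name leads the first field (up to the first comma), and the
remembered decision is the last field. The decision text for a
suppressed certificate is the literal "no client certificate" that the
thread quotes. Run this with Firefox closed; the browser rewrites its
profile files on exit and would otherwise overwrite the edit.
"""
import shutil
from pathlib import Path
from typing import List, Optional, Tuple

NO_CERT_MARKER = "no client certificate"

# Constructed sample: two remembered decisions for the same host, one
# carrying a certificate key and one recording "no client certificate"
# (the entry that makes every later handshake fail), plus an unrelated host.
SAMPLE = (
    "auth.example.test,,\t1\t1234567890\tABCD1234\n"
    "auth.example.test,,\t1\t1234567891\tno client certificate\n"
    "other.example.test,,\t1\t1234567892\tEF567890\n"
)

Entry = Tuple[int, str, str, str]  # (line number, host, decision, raw line)


def host_of(key: str) -> str:
    """Host name portion of an entry key (assumed to precede the first comma)."""
    return key.split(",", 1)[0]


def parse(text: str) -> List[Entry]:
    """Split the file into (line number, host, decision, raw line) tuples."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        entries.append((lineno, host_of(fields[0]), fields[-1].strip(), line))
    return entries


def find_no_cert_decisions(text: str, host: Optional[str] = None) -> List[Entry]:
    """Entries that remember 'do not send a client certificate', optionally for one host."""
    return [
        e for e in parse(text)
        if e[2] == NO_CERT_MARKER and (host is None or e[1] == host)
    ]


def strip_no_cert_decisions(text: str, host: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return the file text without the offending entries, plus the removed raw lines."""
    keep: List[str] = []
    removed: List[str] = []
    for _, h, decision, line in parse(text):
        if decision == NO_CERT_MARKER and (host is None or h == host):
            removed.append(line)
        else:
            keep.append(line)
    return "\n".join(keep) + ("\n" if keep else ""), removed


def repair_file(path: str, host: Optional[str] = None) -> List[str]:
    """Back up the list file, drop the remembered 'no client certificate' entries, report them."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    new_text, removed = strip_no_cert_decisions(p.read_text(encoding="utf-8"), host)
    p.write_text(new_text, encoding="utf-8")
    return removed


if __name__ == "__main__":
    for lineno, host, _, _ in find_no_cert_decisions(SAMPLE):
        print(f"line {lineno}: remembered 'no client certificate' for {host}")
```

Pointing `repair_file` at the profile's 'ClientAuthRememberList.txt' with the affected host leaves the user's other remembered certificate choices intact; the equivalent manual fix is the Certificate Manager 'Authentication decisions' tab mentioned above.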
Comment 7 • 3 years ago
This sounds like essentially bug 1657588. There is no code path by which Firefox can save a "Do not send client certificate" decision without showing that dialog.