Closed Bug 1729700 Opened 3 years ago Closed 3 years ago

Client certificate dialog 'Cancel' prevents further SSL connections with ANOTHER certificate of ANOTHER smart card for same site

Categories

(Firefox :: Security, defect)

Firefox 92
defect

RESOLVED DUPLICATE of bug 1657588

People

(Reporter: bertrand.perret, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0

Steps to reproduce:

Verify there's no ClientCertRememberList.txt file in the current used Firefox profile.

Access to the site requesting client certificate from the 1st smart card.

Enter the right PIN code card.

The client certificate dialog appears.

Click 'Cancel' which dismisses the dialog.

Firefox displays the connection error (which is the expected result)

Close Firefox.

In the user profile, ClientCertRememberList.txt file is created with following line (as example of our test):
testssl.asipsante.fr,18:3D:C8:BC:8C:0B:7E:75:3A:E5:CF:A7:C0:50:58:AD:9D:28:EF:5B:9B:31:62:95:18:2B:15:23:ED:DE:4D:2B, 0 18878 no client certificate

Now, insert another CPS card containing a valid authentication certificate.

Reopen Firefox.

Access to the same site requesting client certificate from the 2nd smart card.

Enter right PIN code card.

The client certificate dialog appears.

Click 'OK'

Actual results:

Actual behaviour:

Firefox displays the connection error (which is not what would be desired since it's another card and therefore another certificate)

Expected results:

Which is expected:

Two things:

  • the SSL connection succeeds and card infos are displayed for the 2nd card.
  • Firefox continues refusing connections in case of using the first card.

Component: Untriaged → Security

The above test was done on Windows platform to be precise.

Summary: Client certificate dialog 'Cancel' prevents connecting with ANOTHER certificate of ANOTHER smart card for same site → Client certificate dialog 'Cancel' prevents further SSL connections with ANOTHER certificate of ANOTHER smart card for same site
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

Hi Dana,

Do you intend to modify the "OK" button logic when two identities (authentication certificates) are used by the end user for the same site:

  • one identity is marked 'no client certificate' in ClienAuthRememberedList.txt (and therefore is no longer usable)
  • the other identity should be usable by Firefox as long as it's not 'cancelled' too and enable SSL connection to the site?

Is this enhancement scheduled in the other ticket 1657588?

Flags: needinfo?(dkeeler)

The purpose of bug 1657588 is to clarify what happens when a user clicks "cancel" on that dialog - namely, that Firefox will not send a client certificate. If the "remember this decision" box is checked, Firefox will remember that decision to not send a client certificate. If a user wants to use a different certificate, they'll have to delete the saved decision in the certificate manager.

Flags: needinfo?(dkeeler)
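
An added example, not part of the bug discussion and not Firefox code: a small Python audit that lists the sites for which a profile's remembered-decision file holds a saved 'no client certificate' entry, which are the decisions that have to be deleted in the certificate manager before another card can be used. The field layout (key, two numeric fields, value) is inferred from the single sample line in the report, reading the second number as days since 1970-01-01 is an assumption, and the second sample line is constructed.

```python
import re
from datetime import date, timedelta

# Sample input: line 1 is the entry quoted in the report (whitespace as shown
# on the page); line 2 is a constructed entry with a placeholder value.
SAMPLE = (
    "testssl.asipsante.fr,18:3D:C8:BC:8C:0B:7E:75:3A:E5:CF:A7:C0:50:58:AD:"
    "9D:28:EF:5B:9B:31:62:95:18:2B:15:23:ED:DE:4D:2B, 0 18878 no client certificate\n"
    "intranet.example,AA:BB:CC:DD, 2 18880 placeholder-remembered-cert-key\n"
)

# Assumed layout: <key> <number> <number> <value>, separated by tabs or spaces.
# The key has no whitespace; the value may contain spaces.
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(.+)$")
NO_CERT = "no client certificate"


def parse_line(line):
    """Return a dict for one remembered decision, or None if the line does not fit."""
    m = LINE.match(line.strip())
    if not m:
        return None
    key, score, day, value = m.groups()
    parts = key.split(",")
    if len(parts) < 2:
        return None
    return {
        "host": parts[0],
        "fingerprint": parts[1],  # certificate fingerprint stored in the key
        "score": int(score),
        # Assumption: the second number counts days since the Unix epoch.
        "last_used": date(1970, 1, 1) + timedelta(days=int(day)),
        "blocks_client_cert": value == NO_CERT,
    }


def blocked_hosts(text):
    """Hosts with a saved decision to send no client certificate."""
    entries = (parse_line(l) for l in text.splitlines())
    return sorted({e["host"] for e in entries if e and e["blocks_client_cert"]})


if __name__ == "__main__":
    for host in blocked_hosts(SAMPLE):
        print("saved 'no client certificate' decision for", host)
```
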