Closed Bug 1746532 Opened 2 years ago Closed 2 years ago

Positive client certificate choices don't persist

Categories

(Core :: Security: PSM, defect)

Firefox 91

RESOLVED DUPLICATE of bug 1139205

People

(Reporter: da-wgh, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

  1. Open a website that requests a client certificate
  2. In the dialog window, choose a certificate, checking "remember choice"
  3. Exit the browser, or close the tab and wait for a while so persistent HTTPS connections get torn down
  4. Open the website again

Actual results:

Firefox asks for a certificate again.

Expected results:

Firefox doesn't ask for a cert, and sends the remembered certificate again.

This is supposed to be fixed in bug 634697, but the "fix" somehow made things worse. I'll give you my debugging notes.

I don't understand what's going on. I even tried deleting ClientAuthRememberList.txt to start from scratch.

It seems the positive choice does get stored into ClientAuthRememberList.txt (at the browser exit):

redacteddomain.com,1D:D6:F3:7F:CE:5B:3C:B5:BB:7D:B1:70:9F:5A:B8:CF:74:57:F8:28:E0:A4:3D:68:9D:A1:8F:C6:A:CF:CA:07,^partitionKey=%28https%2Credacteddomain.com%29 0 18977 AAAAAAAAAAAAAAAgAAAAG37PGiMvTjDNYl5mJDIHUdTyal0gCLu4tnnlsaxCSFV5MBkxFzAVBgNVBAMM<redacted>

But it has no effect whatsoever. Every time I visit the site again (after a delay so persistent HTTPS connections get closed), I get asked for a cert. "Authentication Decisions" in the UI shows an empty list.

But if I hit cancel just once, the negative choice replaces the positive choice quoted above (ditto: the file gets rewritten at the browser exit):

redacteddomain.co,1D:D6:F3:7F:CE:5B:3C:B5:BB:7D:B1:70:9F:5A:B8:CF:74:57:F8:28:E0:A4:3D:68:9D:A1:8F:C6:8A:CF:CA:07,^partitionKey=%28https%2Credacteddomain.con%29 1 18978 no client certificate

And I never get asked for a cert ever again. Not even after browser restart. The "Authentication Decisions" still shows an empty list.
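
An added example, not part of the original report or of Firefox's code: a small Python reader for lines in the layout quoted above, for checking which remembered decision is actually on disk for a host. It assumes four whitespace-separated fields (key, a counter, a last-used day number counted from the Unix epoch, value) and a key made of host, server-certificate SHA-256 fingerprint and origin-attributes suffix; the sample lines are constructed.

```python
from datetime import date, timedelta
from urllib.parse import unquote

NO_CERT = "no client certificate"  # value the report shows after "cancel"

# Constructed sample input; hosts, fingerprint and certificate value are made up.
FP = ":".join(["AB"] * 32)
SAMPLE = (
    f"example.test,{FP},^partitionKey=%28https%2Cexample.test%29\t0\t18977\tQUJDREVGRw==\n"
    f"other.test,{FP},\t1\t18978\t{NO_CERT}\n"
    "truncated line\n"
)

def parse_entry(line):
    """Return a dict for one entry, or None if the line is malformed."""
    parts = line.split(None, 3)  # the value itself may contain spaces
    if len(parts) != 4 or not (parts[1].isdigit() and parts[2].isdigit()):
        return None
    key_parts = parts[0].split(",", 2)
    if len(key_parts) != 3:
        return None
    host, fingerprint, suffix = key_parts
    octets = fingerprint.split(":")
    value = parts[3].strip()
    return {
        "host": host,
        # A SHA-256 fingerprint is 32 two-digit hex octets.
        "fingerprint_ok": len(octets) == 32 and all(
            len(o) == 2 and all(c in "0123456789abcdefABCDEF" for c in o)
            for o in octets),
        "origin_suffix": unquote(suffix),
        # Assumption: the third field counts days since 1970-01-01.
        "last_used": date(1970, 1, 1) + timedelta(days=int(parts[2])),
        "decision": "send no certificate" if value == NO_CERT else "send certificate",
    }

def load(text):
    """Parse every non-empty line; return (entries, number of malformed lines)."""
    parsed = [parse_entry(l) for l in text.splitlines() if l.strip()]
    entries = [e for e in parsed if e is not None]
    return entries, len(parsed) - len(entries)

if __name__ == "__main__":
    entries, bad = load(SAMPLE)
    for e in entries:
        print(e["host"], e["decision"], e["last_used"], e["origin_suffix"],
              "" if e["fingerprint_ok"] else "(odd fingerprint)")
    print("malformed lines:", bad)
```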

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

I personally know two other people with the same problem. Their Firefox versions are 95 and unknown, respectively. All of us are running Linux.

After thorough debugging, I determined that the underlying cause of my problem was bug 1139205.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE

Having zero useful logging and resorting to rebuilding both firefox and nss with debug symbols and single-stepping with gdb was not really fun, I have to admit.
