Closed Bug 1759158 Opened 2 years ago Closed 2 years ago

ff unusable with smartcard

Categories

(Core :: Networking, defect)

Firefox 91
defect

RESOLVED INVALID

People

(Reporter: mvogt1, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

I'm starting ff on Linux and monitoring the pcscd commands with
pcscd -f --apdu --debug

and then open one tab with an https web page.

  1. The firefox start takes too long.
  2. Everything blocks, GUI not responsive.
  3. Everything is too slow.

I monitor around 5000 calls to the smartcard, mostly CMD_GET_READERS_STATE,
after having opened three tabs.

After I opened another tab the whole process starts again.

The smartcard is exported with vmware horizon, so every call travels over the network.
Horizon uses the same approach as freerdp [MS-RDPESC], and here the slowdown
becomes obvious.

As a result: I cannot use ff with a smartcard inserted, even if I don't use the smartcard
for authentication.

Actual results:

I cannot connect to a webpage using smartcard, because before ff has
issued all calls to the card the session is expired.

Expected results:

I think ff should not call CMD_GET_READERS_STATE, and maybe other
PCSCD calls, so many times.
It should not start the whole process again if I open another tab.

For reproduction a freerdp/Horizon setup is not necessary.
pcscd shows the amount of redundant calls to the pcsc layer.

Something is broken.

The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Networking
Product: Firefox → Core

Hi Dana,
Do you know if this is related to OS client certificate?

Flags: needinfo?(dkeeler)

(In reply to Kershaw Chang [:kershaw] from comment #2)

> Do you know if this is related to OS client certificate?

No - osclientcerts isn't available for Linux.

What PKCS#11 modules do you have installed? (about:preferences -> Security Devices)

Flags: needinfo?(dkeeler) → needinfo?(mvogt1)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #3)

> (In reply to Kershaw Chang [:kershaw] from comment #2)
>
> > Do you know if this is related to OS client certificate?
>
> No - osclientcerts isn't available for Linux.
>
> What PKCS#11 modules do you have installed? (about:preferences -> Security Devices)

It's from cryptovision, a read-only driver for starcos 3.2.
In contrast to opensc it only offers support for one card.
The opensc driver is even more resource intensive; it probes every ATR/driver combination for every slot.
Here I see the "get reader states", which should be issued by the mozilla api, but I don't know the source code, of course.

The issue was not that obvious with older ff versions; at least it did work some time ago, with some older versions, but it was never fast.
(I don't know the "fast enough" release, but I can try to find out. But it's an older esr, I'm using rhel7.)

Flags: needinfo?(mvogt1)

Can you use the profiler to see what the hot code paths are? https://profiler.firefox.com/ (use custom settings, include the socket thread, and add "ssl" to the list of threads)

Flags: needinfo?(mvogt1)

I debugged it here:

https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/issues/673

It turns out that it's opensc's fault in rhel8:

  • opensc configured in p11-kit is responsible for the packet storm on pcscd.

==> I think the ticket can be closed.

After removing opensc, ff behaves as expected. :)

(I thought opensc.module in p11-kit was installed/configured, I was wrong)

Flags: needinfo?(mvogt1)

> (I thought opensc.module in p11-kit was installed/configured, I was wrong)

I meant "not installed".

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
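
The root cause in this thread was an opensc.module entry in p11-kit that the reporter did not expect to be configured. The following is an added example, not part of the bug thread or of any project's code: it lists p11-kit module files and reports whether each would load in a given program, based on the `module`, `enable-in` and `disable-in` options. The function name `p11_modules_for` and the directories in the usage comment are assumptions (common p11-kit defaults; your distribution may use others).

```shell
# Added example. For each *.module file in the given directories, print:
#   <file name> <TAB> <module: value> <TAB> loaded|skipped
# "skipped" means enable-in/disable-in excludes the named program.
# Usage (directories are assumed defaults, adjust for your system):
#   p11_modules_for firefox /etc/pkcs11/modules /usr/share/p11-kit/modules
p11_modules_for() {
    prog=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.module; do
            [ -f "$f" ] || continue
            awk -v prog="$prog" -v file="$f" '
                # True if prog appears in a comma/space separated list.
                function listed(list,   n, a, i) {
                    n = split(list, a, /[ ,]+/)
                    for (i = 1; i <= n; i++) if (a[i] == prog) return 1
                    return 0
                }
                /^[ \t]*#/ { next }                 # skip comment lines
                {
                    c = index($0, ":"); if (!c) next
                    key = substr($0, 1, c - 1); val = substr($0, c + 1)
                    gsub(/^[ \t]+|[ \t]+$/, "", key)
                    gsub(/^[ \t]+|[ \t]+$/, "", val)
                    opt[key] = val
                }
                END {
                    state = "loaded"
                    if (("enable-in" in opt) && !listed(opt["enable-in"])) state = "skipped"
                    if (("disable-in" in opt) && listed(opt["disable-in"])) state = "skipped"
                    mod = ("module" in opt) ? opt["module"] : "(none)"
                    n = split(file, parts, "/")
                    printf "%s\t%s\t%s\n", parts[n], mod, state
                }' "$f"
        done
    done
}
```

A module reported as `loaded` that you did not expect (opensc in the reporter's case) is the one to inspect when pcscd shows a flood of reader-state calls.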