Closed Bug 1835103 Opened 2 years ago Closed 2 years ago

When attempting to authenticate using a CPS (French Healthcare Professional's Card) smartcard Firefox's 'Certificate Selection' dialog is not displayed therefore authentication cannot proceed.

Categories

(Core :: Security: PSM, defect, P1)

Firefox 114

RESOLVED FIXED
116 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- unaffected
firefox114 blocking verified
firefox115 blocking fixed
firefox116 --- fixed

People

(Reporter: pros, Assigned: keeler)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [psm-assigned][psm-smartcard])

Attachments

(4 files)

Steps to reproduce:

On macOS Big Sur and Ventura (not tested on Monterey):
Navigate to an https page that requires client certificate authentication. The certificate is smartcard based.

Actual results:

No Certificate Selection dialog is displayed.

Expected results:

The Certificate Selection dialog should be displayed in order to select the authentication certificate on the smartcard.

Debug log from failed authentication attempt.

Debug log from Firefox 13.0.2 with successful authentication

Summary: When attempting to authenticate using a CPS (French Healthcare Professional's Card) smartcard, the Firefox's Certificate selection dialog is not displayed therefore authentication cannot proceed. → When attempting to authenticate using a CPS (French Healthcare Professional's Card) smartcard Firefox's 'Certificate Selection' dialog is not displayed therefore authentication cannot proceed.

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

If you disable speculative connections (try setting browser.urlbar.speculativeConnect.enabled to false and network.http.speculative-parallel-limit to 0 in about:config), does it work?

Flags: needinfo?(pros)
Regressions: 1813618

Hello Dana.

Setting 'browser.urlbar.speculativeConnect.enabled' to false and 'network.http.speculative-parallel-limit' to 0 as you suggested does allow the authentication to succeed.

The fact that Firefox 114 requires changes to its configuration in order for authentication via CPS smartcard to work is a problem in itself.

Can this issue be resolved? There will be many healthcare professionals affected by this change once Firefox 113.X starts to automatically upgrade to 114.

Flags: needinfo?(pros) → needinfo?(dkeeler)

Thanks for testing that out. We're looking into this bug, but I can't guarantee a specific time it'll be fixed or addressed. In the meantime, I recommend you use Firefox ESR if you need more of a long-term support version of Firefox.

Flags: needinfo?(dkeeler)
Assignee: nobody → dkeeler
Severity: -- → S3
Priority: -- → P1
Whiteboard: [psm-assigned][psm-smartcard]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Regressed by: 1813618
No longer regressions: 1813618

I am raising the severity and setting it as a release blocker; we'll build an RC3 tonight with a backout of bug 1813618.

Paul, would you be able to test our release candidate if I send you the link tomorrow? Thanks

Severity: S3 → S2
Flags: needinfo?(pros)

Hi Pascal.

I am on leave from tonight and return on Tuesday. You can send the release candidate to my colleague Alvaro (who is copied on this Bugzilla ticket) by posting a reply/link here and he will be able to perform tests for you.

Flags: needinfo?(pros)

Our new release candidate is available here:
https://ftp.mozilla.org/pub/firefox/candidates/114.0-candidates/build3/

Here are the French Windows build installers
https://ftp.mozilla.org/pub/firefox/candidates/114.0-candidates/build3/win64/fr/

Alvaro, could you confirm that these builds work for you? Thanks!

Flags: needinfo?(alvaro.rocha)

Successfully tested with this Firefox release candidate 114.0 on :

  • macOS with TokenDriver
  • macOS with PKCS#11 library
  • Windows with CAPI (Minidriver/CSP)
  • Windows with PKCS#11 library
Flags: needinfo?(alvaro.rocha)

(In reply to Alvaro from comment #11)

Successfully tested with this Firefox release candidate 114.0 on :

  • macOS with TokenDriver
  • macOS with PKCS#11 library
  • Windows with CAPI (Minidriver/CSP)
  • Windows with PKCS#11 library

Awesome, thanks Alvaro!

Flags: needinfo?(pros)

Speculative connections to servers that request a client authentication
certificate can't make progress, because PSM buffers the "select a client
authentication certificate" dialog (otherwise, the dialog would show up
unexpectedly), but Necko won't claim the connection until the TLS handshake has
completed (which it won't, because the user needs to select a client
authentication certificate first). So, the only option is to cancel the
connection and have Necko make a new non-speculative connection.
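
The stall the commit message above describes, and the reset that resolves it, as a toy state model (an added example, not Firefox code; every type and function name in it is hypothetical):

```cpp
// Toy model of the stall described above. Added example: every name here is
// hypothetical and none corresponds to an identifier in the Firefox source.
enum class State { Handshaking, AwaitingClientCert, Established, Reset };

struct Connection {
    bool speculative = false;  // opened before the user committed to a navigation
    bool claimed = false;      // the networking layer has attached a real request
    State state = State::Handshaking;
};

struct Result {
    bool dialogShown = false;
    bool authenticated = false;
    int connectionsOpened = 0;
};

// The server asks for a client certificate mid-handshake.
// resetSpeculative=false models the regressed behaviour, true models the fix.
static void onCertificateRequest(Connection& c, bool resetSpeculative, Result& r) {
    if (c.speculative && !c.claimed) {
        // The dialog is held back so it does not appear unexpectedly, and the
        // connection is only claimed after a handshake that now cannot finish.
        c.state = resetSpeculative ? State::Reset : State::AwaitingClientCert;
        return;
    }
    r.dialogShown = true;          // user selects a certificate
    c.state = State::Established;  // handshake completes
}

Result navigate(bool speculativeEnabled, bool resetSpeculative) {
    Result r;
    Connection c;
    c.speculative = speculativeEnabled;
    c.claimed = !speculativeEnabled;  // a normal connection carries a request from the start
    r.connectionsOpened = 1;
    onCertificateRequest(c, resetSpeculative, r);
    if (c.state == State::Reset) {
        // Fix: drop the speculative connection and retry non-speculatively.
        c = Connection{};
        c.claimed = true;
        r.connectionsOpened = 2;
        onCertificateRequest(c, resetSpeculative, r);
    }
    r.authenticated = (c.state == State::Established);
    return r;
}
```

`navigate(true, false)` is the reported failure (one connection, no dialog), `navigate(false, false)` corresponds to the about:config workaround, and `navigate(true, true)` reaches the dialog on the second, non-speculative connection.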

Hello Dana.

That Nightly version works OK for us. Tested with our PKCS#11 and Tokendriver on Monterey.
Thanks.

Flags: needinfo?(pros)
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b050ec8a3a18
reset speculative connections where the peer asks for a client authentication certificate r=jschanck,kershaw
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox115 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(dkeeler)

Comment on attachment 9337746 [details]
Bug 1835103 - reset speculative connections where the peer asks for a client authentication certificate r?jschanck!,kershaw!

Beta/Release Uplift Approval Request

  • User impact if declined: French physicians won't be able to log in to websites necessary to do their jobs.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This patch is very small, and there are automated tests.
  • String changes made/needed: none
  • Is Android affected?: Yes
Flags: needinfo?(dkeeler)
Attachment #9337746 - Flags: approval-mozilla-beta?

Comment on attachment 9337746 [details]
Bug 1835103 - reset speculative connections where the peer asks for a client authentication certificate r?jschanck!,kershaw!

Approved for 115.0b5.

Attachment #9337746 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Paul, could you please verify on your end if the issue is fixed on Firefox 115 Beta 5?
Thank you!

Flags: needinfo?(pros)

Hi Camelia,

We have tested FF 115 Beta 5 and authentication works OK on macOS Monterey and Windows.

Thanks.

Flags: needinfo?(pros)
See Also: → 1856972