OpenSC 0.24.0 client side TLS certificate leads to network timeout
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
People
(Reporter: jona, Unassigned)
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0
Steps to reproduce:
I'm using a YubiKey to authenticate myself to a web server which requires client-side TLS certificates for authentication. This worked fine with OpenSC version 0.23.0 (on macOS and Linux (Windows untested)), but yields a timeout error on OpenSC version 0.24.0.
You can work around this issue by going to Settings -> Security Devices (under Certificates) -> Select the Smartcard under the OpenSC module -> Log In.
This will prompt for the PIN, and after completing the login everything works as expected.
Actual results:
Opening a website which is protected by client-side TLS certificate authentication yields a network timeout error after 5 to 10 seconds. No PIN/Password prompt for the smart card is shown.
Expected results:
A PIN/Password prompt for the smartcard should be shown. After entering the correct PIN the page should load.
Comment 1•1 year ago
Moving this to Core and waiting for the developer's opinion about it.
If this is not the correct component, please feel free to change it to a more appropriate one. Thanks
Comment 2•1 year ago
Have you opened an issue with OpenSC? https://github.com/OpenSC/OpenSC/issues
Comment 3•1 year ago
No, I have not. It works fine with Chromium Version 120.0.6099.216 on the same system. Although Chromium does not even prompt me to enter a PIN, which is a bit odd.
Comment 4•1 year ago
That was me indirectly asking you to please open an issue with OpenSC, since version 0.23.0 works but 0.24.0 doesn't.
Comment 5•1 year ago
Submitted an issue there: https://github.com/OpenSC/OpenSC/issues/2987
Comment 6•1 year ago
Thank you!
Comment 7•1 year ago
Results of the OpenSC issue:
It looks like Firefox is not handling the Card Authentication (9e) slot of the YubiKey correctly. This slot is special as it does not require a PIN for private key operations (see https://developers.yubico.com/PIV/Introduction/Certificate_slots.html). Moving the client side TLS certificate from the Card Authentication slot (9e) to any other slot which does require PIN entry (e.g. Key Management) will resolve the issue.
So I suppose the actual expected result should be:
No PIN/Password prompt is shown, the page loads normally.
Comment 8•1 year ago
The severity field is not set for this bug.
:keeler, could you have a look please?
For more information, please visit BugBot documentation.
Comment 9•1 year ago
Can you run Firefox with the environment variable MOZ_LOG set to pipnss:4, MOZ_LOG_FILE set to some path you can log to, attempt to connect to the server, and attach the resulting file here?
Comment 10•1 year ago (Reporter)
Seems logging to a file is broken. I tried the following
- Close all firefox processes
- Run
MOZ_LOG="pipnss:4" MOZ_LOG_FILE="/home/user/firefox.log" /usr/lib/firefox/firefox 'https://server.domain.tld'
- Wait for timeout
- Close firefox (via the close button on the window)
Log file seems truncated randomly at the end, no idea why. Worked around it by logging to stdout (MOZ_LOG_FILE=/dev/stdout).
I attached the log output as file.
The browser gets stuck on
[Parent 568653: Socket Thread]: D/pipnss [7a3a61880190] ClientAuthCertificateSelected mTlsHandshakeCallback=7a3a5385cd80
and after the timeout it prints
[Parent 568653: Socket Thread]: D/pipnss [7a3a61880190] Shutting down socket
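The logging procedure from comments 9 and 10, plus a check for the hang signature the reporter saw, as an added example (not code from the bug report, Firefox or OpenSC). It launches Firefox with pipnss logging the way comment 9 asks, then scans the log per socket for a "Shutting down socket" event that directly follows ClientAuthCertificateSelected. Assumptions not taken from the page: the Firefox binary path (the one used in comment 10), that Firefox may suffix the MOZ_LOG_FILE name (so the capture step globs for it), and every sample log line except the two the reporter pasted, which are constructed.

```python
# Added example for triaging the client-auth hang in this bug; not part of
# the bug report, Firefox or OpenSC. Assumptions are marked in comments.
import glob
import os
import re
import subprocess
from collections import defaultdict

FIREFOX = "/usr/lib/firefox/firefox"  # path from comment 10; adjust for your system

# Format of the two pipnss lines quoted in comment 10:
# "[Parent 568653: Socket Thread]: D/pipnss [7a3a61880190] ClientAuthCertificateSelected ..."
PIPNSS_RE = re.compile(
    r"^\[(?P<proc>[^\]]*)\]: (?P<level>[A-Z])/pipnss \[(?P<sock>[0-9a-f]+)\] (?P<msg>.*)$"
)


def logging_command(url, log_path):
    """Return (argv, env) for running Firefox as comment 9 asks: module pipnss
    at level 4, written to log_path. Separated from the launch so it can be
    checked without a browser or display."""
    env = dict(os.environ)
    env["MOZ_LOG"] = "pipnss:4"
    env["MOZ_LOG_FILE"] = log_path
    return [FIREFOX, url], env


def capture_log(url, log_path, timeout=30):
    """Launch Firefox with pipnss logging, wait for the timeout the reporter
    describes (the browser is killed if it is still running), and return the
    log text. Assumption: Firefox may append a process/PID suffix to the log
    file name, so every file starting with log_path is concatenated."""
    argv, env = logging_command(url, log_path)
    try:
        subprocess.run(argv, env=env, timeout=timeout)
    except subprocess.TimeoutExpired:
        pass  # the hang reproduces within the timeout; the log is what we want
    text = []
    for path in sorted(glob.glob(log_path + "*")):
        with open(path, encoding="utf-8", errors="replace") as f:
            text.append(f.read())
    return "\n".join(text)


def parse_pipnss(text):
    """Yield (socket_id, message) for each line in the pipnss format shown
    above; lines without a socket id (other modules, a truncated tail) are skipped."""
    for line in text.splitlines():
        m = PIPNSS_RE.match(line)
        if m:
            yield m.group("sock"), m.group("msg")


def stuck_after_cert_selection(text):
    """Return socket ids whose event directly before "Shutting down socket" was
    ClientAuthCertificateSelected, i.e. nothing happened on that socket once NSS
    had been handed the client certificate. Sockets that logged anything else in
    between are not reported."""
    events = defaultdict(list)
    for sock, msg in parse_pipnss(text):
        events[sock].append(msg)
    stuck = []
    for sock, msgs in events.items():
        for prev, cur in zip(msgs, msgs[1:]):
            if cur.startswith("Shutting down socket") and prev.startswith(
                "ClientAuthCertificateSelected"
            ):
                stuck.append(sock)
                break
    return stuck


# Constructed sample log. The two lines for socket 7a3a61880190 are the ones
# the reporter pasted; the lines for 7a3a61880200 and the line without a
# socket id are invented to show what is, and is not, reported.
SAMPLE_LOG = """\
[Parent 568653: Socket Thread]: D/pipnss [7a3a61880190] ClientAuthCertificateSelected mTlsHandshakeCallback=7a3a5385cd80
[Parent 568653: Socket Thread]: D/pipnss [7a3a61880200] ClientAuthCertificateSelected mTlsHandshakeCallback=7a3a5385ce00
[Parent 568653: Socket Thread]: D/pipnss [7a3a61880200] handshake continued (constructed placeholder message)
[Parent 568653: Main Thread]: D/pipnss unrelated line without a socket id (constructed)
[Parent 568653: Socket Thread]: D/pipnss [7a3a61880190] Shutting down socket
[Parent 568653: Socket Thread]: D/pipnss [7a3a61880200] Shutting down socket
"""

if __name__ == "__main__":
    # To run against a real browser instead of the sample:
    #   text = capture_log("https://server.domain.tld", "/tmp/firefox.log")
    print("sockets stuck after certificate selection:", stuck_after_cert_selection(SAMPLE_LOG))
```

Run it against a captured log (or pipe MOZ_LOG_FILE=/dev/stdout output into a file, as the reporter did) and any socket id it prints is one that went silent between certificate selection and shutdown; an empty result with the same server means the hang did not reproduce in that run.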
Comment 11•1 year ago
Thanks! Looks like the issue is either in NSS or, again, this is an OpenSC problem (or yubikey - have you tried with another smartcard?)
Comment 12•1 year ago
Another idea - could you get a stack trace of all stacks when the browser hangs?