Can't load https://www.commbank.com.au/ pages with ADCS certificate installed
Categories: Core :: Security: PSM, defect
People: Reporter: courtjesterau, Unassigned
Attachments (10 files):
- 56.61 KB, image/png
- 80.57 KB, image/png
- 1.87 KB, application/x-x509-ca-cert
- 7.81 MB, application/x-gzip
- 8.72 MB, application/x-gzip
- 8.24 MB, application/x-gzip
- 4.10 MB, application/x-gzip
- 133.07 KB, image/png
- 20.12 KB, text/plain
- 38.27 KB, text/plain
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Steps to reproduce:
When I have a user certificate issued by my ADCS server I cannot load any web pages from https://www.commbank.com.au/.
Once I remove the certificate from the personal store and restart Firefox, it works.
I have tried removing and re-issuing the certificate many times and the result is the same. The certificate is for wifi authentication with RADIUS and has nothing to do with web browsing.
Actual results:
The page does not load and causes the entire browser to freeze / hang for some time.
Expected results:
The web page loads.
Comment 1 • 1 year ago
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2 • 1 year ago
By "user certificate" do you mean client authentication certificate? Why do you have it installed in Firefox if it has nothing to do with web browsing? (does it show up as from the "OS Client Cert Token"?)
Can you attach the certificate in question to this bug? Are you behind a VPN, do you have antivirus scanning TLS connections, or do you have some other kind of TLS-intercepting device between you and the site you're trying to reach?
Yes, a client authentication certificate used for wifi. It is in the personal certificate store in Windows for the logged-in user.
- I have not specifically added it to Firefox; FF picks it up and shows it in its certificate manager.
This was tested on a brand-new install (Windows 11 24H2) laptop; there is no AV other than the Windows Defender that comes with Windows. No TLS interception is happening in the network and no VPN is used.
I narrowed it down to the certificate as I noticed it would not work for a domain user, but for a local user (no certificate) it worked fine, and I disabled group policies until it was the user certificate removal that allowed it to work.
I will add the certificate in question to the ticket.
Comment 7 • 1 year ago
Thanks! Can you get a profile of the hang with https://profiler.firefox.com/, upload that, and attach a link here?
I think I did this correctly; if it is not right, let me know and I'll create a new one.
Comment 10 • 1 year ago
Thanks! Can you capture another profile, but with custom settings specifying Socket Thread and ssl under "Add custom threads by name"?
Comment 11 (Reporter) • 1 year ago
New profile - I will add another one from the same system I did the first ones from later tonight.
Comment 12 • 1 year ago
Thanks! Can you do one more but with osclientcerts in the custom thread list?
Comment 13 (Reporter) • 1 year ago
This should be a profile with the extra setting as requested.
Comment 14 • 1 year ago
Thanks! Do you happen to have a bunch of certificates all with the same issuer and subject? If you can, maybe delete ones you don't need and see if that works? (you'll need to do it in the Windows certificate manager, not Firefox)
Comment 15 (Reporter) • 1 year ago
I only have 1 x machine certificate and 1 x user certificate from this certificate server, and deleting the machine certificate makes no difference.
Only deleting the user one allows it to work.
Comment 16 • 1 year ago
Do you have a number of certificates either in Firefox or in Windows with the subject and issuer common name of Aheadit-ADCS-CA?
Comment 17 (Reporter) • 1 year ago
Yes, that is the certificate for the CA server (what is used to validate the user / machine certs), and it has a chain that sits in the trusted root certificate authorities folder in the certificate store. I can't remove them all or the machine / user certificates will not be valid and won't work.
Comment 18 (Reporter) • 1 year ago
I removed all the extra certificates except the required CA and it still does not work with a personal certificate installed; once I remove the personal certificate it works.
Comment 19 (Reporter) • 1 year ago
Certificate store with CA certificate.
Comment 20 • 1 year ago
What's happening is when your client certificate is available, Firefox is trying to verify that it's a suitable certificate to send to the server that requested it. That involves building a chain from it to the issuers the server says it trusts. When there are a number of certificates that each have the same subject and issuer distinguished name, the number of potential paths gets very large. This is what's taking too long and causing the connection to time out. So, I'm trying to figure out where all of these extra certificates are coming from. Can you look in Firefox's certificate manager for these certificates? Also, doing the following would help:
- Enable the browser console by setting the preference `devtools.chrome.enabled` to `true` in `about:config` (if you don't see it, uncheck the "Show only modified preferences" checkbox)
- Open the browser console with command+shift+j
- Run the following:
  `Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent).getEnterpriseRootsPEM()`
  `Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent).getEnterpriseIntermediatesPEM()`
- Paste the results here either as a comment or as an attachment
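The search-space blow-up described in the comment above, as an added example that is not part of the bug report or of Firefox's code: certificates are toy records, a matching key identifier stands in for a real signature check, and the store (one trusted root, one wifi client cert it issued, and eleven look-alike CA certs that reuse its name) is constructed to mirror the reporter's situation.

```python
from dataclasses import dataclass

CA_NAME = "CN=Aheadit-ADCS-CA"  # the one name shared by every CA certificate

@dataclass(frozen=True)
class Cert:
    serial: str       # constructed label, not a real serial number
    subject: str
    issuer: str
    key_id: str       # stands in for SubjectKeyIdentifier
    auth_key_id: str  # stands in for AuthorityKeyIdentifier (the signing key)

def constructed_store(extra_ca_certs):
    """One trusted root, the client cert it issued, and n look-alike CA certs."""
    root = Cert("root", CA_NAME, CA_NAME, "key-root", "key-root")
    leaf = Cert("wifi-user", "CN=wifi-user", CA_NAME, "key-user", "key-root")
    extras = [Cert(f"renewed-{i}", CA_NAME, CA_NAME, f"key-{i}", "key-root")
              for i in range(extra_ca_certs)]
    return leaf, [root] + extras, {"root"}

def enumerate_paths(leaf, store, anchors, prune_by_key_id, max_len=5):
    """Count name-linked chains from `leaf` to a trust anchor (and certs visited)
    that a path builder explores before signature checks can rule them out."""
    chains, visited = 0, 0
    def candidates(cert):
        out = [c for c in store if c.subject == cert.issuer]
        if prune_by_key_id:  # AKI/SKI match keeps only keys that could have signed
            out = [c for c in out if c.key_id == cert.auth_key_id]
        return out
    def walk(path):
        nonlocal chains, visited
        visited += 1
        if path[-1].serial in anchors:
            chains += 1
        elif len(path) < max_len:
            for c in candidates(path[-1]):
                if c not in path:  # never loop through the same certificate twice
                    walk(path + [c])

    walk([leaf])
    return chains, visited

def demo(extra_ca_certs=11):
    """12 same-named CA certs, as in Comment 25: name-only vs key-id pruning."""
    leaf, store, anchors = constructed_store(extra_ca_certs)
    return {"name_only": enumerate_paths(leaf, store, anchors, False),
            "with_key_ids": enumerate_paths(leaf, store, anchors, True)}

if __name__ == "__main__":
    for label, (chains, visited) in demo().items():
        print(f"{label}: {chains} candidate chains, {visited} certificates visited")
```

With a chain limit of five certificates, name-only matching already has to visit over ten thousand certificates and 1112 candidate chains for one client cert, while key-identifier pruning visits two; each extra same-named CA cert multiplies the work.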
Comment 21 (Reporter) • 1 year ago
Sorry for the late reply to this; here is the output:
Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent).getEnterpriseRootsPEM()
Cc["@mozilla.org/psm;1"].getService(Ci.nsINSSComponent).getEnterpriseIntermediatesPEM()
Comment 22 • 1 year ago
Thanks - unfortunately, I think the console "helpfully" cut off the entirety of what you were copying. There should be a little triangle at the beginning of the first line of output in each case that you can click to get it to give you the entire output.
Comment 23 (Reporter) • 1 year ago
Comment 24 (Reporter) • 1 year ago
Comment 25 • 1 year ago
Great! So it looks like you have at least 12 certificates each with the same subject and issuer (the ones with the common name "Aheadit-ADCS-CA"). Since that's the issuer of your client auth certificate, when Firefox tries to find the appropriate issuers to send along with it in the TLS handshake, it runs into this thicket of certificates that all could plausibly have issued the others, which means a very large search space. Can you try and remove those extraneous certificates from your Windows certificate store?
If it helps, here are their serial numbers:
Comment 26 • 7 months ago
A needinfo is requested from the reporter, however, the reporter is inactive on Bugzilla. Given that the bug is still UNCONFIRMED, closing the bug as incomplete.
For more information, please visit BugBot documentation.