Firefox failing to fallback to HTTP/2 or 1.1 when accessing mTLS protected sites over HTTP/3
Categories
(Core :: Security: PSM, defect)
Tracking
()
People
(Reporter: viaguy, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Steps to reproduce:
Attempt to connect to a webserver running Nginx 1.31.2, with HTTP/3 QUIC enabled, using mTLS cert authentication.
Actual results:
The browser does not supply a certificate, nor does it prompt me to choose a certificate when the request was made over HTTP/3. It also does not fallback to HTTP/2 or lower, and instead appears to attempt the connection without a cert.
From my own testing with my own compiled instance of nginx with http3 quic enabled:
-If the nginx server has "ssl_verify_client" set to "on", the status becomes 400 with the message "No required SSL certificate was sent".
-If the nginx server has "ssl_verify_client" set to "optional", the browser still does not send a certificate, even though according to the nginx docs, it will still request that the browser supply a certificate. Albeit with a different outcome based on the server configuration, if it does not supply one.
Expected results:
Ideally, mTLS authentication would work over HTTP/3. I understand that this is not currently supported, as stated here: https://bugzilla.mozilla.org/show_bug.cgi?id=1888685
However, also stated there, Firefox should fallback to HTTP/2 or 1.1 gracefully, which does not appear to be happening in my testing.
So, I would say the realistic desired results should be that the browser correctly falls back to the next highest supported HTTP version when being requested to supply a certificate on HTTP/3.
Comment 1•1 month ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•1 month ago
|
Description
•