Closed Bug 2044556 Opened 1 month ago Closed 1 month ago

Firefox failing to fallback to HTTP/2 or 1.1 when accessing mTLS protected sites over HTTP/3

Categories

(Core :: Security: PSM, defect)

Firefox 151
defect

Tracking

()

RESOLVED DUPLICATE of bug 2024567

People

(Reporter: viaguy, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0

Steps to reproduce:

Attempt to connect to a webserver running Nginx 1.31.2, with HTTP/3 QUIC enabled, using mTLS cert authentication.

Actual results:

The browser does not supply a certificate, nor does it prompt me to choose a certificate when the request was made over HTTP/3. It also does not fallback to HTTP/2 or lower, and instead appears to attempt the connection without a cert.

From my own testing with my own compiled instance of nginx with http3 quic enabled:
-If the nginx server has "ssl_verify_client" set to "on", the status becomes 400 with the message "No required SSL certificate was sent".

-If the nginx server has "ssl_verify_client" set to "optional", the browser still does not send a certificate, even though according to the nginx docs, it will still request that the browser supply a certificate. Albeit with a different outcome based on the server configuration, if it does not supply one.

Expected results:

Ideally, mTLS authentication would work over HTTP/3. I understand that this is not currently supported, as stated here: https://bugzilla.mozilla.org/show_bug.cgi?id=1888685

However, also stated there, Firefox should fallback to HTTP/2 or 1.1 gracefully, which does not appear to be happening in my testing.

So, I would say the realistic desired results should be that the browser correctly falls back to the next highest supported HTTP version when being requested to supply a certificate on HTTP/3.

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 1 month ago
Duplicate of bug: 2024567
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.