Closed Bug 214522 Opened 22 years ago Closed 21 years ago

crash while authenticating to this server

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
x86
Windows 2000
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: hauser, Assigned: KaiE)

Details

(Keywords: regression)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030724
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030724
I guess they would like one of their own certificates
Reproducible: Always
Steps to Reproduce:
1. click on "Auth'd Login" on the left-vertical menu bar
2. choose my Thawte cert
3. crash
Actual Results: immediate crash
Expected Results: show authentication failure or alike
Yup, I can reproduce this at will. When I first visit https://secure.cacert.org/index.php?id=7 I have to choose to accept the cert from an untrusted CA. Then it asks me to choose a cert to authenticate myself. I choose my thawte cert and boom. The stack was in necko somewhere (sorry, I'm not running a debug build).
Assignee: ssaux → kaie
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: presenting a Thawte client certificate for auth crashes browsers → crash while authenticating to this server
I do not crash using Mozilla 1.4
regression
Keywords: regression
Works for me Mozilla 1.6 MacOS X 10.3
Following your instructions, having a personal thawte cert in an otherwise fresh profile, I do not crash on Linux with Mozilla 1.7.5. Are you still able to reproduce the crash with recent builds? Proposing WORKSFORME. Please reopen if I'm wrong.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
13 months after comment 1 above ... The behavior has changed. Now when I visit the cited URL, first I have to choose to accept the cert from an untrusted CA. But then I am not prompted to choose among my personal certs. Instead I get an error message that says:
secure.cacert.org has received an incorrect or unexpected message. Error Code: -12227
An analysis of the SSL handshake with ssltap reveals that the server is now requesting client authentication ONLY with certs issued by that same CA. Since I do not have one from that CA, mozilla correctly does not prompt me to choose a cert. Therefore, I think that we do not know if the cause of the crash reported here has been fixed or not. I believe that the test server no longer reproduces the same conditions as before. Perhaps if we could find another SSL server with a cert from an unknown issuer, and which requests client authentication allowing a cert from thawte (or some other CA from which I have a cert), we could still reproduce this crash. That is speculation.
Nelson, I have configured what you suggested here: https://www.kuix.de/misc/test214522/ Still, it does not crash.
FYI, the web server will accept Thawte Personal Freemail certificates for authentication.
Kai, I tried your test server. Did not get prompted to choose a client cert. Looked at ssltap. Saw that your server did two handshakes on the same connection. The first did not request client auth. The second may have done so (it was encrypted, so I'm not sure) but I did not get a prompt to select a client cert. I suspect that the server's list of acceptable client CAs did not include any CAs from which I presently have certs. The server cited with this bug report requests client authentication on the first handshake. I suspect that when this bug was filed, the cited server was configured to send an empty list of CA names to the client in the client auth request, and this crash *may* be related to that. Unfortunately, there is no ssltap record of the original failing handshakes, so we can only speculate. I have no problem leaving this bug resolved WORKSFORME until such time as we see it again.
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard
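The comments above tie the client-cert prompt to the list of CA names in the server's client-auth request, including the speculated empty-list case. The following is an added example, not part of the bug thread and not NSS or PSM code: it parses a pre-TLS 1.2 CertificateRequest with a bounds check on every read and filters candidate client certs against the list, treating an empty list as unrestricted (RFC 4346, section 7.4.4). The DN byte strings, nicknames and all function names are constructed placeholders.

```python
CERTIFICATE_REQUEST = 13  # TLS handshake message type
class ParseError(ValueError):
    """Raised when a length field points outside the captured bytes."""

def _take(buf, off, n):
    if off + n > len(buf):
        raise ParseError(f"need {n} bytes at offset {off}, have {len(buf) - off}")
    return buf[off:off + n], off + n

def parse_certificate_request(msg):
    """Return (cert_types, ca_names) from a pre-TLS 1.2 CertificateRequest."""
    hdr, off = _take(msg, 0, 4)
    if hdr[0] != CERTIFICATE_REQUEST:
        raise ParseError(f"handshake type {hdr[0]}, expected 13")
    body, end = _take(msg, off, int.from_bytes(hdr[1:], "big"))
    if end != len(msg):
        raise ParseError("trailing bytes after message")
    n, off = _take(body, 0, 1)
    types, off = _take(body, off, n[0])
    if not types:
        raise ParseError("certificate_types must not be empty")
    ln, off = _take(body, off, 2)
    ca_blob, off = _take(body, off, int.from_bytes(ln, "big"))
    if off != len(body):
        raise ParseError("trailing bytes after certificate_authorities")
    ca_names, pos = [], 0
    while pos < len(ca_blob):
        ln, pos = _take(ca_blob, pos, 2)
        dn, pos = _take(ca_blob, pos, int.from_bytes(ln, "big"))
        if not dn:
            raise ParseError("zero-length DistinguishedName")
        ca_names.append(dn)
    return list(types), ca_names

def eligible_certs(client_certs, ca_names):
    """Filter (nickname, issuer_dn) pairs; an empty CA list restricts nothing."""
    if not ca_names:
        return [nick for nick, _ in client_certs]
    return [nick for nick, issuer in client_certs if issuer in ca_names]

def _build(types, dns):  # helper that constructs the sample messages below
    cas = b"".join(len(d).to_bytes(2, "big") + d for d in dns)
    body = bytes([len(types)]) + bytes(types) + len(cas).to_bytes(2, "big") + cas
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

# Constructed sample data: placeholder strings stand in for DER-encoded DNs.
MY_ISSUER, SERVER_CA = b"CN=Sample Freemail CA", b"CN=Sample Server CA"
MY_CERTS = [("my-thawte-cert", MY_ISSUER)]
EMPTY_LIST, SAME_CA_ONLY = _build([1], []), _build([1], [SERVER_CA])
```

With `SAME_CA_ONLY` no cert is eligible, which matches the no-prompt behaviour described in the later comments; with `EMPTY_LIST` every cert is offered.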