Closed Bug 271834 Opened 20 years ago Closed 20 years ago

Error code -12227 when client certificate requested but not available

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 107491

People

(Reporter: InvisibleSmiley, Assigned: darin.moz)

Details

User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8a5) Gecko/20041101 MultiZilla/1.7.0.0e
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8a5) Gecko/20041101 MultiZilla/1.7.0.0e

When I visit a page which requests a client certificate (I know an internal one
but don't like to post the address here) and none is available, Mozilla (tested
with Firefox 1.0 and current Suite nightly builds) says:
"[server name] has received an incorrect or unexpected message. Error code -12227."
Also see
http://www.dartmouth.edu/comp/support/library/software/security/pki/faqs/mozilla.html
which describes the same error.

Reproducible: Always
Steps to Reproduce:
1. Visit a website which requests a client certificate that you do not have installed
Actual Results:  
The described error appears in an alert box

Expected Results:  
Inform the user what went wrong and possibly how to solve the problem (install a
client certificate for the site requesting it)

Maybe someone else can give an example website where the problem appears.

*** This bug has been marked as a duplicate of 107491 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Component: Networking → Client Library
Product: Core → PSM
Version: Trunk → 1.01
QA Contact: benc → nobody
Product: PSM → Core
I can now reproduce this error, as I set up a require-always-client-auth test server at https://kuix.de:8443/

While I agree that PSM should report a better error message, 
-12227 means:
  SSL_ERROR_HANDSHAKE_FAILURE_ALERT

Should NSS really return with that error code?

NSS is returning an error with the most specific information it has about
what went wrong.  The server sent a general "handshake failure" alert.
Sounds like the server is returning the wrong alert code.  

Under the circumstances, considering the alert code we received, I don't
see how NSS could better diagnose the situation.  

I suppose we could remember that the server requested client authentication,
and then when the handshake fails, we could report some error message to
the user that speculates "Failure might be related to client authentication".

But let's not fix that before fixing bug 107491.
Version: psm1.01 → 1.0 Branch
Product: Core → Core Graveyard
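The idea raised in the last comment (remember that the server requested client authentication, then qualify the handshake-failure error) is sketched below as an added example; it is not part of the original bug thread and is not NSS or PSM code. It assumes a handshake whose server messages are still in plaintext (TLS 1.2 or earlier) and not fragmented across records; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

ALERT, HANDSHAKE = 21, 22            # TLS record content types
CERTIFICATE_REQUEST = 13             # handshake message type
FATAL, HANDSHAKE_FAILURE = 2, 40     # alert level / alert description
SSL_ERROR_HANDSHAKE_FAILURE_ALERT = -12227   # NSS code quoted in this bug
HINT = "Failure might be related to client authentication"


def records(stream):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        yield ctype, payload
        pos += 5 + length


def handshake_types(payload):
    """Yield the type byte of each handshake message in a record payload."""
    pos = 0
    while pos + 4 <= len(payload):
        yield payload[pos]
        pos += 4 + int.from_bytes(payload[pos + 1:pos + 4], "big")


def diagnose(server_bytes):
    """Return (error_code, hint) for the bytes the server sent us."""
    cert_requested = False
    for ctype, payload in records(server_bytes):
        if ctype == HANDSHAKE:
            cert_requested |= CERTIFICATE_REQUEST in handshake_types(payload)
        elif ctype == ALERT and payload[:2] == bytes([FATAL, HANDSHAKE_FAILURE]):
            # The alert alone is generic; the remembered request adds context.
            return SSL_ERROR_HANDSHAKE_FAILURE_ALERT, HINT if cert_requested else ""
    return 0, ""


def record(ctype, payload):          # helper for the constructed samples
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

def hs_msg(mtype, body=b""):         # helper for the constructed samples
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Constructed samples: ServerHello(2), Certificate(11), [CertificateRequest(13)],
# ServerHelloDone(14) with dummy bodies, followed by a fatal handshake_failure alert.
FAILURE_ALERT = record(ALERT, bytes([FATAL, HANDSHAKE_FAILURE]))
HELLO_NO_REQUEST = record(HANDSHAKE, hs_msg(2, bytes(38)) + hs_msg(11, bytes(3)) + hs_msg(14))
HELLO_WITH_REQUEST = record(HANDSHAKE, hs_msg(2, bytes(38)) + hs_msg(11, bytes(3))
                            + hs_msg(13, b"\x01\x01\x00\x00") + hs_msg(14))
```

The error code is the same in both failing cases; only the remembered CertificateRequest changes what the user can be told.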