Closed Bug 304336 Opened 19 years ago Closed 11 years ago

firefox doesn't properly handle certificate types in SSL/TLS client authentication

Categories

(Firefox :: Security, defect)

3.6 Branch
x86
Windows 2000
defect
Not set
normal

Tracking


RESOLVED INCOMPLETE

People

(Reporter: rmdugal, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050811 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050811 Firefox/1.0.6

When an SSL/TLS server requests client authentication, it sends a list of
certificate types which the client should use in selecting a client certificate.
Firefox allows the user to pick any available client certificate, regardless of
whether the certificate is a valid choice based on the server's certificate
types.

For example, if the server sends a CertificateRequest message with only RSA_sign
as a valid certificate type, the client should only be able to pick client
certificates that contain RSA public keys signed with RSA signatures. However,
Firefox lets the user pick a certificate with a DSS key which may cause
authentication failures.

Reproducible: Always

Steps to Reproduce:
1. Find an SSL/TLS server that supports client authentication using only RSA_sign
2. Connect to the server with https
3. When the client certificate selection dialog is shown, pick a non-RSA
certificate such as a DSS certificate

Actual Results:  
In tests with my server the SSL/TLS handshake fails

Expected Results:  
Limit the set of possible client certificates to those that match the server's
certificate types in the CertificateRequest message.
I forgot to mention that the CertificateRequest message also includes a list 
of certificate authorities. The client certificate returned by Firefox should 
be issued by one of the server's listed CAs and it should match the 
CertificateRequestType.
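An added example (not code from the bug report, Firefox or NSS) of the selection rule the reporter asks for: parse the CertificateRequest body in the RFC 2246 section 7.4.4 layout (certificate_types followed by certificate_authorities; the TLS 1.2 layout in RFC 5246 inserts a supported_signature_algorithms vector between them, which the tls12 flag skips) and keep only the certificates whose key type and issuer both match. The certificate store, the DER names and the message bytes are constructed here; the der_cn, build_certificate_request, parse_certificate_request and eligible_certificates names are the example's own.

```python
import struct

# ClientCertificateType values (RFC 2246 / RFC 5246, section 7.4.4)
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh", 64: "ecdsa_sign"}

def der_cn(name: str) -> bytes:
    """Minimal DER DistinguishedName holding only CN=<name> (constructed test data, short names only)."""
    attr = b"\x06\x03\x55\x04\x03\x13" + bytes([len(name)]) + name.encode("ascii")  # OID 2.5.4.3, PrintableString
    atv = b"\x30" + bytes([len(attr)]) + attr  # AttributeTypeAndValue
    rdn = b"\x31" + bytes([len(atv)]) + atv    # RelativeDistinguishedName (SET)
    return b"\x30" + bytes([len(rdn)]) + rdn   # Name (SEQUENCE)

def build_certificate_request(types, cas):
    """Encode a CertificateRequest body in the pre-TLS-1.2 layout (only used to build the sample)."""
    ca_blob = b"".join(struct.pack("!H", len(ca)) + ca for ca in cas)
    return bytes([len(types)]) + bytes(types) + struct.pack("!H", len(ca_blob)) + ca_blob

def parse_certificate_request(body: bytes, tls12: bool = False):
    """Return (certificate_types, certificate_authorities) from a CertificateRequest body.
    CAs are raw DER names; tls12=True skips the supported_signature_algorithms vector RFC 5246 adds."""
    pos = 0
    n = body[pos]; pos += 1
    types = list(body[pos:pos + n]); pos += n
    if tls12:
        (n,) = struct.unpack_from("!H", body, pos); pos += 2 + n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    end, cas = pos + n, []
    while pos < end:
        (ln,) = struct.unpack_from("!H", body, pos); pos += 2
        cas.append(body[pos:pos + ln]); pos += ln
    if pos != len(body):
        raise ValueError("malformed CertificateRequest: length fields do not add up")
    return types, cas

def eligible_certificates(store, cert_types, cas):
    """The filter the report asks for: key type requested AND issuer listed.
    An empty certificate_authorities vector means any CA is acceptable (RFC 5246 section 7.4.4)."""
    return [c for c in store if c["type"] in cert_types and (not cas or c["issuer"] in cas)]

# Constructed sample: server accepts only rsa_sign certs issued by "Tax CA"; the user holds three certs.
TAX_CA, OTHER_CA = der_cn("Tax CA"), der_cn("Other CA")
STORE = [
    {"name": "rsa-from-tax-ca", "type": 1, "issuer": TAX_CA},
    {"name": "dss-from-tax-ca", "type": 2, "issuer": TAX_CA},
    {"name": "rsa-from-other-ca", "type": 1, "issuer": OTHER_CA},
]
SAMPLE_REQUEST = build_certificate_request([1], [TAX_CA])
if __name__ == "__main__":
    types, cas = parse_certificate_request(SAMPLE_REQUEST)
    print([CERT_TYPES[t] for t in types], [c["name"] for c in eligible_certificates(STORE, types, cas)])
```

Run as a script it prints the requested type names and the single eligible certificate; the DSS certificate from the same CA and the RSA certificate from the other CA are both dropped, which is the behaviour the report expects from the chooser dialog.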
I am not totally technical, but this seems to be a problem I have encountered with Firefox 2.0.0.12

We live in France and access our individual accounts with the French tax man

On the latest version, Firefox fails to ask me to identify my certificate rather than my partner's (the normal process which permits access to the unique space) but defaults to my partner's cert

This means that I cannot access my space -- help!!!
I have checked - both certs are still there
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Version: unspecified → 1.0 Branch
No reply, INCOMPLETE. Please retest with Firefox 3.6.3 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Still broken in 3.6.3!
Firefox will let me pick any certificate in my personal certificates store, even certificate types that are not listed in the server's certificate request message.
Resolution: INCOMPLETE → FIXED
If it's still broken, why did you mark it FIXED?
Status: RESOLVED → UNCONFIRMED
Resolution: FIXED → ---
Version: 1.0 Branch → 3.6 Branch
I didn't know what correct status should be so I left it alone.
Is this issue still present on Latest Nightly 25?
Flags: needinfo?
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago → 11 years ago
Flags: needinfo?
Resolution: --- → INCOMPLETE