User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:184.108.40.206) Gecko/20060728 Firefox/220.127.116.11 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:18.104.22.168) Gecko/20060728 Firefox/22.214.171.124 If a website would accept several client certificates (in the example URL, those by wmcert.com and that from here: http://www.epointsystem.org/~nagydani/key ), the dialog prompting the user to pick one is presented for each element (inline image, css style file, etc.) of the webpage, which is very annoying. Even if it were useful (to pick a different client certificate for each inline image?), the dialog should have displayed the actual element it is about to download with the chosen cert. Of course "ask me every time" can be interpreted this way, but asking once per webpage would make more sense. Reproducible: Always Steps to Reproduce: 1. Create two certificates: one at http://www.epointsystem.org/~nagydani/key the other at https://www.wmcert.com 2. Set the following option in Firefox/Preferences.../Advanced/Security: When a web site requires a certificate: Ask me every time 3. Go to https://www.epointsystem.org Actual Results: The user is bombarded with dialogs for choosing a client cert. Expected Results: The user should be prompted once for chosing a client cert before loading the webpage with all its auxiliary files.
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox
Version: unspecified → 1.8 Branch
Status: UNCONFIRMED → NEW
Ever confirmed: true
Created attachment 236473 [details] ssltap logfile I followed the instructions from comment 0 and obtained two certs. I used the ssltap tool to trace the connection between client and server. Nelson, does the attached log file tell us who is the culprit for the repeated client auth prompts? Thanks
Yes, the server is making all these client auth cert requests happen. The server is giving the client an empty (zeor length) SSL "Session ID" in each connection, making it impossible for the client to restart the SSL session in subsequent handshakes. So the client does not have the choice of restarting the SSL session in subsquent connections. In each new connection, the client does not offer to "restart" a previous used session, because it has no session ID with which to do so. Because the client does not offer an old session ID to be restarted, the server is forced to do a "full" handshake. The server is obviously configured to request SSL client authentication in every FULL handshake. so it does so. The browser performs client auth every time it is asked to do so. The purpose of "ask every time" is precisely to ensure that the browser never does client auth without the user's explicit permission. The options for solution are: a) the server sends non-empty session IDs to the client, obviating client auth for subsequent handshakes between the same client and server, or b) the browser user configures his browser to automatically choose his client auth certificate, and to not ask for his master password more than once per browser process lifetime. This is all working as designed. No browser bug is manifested by this behavior.
Thanks for the analysis Nelson. Daniel, maybe you can file a bug with the the author of the server software in use, and point them to Nelson's explanation. Resolving bug as invalid, as no browser bug seems to be present.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → INVALID
I disagree. As I indicated in the original bug report, I can accept this interpretation of "ask me every time", but in that case, the dialog MUST display the precise URL for which the user is required to pick a certificate. Otherwise, we have a situation, where the user is asked to make a security-sensitive (or, rather, privacy-sensitive) decision, without being given sufficient information.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
I agree that it would be very helpful if the user was being informed which site he was about to authenticate to, both at cert selection time and at the time when he is asked for the master password. I myself often find that I am being asked for a master password, and I don't know why (for what purpose) I am being asked.
Changed the bug summary to reflect the requested change from comment 5.
Summary: Dialog for choosing client certificate presented for each element (e.g. inline image) → client auth cert selection dialog should show URL requesting it
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
You need to log in before you can comment on or make changes to this bug.