Asks for token password when visiting SSL sites with SSLVerifyClient set to none




11 years ago
3 years ago


(Reporter: bugzilla, Unassigned, NeedInfo)







11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20071127 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/20071127 Firefox/

I have installed an eToken with a certificate on it. Whenever I am visiting an https site for the first time after a browser restart, Firefox asks me for the token password. Firefox should only ask to access that certificate if it needs it to comply with a website request of clientverify.

Reproducible: Always

Steps to Reproduce:
1. Install a secure token in Firefox
2. Put a certificate on that token
3. Visit a standard https website

Actual Results:
Firefox will ask and keep asking for the password of the device

Expected Results:  
Firefox should leave the token alone if the website didn't set SSL client auth as optional or required.

I have a feeling that Firefox cannot know what certificates are on the token before accessing it because it doesn't use a user certificate store like Microsoft. It would be acceptable to have Firefox query the token when a website requires authentication and then find out that no certificates match the CA. Firefox should not query the tokens when no SSL auth is asked.

Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
I remember having seen such a report in the past.

I know that something was done about that in NSS which fixed it for most tokens.

But if I remember correctly, there are tokens with a broken behavior.

I think NSS is trying to iterate through all available certificates, and some tokens require authentication before that works.

Ever confirmed: true

Comment 2

11 years ago
Dug in the source code and that's exactly it. NSS iterates all the DEVICES and tries to get a certificate list for each of them. Some PKCS #11 modules will ask for a PIN before giving that. Any chance that we can just skip the iteration altogether if the remote website doesn't ask for 2-way SSL auth?
Reassign bug owner.
Assignee: kaie → nobody
Is this still an issue?
Flags: needinfo?(bugzilla)
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE
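
The condition the thread keeps returning to is whether the server actually asked for a client certificate. This added example (not part of the bug report and not NSS or Firefox code) parses a cleartext SSL 3.0 to TLS 1.2 server handshake flight and reports whether it contains a CertificateRequest message, which a server with `SSLVerifyClient none` does not send. The sample flights are constructed with dummy message bodies, and the function names are hypothetical; in TLS 1.3 this message is encrypted and cannot be read this way.

```python
import struct

HANDSHAKE = 22            # TLS record content type carrying handshake messages
CERTIFICATE_REQUEST = 13  # handshake type sent only when the server wants a client cert


def handshake_types(flight: bytes) -> list:
    """Return the handshake message types found in a cleartext server flight."""
    stream = bytearray()
    pos = 0
    # Pass 1: walk the record layer and concatenate handshake payloads,
    # because one handshake message may be split across several records.
    while pos < len(flight):
        if len(flight) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", flight, pos)
        pos += 5
        if len(flight) - pos < length:
            raise ValueError("truncated record body")
        if ctype == HANDSHAKE:
            stream += flight[pos:pos + length]
        pos += length
    # Pass 2: walk the handshake messages (1-byte type, 3-byte length, body).
    types, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated handshake header")
        mlen = int.from_bytes(stream[pos + 1:pos + 4], "big")
        if len(stream) - pos - 4 < mlen:
            raise ValueError("truncated handshake body")
        types.append(stream[pos])
        pos += 4 + mlen
    return types


def client_cert_requested(flight: bytes) -> bool:
    """True only if the server sent CertificateRequest, i.e. token access is warranted."""
    return CERTIFICATE_REQUEST in handshake_types(flight)


def _msg(mtype, body=b"\x00" * 4):          # constructed message with a dummy body
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(payload, ctype=HANDSHAKE):       # constructed TLS 1.0 record
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

# Constructed flights: ServerHello(2), Certificate(11), [CertificateRequest(13)], ServerHelloDone(14).
NO_CLIENT_AUTH = _record(_msg(2) + _msg(11)) + _record(_msg(14, b""))
# Here the CertificateRequest is deliberately fragmented across two records.
WITH_CLIENT_AUTH = (_record(_msg(2) + _msg(11) + _msg(13)[:3])
                    + _record(_msg(13)[3:] + _msg(14, b"")))
```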