Closed Bug 408025 Opened 17 years ago Closed 9 years ago

Asks for token password when visiting SSL sites with SSLVerifyClient set to none

Categories

(Core :: Security: PSM, defect)

x86
Windows Vista
defect
Not set
normal

Tracking


RESOLVED INCOMPLETE

People

(Reporter: bugzilla, Unassigned, NeedInfo)


Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

I have installed an eToken with a certificate on it. Whenever I am visiting an https site for the first time after a browser restart, Firefox asks me for the token password. Firefox should only ask to access that certificate if it needs it to comply with a website request of clientverify.

Reproducible: Always

Steps to Reproduce:
1. Install a secure token in Firefox
2. Put a certificate on that token
3. Visit a standard https website

Actual Results:
Firefox will ask and keep asking for the password of the device

Expected Results:
Firefox should leave the token alone if the website didn't set SSL client auth as optional or required.

I have a feeling that Firefox cannot know what certificates are on the token before accessing it because it doesn't use a user certificate store like Microsoft. It would be acceptable to have Firefox query the token when a website requires authentication and then find out that no certificate matches the CA. Firefox should not query the tokens when no SSL auth is asked.
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
I remember having seen such a report in the past. I know that something was done about that in NSS which fixed it for most tokens. But if I remember correctly, there are tokens with a broken behavior. I think NSS is trying to iterate through all available certificates, and some tokens require authentication before that works. Bob?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Dug in the source code and that's exactly it. NSS iterates all the DEVICES and tries to get a certificate list for each of them. Some PKCS #11 modules will ask for a PIN before giving that. Any chance that we can just skip the iteration altogether if the remote website doesn't ask for 2-way SSL auth?
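The comments above turn on one question: how does a TLS client know whether the server wants client authentication at all? In TLS 1.2 (RFC 5246) the only signal is a CertificateRequest handshake message (type 13) in the server's first flight; without it the client never needs a certificate and has no reason to touch any PKCS #11 token. The following is an added illustration written for this page, not NSS or Firefox code: it reassembles the handshake stream from TLS records, reports whether a CertificateRequest was sent, and decodes its certificate_types, signature algorithms and the list of acceptable CA distinguished names (so a client could pre-filter certificates on tokens that list them without a PIN). The handshake bytes and the `Test CA` DER name are constructed sample data; the function names are this example's own.

```python
"""Decide from the TLS 1.2 handshake whether a client certificate is needed.

Constructed example, not Firefox/NSS code. A client that only probes
PKCS #11 tokens when client_auth_requested() returns a result avoids the
PIN prompt on ordinary https sites described in this bug.
"""
import struct

CONTENT_HANDSHAKE = 22
HS_CERTIFICATE = 11
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14


def iter_handshake_messages(data: bytes):
    """Yield (msg_type, body) for every handshake message in a run of TLS records.

    Handshake messages may be split across or coalesced within records, so the
    handshake fragments are concatenated before being parsed.
    """
    stream = bytearray()
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        frag = data[off:off + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        off += length
        if ctype == CONTENT_HANDSHAKE:
            stream += frag
    pos = 0
    while pos + 4 <= len(stream):
        msg_type = stream[pos]
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = bytes(stream[pos + 4:pos + 4 + length])
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        pos += 4 + length


def parse_certificate_request(body: bytes):
    """Decode a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4).

    Returns (certificate_types, signature_algorithms, ca_distinguished_names);
    the DNs are raw DER, which is what an issuer comparison uses.
    """
    pos = 0
    n = body[pos]; pos += 1
    cert_types = list(body[pos:pos + n]); pos += n
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    end = pos + n
    ca_dns = []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        ca_dns.append(body[pos:pos + dn_len]); pos += dn_len
    return cert_types, sig_algs, ca_dns


def client_auth_requested(data: bytes):
    """Return the parsed CertificateRequest if the server sent one, else None."""
    for msg_type, body in iter_handshake_messages(data):
        if msg_type == HS_CERTIFICATE_REQUEST:
            return parse_certificate_request(body)
    return None


def should_probe_tokens(data: bytes) -> bool:
    """Only a CertificateRequest justifies touching (and unlocking) tokens."""
    return client_auth_requested(data) is not None


# --- constructed sample data -------------------------------------------------
def _hs(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(payload: bytes) -> bytes:
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0303, len(payload)) + payload


# DER for the X.501 Name "CN=Test CA" (constructed for this example)
TEST_CA_DN = bytes.fromhex("30123110300e0603550403") + bytes([0x0C, 0x07]) + b"Test CA"
_CR_BODY = (bytes([2, 0x01, 0x40])                         # rsa_sign, ecdsa_sign
            + (4).to_bytes(2, "big") + bytes([4, 1, 4, 3])  # sha256/rsa, sha256/ecdsa
            + (len(TEST_CA_DN) + 2).to_bytes(2, "big")
            + len(TEST_CA_DN).to_bytes(2, "big") + TEST_CA_DN)
_EMPTY_CERT = _hs(HS_CERTIFICATE, b"\x00\x00\x00")

# Server flight for a site with 2-way auth: Certificate in one record,
# CertificateRequest and ServerHelloDone coalesced into the next.
SAMPLE_WITH_REQUEST = (_record(_EMPTY_CERT)
                       + _record(_hs(HS_CERTIFICATE_REQUEST, _CR_BODY) + _hs(HS_SERVER_HELLO_DONE, b"")))
# Ordinary https site: no CertificateRequest, so no reason to unlock a token.
SAMPLE_WITHOUT_REQUEST = _record(_EMPTY_CERT + _hs(HS_SERVER_HELLO_DONE, b""))
```

A client built this way still has to cope with the token behaviour the comment describes: once a CertificateRequest does arrive, modules that refuse C_FindObjects before login will prompt for the PIN even when no certificate on them matches the CA list, because the match cannot be made without reading the objects.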
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
Is this still an issue?
Flags: needinfo?(bugzilla)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE