Closed Bug 408025 Opened 17 years ago Closed 8 years ago

Asks for token password when visiting SSL sites with SSLVerifyClient set to none

Categories

(Core :: Security: PSM, defect)

x86
Windows Vista
defect
Not set
normal


RESOLVED INCOMPLETE

People

(Reporter: bugzilla, Unassigned, NeedInfo)


Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11

I have installed an eToken with a certificate on it. Whenever I am visiting an https site for the first time after a browser restart, Firefox asks me for the token password. Firefox should only ask to access that certificate if it needs it to comply with a website's clientverify request.

Reproducible: Always

Steps to Reproduce:
1. Install a secure token in Firefox
2. Put a certificate on that token
3. Visit a standard https website
Actual Results:  
Firefox will ask and keep asking for the password of the device

Expected Results:  
Firefox should leave the token alone if the website didn't set SSL client auth as optional or required.

I have a feeling that Firefox cannot know what certificates are on the token before accessing it because it doesn't use a user certificate store like Microsoft. It would be acceptable to have Firefox query the token when a website requires authentication and then find out that no certificate matches the CA. Firefox should not query the tokens when no SSL auth is asked.
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
I remember having seen such a report in the past.

I know that something was done about that in NSS which fixed it for most tokens.

But if I remember correctly, there are tokens with a broken behavior.

I think NSS is trying to iterate through all available certificates, and some tokens require authentication before that works.

Bob?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Dug in the source code and that's exactly it. NSS iterates all the DEVICES and tries to get a certificate list for each of them. Some PKCS #11 modules will ask for PIN before giving that. Any chance that we can just skip the iteration altogether if the remote website doesn't ask for 2 way SSL auth?
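The two comments above describe the mechanism (NSS walks every PKCS #11 device and asks each for its certificate list; some modules refuse to enumerate until the user logs in) and the proposed fix (do not touch the tokens at all unless the server actually sent a CertificateRequest). The following Python model is an added illustration, not NSS or Firefox code: the `Token`, `ServerHello` and selection functions are constructed stand-ins, and the `login_required_to_list` flag models the token behaviour the comments call broken. It counts how many PIN prompts each strategy produces for a plain https visit versus a site that requires client auth.

```python
"""Model of eager vs. lazy PKCS#11 token enumeration during a TLS handshake (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


class PinRequired(Exception):
    """Models CKR_USER_NOT_LOGGED_IN: the token refuses to list objects before C_Login."""


@dataclass
class Cert:
    subject: str
    issuer: str  # matched against the CA names carried in the server's CertificateRequest


@dataclass
class Token:
    """Constructed stand-in for one PKCS#11 slot/token (hypothetical, not an NSS type)."""
    label: str
    certs: List[Cert]
    login_required_to_list: bool  # the behaviour the bug describes: PIN before any enumeration
    logged_in: bool = False

    def login(self, pin: str) -> None:
        self.logged_in = True

    def list_certs(self) -> List[Cert]:
        if self.login_required_to_list and not self.logged_in:
            raise PinRequired(self.label)
        return list(self.certs)


@dataclass
class ServerHello:
    """Only the handshake facts that matter here: did the server send CertificateRequest, and for which CAs."""
    requests_client_cert: bool
    acceptable_cas: List[str] = field(default_factory=list)


PinCallback = Callable[[str], Optional[str]]  # returns the PIN, or None if the user cancels


def enumerate_with_prompts(tokens: List[Token], ask_pin: PinCallback) -> Tuple[List[Cert], int]:
    """Walk every token; prompt and log in when a token refuses to enumerate. Returns (certs, prompt count)."""
    found: List[Cert] = []
    prompts = 0
    for tok in tokens:
        try:
            found.extend(tok.list_certs())
        except PinRequired:
            prompts += 1
            pin = ask_pin(tok.label)
            if pin is None:  # user cancelled: skip this token rather than fail the handshake
                continue
            tok.login(pin)
            found.extend(tok.list_certs())
    return found, prompts


def pick(certs: List[Cert], acceptable_cas: List[str]) -> Optional[Cert]:
    """First certificate whose issuer is in the server's acceptable CA list."""
    for c in certs:
        if c.issuer in acceptable_cas:
            return c
    return None


def eager_select(tokens: List[Token], hello: ServerHello, ask_pin: PinCallback) -> Tuple[Optional[Cert], int]:
    """Reported behaviour: enumerate every device on each handshake, then pick a cert only if asked."""
    certs, prompts = enumerate_with_prompts(tokens, ask_pin)
    if not hello.requests_client_cert:
        return None, prompts
    return pick(certs, hello.acceptable_cas), prompts


def lazy_select(tokens: List[Token], hello: ServerHello, ask_pin: PinCallback) -> Tuple[Optional[Cert], int]:
    """Requested behaviour: leave the tokens untouched unless the server sent CertificateRequest."""
    if not hello.requests_client_cert:
        return None, 0
    certs, prompts = enumerate_with_prompts(tokens, ask_pin)
    return pick(certs, hello.acceptable_cas), prompts


def make_tokens() -> List[Token]:
    """Fresh tokens per handshake, mirroring the 'first visit after a browser restart' case (constructed data)."""
    return [
        Token("eToken", [Cert("CN=alice", "CN=Corp CA")], login_required_to_list=True),
        Token("softoken", [Cert("CN=bob", "CN=Other CA")], login_required_to_list=False),
    ]


if __name__ == "__main__":
    always_1234: PinCallback = lambda label: "1234"
    plain = ServerHello(requests_client_cert=False)
    mutual = ServerHello(requests_client_cert=True, acceptable_cas=["CN=Corp CA"])
    print("plain https, eager:", eager_select(make_tokens(), plain, always_1234))   # prompts once, no cert needed
    print("plain https, lazy: ", lazy_select(make_tokens(), plain, always_1234))    # no prompt at all
    print("client auth, lazy: ", lazy_select(make_tokens(), mutual, always_1234))   # one prompt, alice selected
```

The eager path reproduces the complaint: a PIN prompt on a plain https visit purely because one device will not enumerate unlogged. The lazy path never touches a token until a CertificateRequest arrives, and still prompts when the server genuinely needs a client certificate, which is the trade-off the reporter said would be acceptable.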
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
Is this still an issue?
Flags: needinfo?(bugzilla)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE