Closed Bug 416809 Opened 15 years ago Closed 14 years ago
Create 3rd option for Client Certificate Selection: User Defined Default Selection
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:220.127.116.11) Gecko/20071108 SeaMonkey/1.1.6
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:18.104.22.168) Gecko/20071108 SeaMonkey/1.1.6

For the different roles I may assume, defining the access rights to different web pages, I have different cryptographic key/certificate pairs. When accessing multiple such pages requiring the same certificate, which isn't the choice Mozilla makes according to its own algorithm, the choice of "Ask Every Time" results in tedious re-choosing of the same certificate, which may even happen multiple times per page. The possibility to (re-)define, permanently or for a session, the key and certificate that Mozilla will take automatically for each request from the server would enhance the usability very much. This is similar to the already existing facility to define different certificate/key pairs for different mail accounts in Thunderbird/SeaMonkey.

Therefore my request for enhancement: add a third option to the Client Certificate Selection: Select a Certificate to be Used Automatically.

My use of multiple key pairs is different from the case already mentioned in another bug report where multiple people use the same Mozilla profile, resulting in a security-wise undesirable sharing of the password for the Software Security Device. The fact that the latter scenario would also profit from the requested feature shouldn't be a deterrent.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
I forgot to mention that the certificates belonging to different key pairs have, of course, differing Subject Distinguished Names.
A server that requests client authentication multiple times per page, or even for every page, is a server that has a broken, nonfunctional, or incorrectly configured SSL session cache. This is a server defect. SSL was designed to facilitate repeated connections between the same client and server without necessitating a "full" handshake that exchanges certificates and signatures every time. Mozilla browsers contain full support for this feature of SSL, but apparently many servers (especially free open source servers) do not. Browser users seem to assume that, since the browser is presenting them with the requests for cert selection, the browser must be at fault, and a change to the browser is suggested. It would really be best for all concerned for the users of these deficient servers to lean on the server makers, and get them to make these SSL server session caches work as intended in the SSL/TLS RFC.
I will add that some server admins intentionally configured their servers to disable the session cache, because they want the browser user to be able to choose a potentially different cert for every page. They understand that when the client and server both implement the session cache, after the first connection between a client and server, the server will not ask the client to reauthenticate again for some period of time, and the user will not have an opportunity to change his mind about the cert with which he will be identified until the server asks again. They are trying to solve the "problem" of browser users not having the ability to choose a different cert whenever he pleases.

However, there is a much better solution to that problem than to disable the server's session cache. The SSL client can always, and at any time, choose to "forget" the information about its session with any remote server (or all remote servers). Doing so will force a reauthentication on the next connection to the affected server(s).

The questions for the browser are:
- Is there a way (some UI, such as a menu item or dialog button) for the browser user to cause his session information for one (or all) server(s) to be forgotten?
- If so, what is it?

In WinXP, MS IE has a button labeled "Clear SSL State" in the Content tab of the Internet Options dialog (Tools->Internet Options). That button has the effect of forgetting the session information for all SSL sessions with all servers. I expect that the Firefox UI gurus could design a better solution, including the ability to delete just a single server's session information, if they really want to.
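The comments above attribute the repeated certificate prompts to a server whose SSL session cache is not working. A quick way for an admin to confirm or rule that out is `openssl s_client -connect HOST:443 -reconnect`, which performs the initial handshake and then reconnects five times with the same session and prints one summary line per handshake ("New, ..." for a full handshake, "Reused, ..." for a resumed one). The shell functions below are an added example, not code from this bug thread or from Mozilla; they parse that summary output (a constructed sample is embedded so the check runs offline) and report whether resumption is actually happening. The exact summary-line wording is assumed from current OpenSSL output; older builds print "TLSv1/SSLv3" instead of a specific version, which the pattern below still matches.

```shell
#!/bin/sh
# Constructed sample: what a server with a working session cache prints
# under `openssl s_client -reconnect` (1 full handshake, 5 resumptions).
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

# Constructed sample: a server whose session cache is disabled or broken.
# Every reconnect is a full handshake, so a client cert would be requested
# (and the browser would prompt) every single time.
SAMPLE_BROKEN='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

# count_handshakes OUTPUT
# Prints "<full> <resumed>": the number of "New," and "Reused," summary lines.
# `|| true` keeps grep's exit status 1 (no matches) from aborting under set -e;
# grep -c still prints 0 in that case.
count_handshakes() {
    full=$(printf '%s\n' "$1" | grep -c '^New, ' || true)
    resumed=$(printf '%s\n' "$1" | grep -c '^Reused, ' || true)
    printf '%s %s\n' "$full" "$resumed"
}

# resumption_works OUTPUT
# Exit 0 when exactly one full handshake occurred and at least one reconnect
# was resumed; exit 1 otherwise (cache disabled, broken, or tickets rejected).
resumption_works() {
    set -- $(count_handshakes "$1")
    [ "$1" -eq 1 ] && [ "$2" -ge 1 ]
}

# report OUTPUT LABEL: human-readable verdict for an admin reading the output.
report() {
    if resumption_works "$1"; then
        printf '%s: session cache OK (%s)\n' "$2" "$(count_handshakes "$1")"
    else
        printf '%s: NO RESUMPTION, expect a client-cert prompt per connection (%s)\n' \
            "$2" "$(count_handshakes "$1")"
    fi
}

# Stand-alone run over the constructed samples. Against a live server you
# would feed it the real output instead, e.g.:
#   report "$(openssl s_client -connect HOST:443 -reconnect </dev/null 2>/dev/null)" HOST
report "$SAMPLE_OK" "sample-ok"
report "$SAMPLE_BROKEN" "sample-broken"
```

If the verdict is "NO RESUMPTION", the fix belongs on the server (enable and size the session cache, or session tickets), not in the browser's certificate-selection preference.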
I've been told that in FF3, Tools->"Clear Private Data" brings up a dialog in which you can clear the client's ssl session cache.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 395399