Open Bug 431959 Opened 12 years ago Updated 9 years ago

after removing token, all connections get SSL_ERROR_TOKEN_INSERTION_REMOVAL

Categories

(NSS :: Libraries, defect)

3.11.5
PowerPC
macOS
defect
Not set

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: nelson, Unassigned)

Details

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

A Sun colleague uses a Mac OSX system to connect to an https server that 
requests or requires client authentication.  He has a smart-card that he 
uses with his Mac.  He reports that, before inserting his smart card, 
connection attempts ask him to authenticate.  After inserting his smart 
card and authenticating, things work OK.  But after removing his smart 
card, all further attempts to connect to that same server result in error
-12205, which is SSL_ERROR_TOKEN_INSERTION_REMOVAL.  

I would expect that this error would occur ONCE after removing the smart
card, and then thereafter the browser behavior would go back to behaving
as it did before the smart card was first inserted.

I received some more correspondence regarding this issue.  Quoted below.

> Scenario :
> 
> I connect to the HTTPS URL
> FF asks me for the PIN code for the smart card and lets me select a certificate
> authentication is OK, I can see the app web page
> I remove the card
> I hit CTRL-R (page reload) - I got the FF error message (first time)
> I hit CTRL-R (page reload) - I got the FF error message (second time)
> I hit CTRL-R (page reload) - I got the FF certificate selection screen - I choose a certificate from my local software store
> no error message, the web page is still here
> I hit CTRL-R (page reload) - no error message, the web page is still here
> I can still navigate to other pages in the web app too
> 
> I waited 10+ minutes ... same result !
> This means that when the card is removed, and as long as FF is open, we can access the protected web site.
> This is a major show stopper

I asked him what happens when the card is reinserted.

> I connect to the HTTPS URL
> FF asks me for the PIN code for the smart card and lets me select a certificate
> authentication is OK, I can see the app web page
> I remove the card
> I hit CTRL-R (page reload) - I got the FF error message (first time)
> I reinsert the card
> I hit CTRL-R (page reload) - I got the FF error message (second time) **
> I hit CTRL-R (page reload)
> FF asks me for the card PIN code + to choose a certificate
> Authentication succeeds
> 
> Besides the step marked with **, this is the expected behavior
> Not a big deal.

So, I think there are two issues here:
1) why does the SSL_ERROR_TOKEN_INSERTION_REMOVAL happen twice in a row?
   (why not once, or why not many times?)
2) why does the SSL session APPEAR to resume working normally after two 
   reports of SSL_ERROR_TOKEN_INSERTION_REMOVAL?  This could be a server 
   issue rather than a browser issue.  

I am Nelson's colleague ;-)
Further information:
Server side is a regular Glassfish v2UR2 with OpenSSO v1 build 3
SSL authentication is verified at the glassfish level (which manages the SSL session) and at OpenSSO level