Open Bug 512437 Opened 15 years ago Updated 2 years ago

provide better error message when client cert authentication fails

Categories

(Core :: Security: PSM, enhancement, P3)

x86
Windows Vista
enhancement

UNCONFIRMED

People

(Reporter: hauser, Unassigned)

Details

(Whiteboard: [psm-auth][psm-backlog])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

When authenticating to an https site where the browser has no certificate-issuing CAs in common with the server's tomcat5.5, the browser shows
<<Secure Connection Failed

An error occurred during a connection to 192.168.1.185:8443.

SSL peer cannot verify your certificate.

(Error code: ssl_error_bad_cert_alert)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.>>

To be useful, the message should list
1) the permitted CA list the server sent
2) the issuing CAs of the client-certs installed in the browser per leaf-cert DN

Reproducible: Always

Steps to Reproduce:
Do not have a certificate in your browser; log in to a site that requires certificates.
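An added example, not part of the original report and not Firefox/PSM code: a sketch of the diagnostic the report asks for, listing the CA names the server sent and the issuer of each installed client certificate, then showing which certificates qualify. It assumes the TLS 1.2 `CertificateRequest` body layout (TLS 1.0/1.1 omit the signature-algorithms field) and matching by exact DER bytes of the issuer name; all function names and sample data are constructed for illustration.

```python
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
def make_dn(**attrs):  # sample-data helper: DER Name, one attribute per RDN, short lengths only
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    oid = {name: der for der, name in OIDS.items()}
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid[k]) + tlv(0x0C, v.encode())))
        for k, v in attrs.items()))

def read_tlv(buf, pos):  # -> (value, next_pos) of the DER element starting at pos
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + n], pos + n

def dn_to_str(der):  # render the first attribute of each RDN as 'O=...,CN=...'
    rdns, _ = read_tlv(der, 0)
    parts, pos = [], 0
    while pos < len(rdns):
        rdn, pos = read_tlv(rdns, pos)   # SET
        atv, _ = read_tlv(rdn, 0)        # SEQUENCE { type, value }
        oid, p = read_tlv(atv, 0)
        val, _ = read_tlv(atv, p)
        parts.append(f"{OIDS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def parse_certificate_request(body):  # TLS 1.2 body -> DER DNs in certificate_authorities
    u16 = lambda p: int.from_bytes(body[p:p + 2], "big")
    pos = 1 + body[0]        # skip certificate_types
    pos += 2 + u16(pos)      # skip supported_signature_algorithms
    end, pos, cas = pos + 2 + u16(pos), pos + 2, []
    if end > len(body):
        raise ValueError("truncated CertificateRequest")
    while pos < end:
        cas.append(body[pos + 2:pos + 2 + u16(pos)])
        pos += 2 + u16(pos)
    return cas

def diagnose(server_cas, client_certs):  # client_certs: subject string -> issuer DER Name
    return {"server_accepts": [dn_to_str(c) for c in server_cas],
            "client_issuers": {s: dn_to_str(i) for s, i in client_certs.items()},
            "usable": [s for s, i in client_certs.items() if not server_cas or i in server_cas]}

# Constructed sample data (not taken from the bug report)
SERVER_CA = make_dn(O="Example Corp", CN="Internal CA")
CA_LIST = len(SERVER_CA).to_bytes(2, "big") + SERVER_CA
SAMPLE_REQUEST = b"\x02\x01\x40\x00\x02\x04\x01" + len(CA_LIST).to_bytes(2, "big") + CA_LIST
CLIENT_CERTS = {"CN=alice": make_dn(O="Other Org", CN="Other CA")}
print(diagnose(parse_certificate_request(SAMPLE_REQUEST), CLIENT_CERTS))
```

An empty `usable` list alongside a non-empty `server_accepts` list is the situation in the report; an empty `server_accepts` list means the server named no CAs, so every installed certificate is a candidate.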
Assignee: nobody → kaie
Component: Security → Security: UI
Product: Firefox → Core
QA Contact: firefox → ui
Version: unspecified → Trunk
Usually that happens also when there is NO client certificate matching or even installed into the browser. "SSL peer cannot verify your certificate" is highly misleading.

Initially I thought this is a dup, but couldn't find one.
The Thunderbird/Seamonkey error messages often are not very helpful or do not occur.

For example in comparison with the Mail-Client Becky:


Example 1:

Error: GMX-POP-Server could not be used because registration was not fully finished

Becky said: -ERR may not use our POP

TB/SM said: Nothing. They just acted as if there was no new mail in the inbox.



Example 2:

Error: Wrong settings with SSL or authentication on a Yahoo POP or SMTP-Server

Becky said: "A communication problem occured on sending mail. The server or the network may be having a trouble."

TB/SM: They tried for half a minute and then noticed some server timeout.



I also noticed with other settings (especially wrong ports or SSL settings) that Becky showed up the correct error quite soon while TB/SM tried around and then just mentioned a timeout or sudden loss of connection.

This affected the Thunderbird 2.0.0.23 as well as Seamonkey 2.0.
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Whiteboard: [psm-clientauth]
Whiteboard: [psm-clientauth] → [psm-auth]
Component: Security: UI → Security: PSM
Priority: -- → P3
Whiteboard: [psm-auth] → [psm-auth][psm-backlog]
Severity: normal → S3