Firefox does not respond to servers rejecting client side certificates

Component: Security: PSM
Reported: 7 years ago
Modified: a year ago


(Reporter: Henry Story, Unassigned)



(Whiteboard: [psm-auth][psm-tcpip][psm-clientauth])



Description (7 years ago)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv: Gecko/20100722 Firefox/3.6.8

If the server rejects a client side certificate (past due date) Firefox reconnects with exactly the same certificate. This means that the server cannot get the user to change certificate if the user mistakenly chooses the wrong one.

Reproducible: Always

Steps to Reproduce:
1. download the mini test server that is open source at
 $  git clone

2. run it as explained in the README - it downloads apache jetty from maven central

3. Connect to http://localhost:8443/ 

4. You can select some of the exceptions made available by the Java VM, such as certificate being out of date, etc... And don't forget to reset the session by clicking the "reset ssl session" button.

5. click the "Set" button (could put a better name)

6. you will arrive on a page that shows that the session has been cleared, and that the exception will be thrown on the next connection.

7. click the next page button

8. When that is done
Actual Results:  
A1. The web browser shows a "Secure Connection Failed" page with a button "Try Again"
A2. If you click the Try Again button, the exact same certificate used previously is sent again.

Expected Results:  
Instead of A1. Firefox should immediately ask the user for a certificate selection box where he should be able to choose which certificate to use (he should be able to select the same one of course - so that we can do testing like this, though perhaps it should be moved to the back of the selection list)

The exceptions thrown by the JVM should produce the error messages specified by the TLS RFC.

The codes are described in a little more detail here

     bad_certificate: A certificate was corrupt, contained signatures that did not
     verify correctly, etc.

     unsupported_certificate: A certificate was of an unsupported type.

     certificate_revoked: A certificate was revoked by its signer.

     certificate_expired: A certificate has expired or is not currently valid.

     certificate_unknown: Some other (unspecified) issue arose in processing the
     certificate, rendering it unacceptable.
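The following is an added example, not code from Firefox/PSM or from the reporter's Jetty test server. It shows the two pieces the report is about on the wire: the server aborting the handshake with one of the certificate-related TLS alerts above (built here as a raw TLS record, RFC 5246 section 6.2.1 framing, alert codes from section 7.2.2), and the client-side retry policy the reporter asks for, namely re-prompting for a certificate and moving the rejected one to the back of the list instead of silently resending it. The certificate nicknames are constructed stand-ins for a client's certificate store.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Alert descriptions that concern the peer's certificate, RFC 5246 section 7.2.2.
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
}
# A few other alerts, so that the policy below can tell them apart.
OTHER_ALERTS = {0: "close_notify", 40: "handshake_failure", 48: "unknown_ca"}
ALERT_NAMES = {**CERT_ALERTS, **OTHER_ALERTS}

CONTENT_TYPE_ALERT = 0x15   # TLS record ContentType alert(21)
ALERT_LEVEL_FATAL = 2


@dataclass
class Alert:
    level: int         # 1 = warning, 2 = fatal
    description: int

    @property
    def name(self) -> str:
        return ALERT_NAMES.get(self.description, f"unknown({self.description})")

    @property
    def about_certificate(self) -> bool:
        return self.description in CERT_ALERTS


def build_alert_record(level: int, description: int, version=(3, 3)) -> bytes:
    """Server side: one plaintext TLS record carrying an Alert (version 3.3 = TLS 1.2)."""
    return struct.pack("!BBBHBB", CONTENT_TYPE_ALERT, version[0], version[1], 2,
                       level, description)


def parse_alert_record(record: bytes) -> Optional[Alert]:
    """Client side: parse one plaintext TLS record; return its Alert, or None if it is not an alert."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    if ctype != CONTENT_TYPE_ALERT:
        return None
    if length != 2:
        raise ValueError("alert body must be exactly level + description")
    return Alert(level=body[0], description=body[1])


def next_attempt(alert: Optional[Alert], rejected: str,
                 candidates: List[str]) -> Tuple[bool, List[str]]:
    """Decide what the client does after the server aborted the handshake.

    Returns (prompt_user, ordered_candidates). For a certificate-related alert the
    user must be asked again, with the rejected certificate offered last rather than
    resent unchanged; for anything else a plain reconnect with the same choice is fine.
    """
    if alert is None or not alert.about_certificate:
        return False, list(candidates)
    others = [c for c in candidates if c != rejected]
    return True, others + [rejected]


if __name__ == "__main__":
    # Constructed client certificate store: the user first picked the expired one.
    store = ["henry-old (expired)", "henry-2010"]
    rec = build_alert_record(ALERT_LEVEL_FATAL, 45)      # server: certificate_expired
    alert = parse_alert_record(rec)
    print(rec.hex(), "->", alert.name)
    print(next_attempt(alert, store[0], store))         # (True, ['henry-2010', 'henry-old (expired)'])
```

The policy deliberately keeps the rejected certificate selectable (at the end of the list), matching the reporter's note that testing a server with a known-bad certificate must remain possible.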

Comment 1

7 years ago
of course that should be https://localhost:8443/ above, and jetty is not an apache project. Sorry for the typos.

Comment 2

7 years ago
This is a serious error in my opinion, since it seriously inhibits the use of mutual authentication using client-side certificates.


7 years ago
Ever confirmed: true
Whiteboard: [psm-clientauth][psm-tcpip]


7 years ago
Whiteboard: [psm-clientauth][psm-tcpip] → [psm-auth][psm-tcpip]
Component: Security: UI → Security: PSM
Priority: -- → P3
Whiteboard: [psm-auth][psm-tcpip] → [psm-auth][psm-tcpip][psm-clientauth]