Bug 593066 - Firefox does not respond to servers rejecting client side certificates
Status: NEW
Whiteboard: [psm-auth][psm-tcpip][psm-clientauth]
Product: Core
Classification: Components
Component: Security: PSM
Version: unspecified
Platform: x86 Mac OS X
Importance: P3 major with 2 votes
Assigned To: Nobody; OK to take it and work on it
Triage Owner: David Keeler [:keeler]
URL: http://localhost:8443
Reported: 2010-09-02 10:21 PDT by Henry Story
Modified: 2016-08-30 15:29 PDT
CC: 3 users

Description Henry Story 2010-09-02 10:21:43 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

If the server rejects a client side certificate (past due date), Firefox reconnects with exactly the same certificate. This means that the server cannot get the user to change certificates if the user mistakenly chooses the wrong one.

Reproducible: Always

Steps to Reproduce:
1. download the mini test server that is open source at http://github.com/bblfish/TLS_test
 $  git clone http://github.com/bblfish/TLS_test.git

2. Run it as explained in the README - it downloads Apache Jetty from Maven Central

3. Connect to http://localhost:8443/ 

4. You can select some of the exceptions made available by the Java VM, such as the certificate being out of date, etc. And don't forget to reset the session by clicking the "reset ssl session" button.

5. click the "Set" button (could put a better name)

6. You will arrive on a page that shows that the session has been cleared, and that the exception will be thrown on the next connection.

7. Click the next page button

8. When that is done
Actual Results:
A1. The web browser shows a "Secure Connection Failed" page with a button "Try Again"
A2. If you click the Try Again button, the exact same certificate used previously is sent again.

Expected Results:
Instead of A1. Firefox should immediately ask the user for a certificate selection box where he should be able to choose which certificate to use (he should be able to select the same one of course - so that we can do testing like this, though perhaps it should be moved to the back of the selection list)


The exceptions thrown by the JVM should produce error messages specified by the TLS RFC

http://tools.ietf.org/html/rfc4346#section-7.2

The codes are described in a little more detail here

http://tools.ietf.org/html/rfc4346#section-7.2.2

  bad_certificate
     A certificate was corrupt, contained signatures that did not
     verify correctly, etc.

  unsupported_certificate
     A certificate was of an unsupported type.

  certificate_revoked
     A certificate was revoked by its signer.

  certificate_expired
     A certificate has expired or is not currently valid.

  certificate_unknown
     Some other (unspecified) issue arose in processing the
     certificate, rendering it unacceptable.
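As an added illustration (not code from this bug report or from Firefox/PSM): a Python sketch of the client-side behaviour the reporter asks for. It parses the server's plaintext TLS alert record, re-prompts only when the alert is one of the certificate alerts quoted above, and moves the rejected certificate to the back of the selection list instead of re-sending it; the certificate blobs and alert bytes are constructed sample data.

```python
import struct

ALERT_RECORD_TYPE = 0x15  # TLS record-layer content type for alerts
# Certificate-related AlertDescription values from RFC 4346 section 7.2.2
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown"}

def parse_alert(record: bytes):
    """(level, description) for a plaintext alert record, None otherwise."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT_RECORD_TYPE:
        return None
    if length != 2 or len(record) < 7:
        raise ValueError("malformed alert body")
    level, desc = record[5], record[6]
    return ("fatal" if level == 2 else "warning",
            CERT_ALERTS.get(desc, f"alert_{desc}"))

class ClientCertChooser:
    """Remembers which client certificates this server rejected so a retry
    re-prompts the user instead of silently re-sending the same one."""
    def __init__(self, certs):
        self._certs = list(certs)  # DER blobs (constructed sample bytes here)
        self._rejected = {}        # DER blob -> alert description
        self._current = None       # certificate sent in the last handshake

    def candidates(self):
        """Dialog order: untried certificates first, rejected ones last (still
        selectable, as the reporter asks, but never the silent default)."""
        fresh = [c for c in self._certs if c not in self._rejected]
        return fresh + [c for c in self._certs if c in self._rejected]

    def select(self, der: bytes) -> None:
        self._current = der

    def server_rejected(self, record: bytes):
        """Feed the server's reply to a failed handshake: the alert description
        when the user must be re-prompted, None when the cert is not to blame."""
        parsed = parse_alert(record)
        if parsed is None or self._current is None:
            return None
        _level, name = parsed
        if name not in CERT_ALERTS.values():
            return None
        self._rejected[self._current] = name
        return name
```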
Comment 1 Henry Story 2010-09-02 10:49:16 PDT
of course that should be https://localhost:8443/ above, and jetty is not an apache project. Sorry for the typos.
Comment 2 David Chadwick 2010-09-03 04:45:25 PDT
This is a serious error in my opinion, since it seriously inhibits the use of mutual authentication using client side certificates.
