Closed Bug 624075
Opened 14 years ago
Closed 14 years ago
TLS client authentication fails with latest Firefox 4 nightlies (nsNSSIOLayer calling into PrefService off of the main thread)
Categories (Core :: Security: PSM, defect)
Tracking: VERIFIED DUPLICATE of bug 624514
| | Tracking | Status |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People (Reporter: guillaume.romagny, Unassigned)
Details (Keywords: regression, Whiteboard: [hardblocker])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Minefield 4.0b9pre 2011-01-07
Hello,
I can do X509 client certificate login with www.cacert.org (in fact secure.cacert.org) with IE 8 and Firefox 3.6 (up-to-date) on Win7_64 but recently I just can no longer do certificate login with FF 4pre9.
I have a valid CAcert.org certificate and all CAcert roots certs added in the keystore.
I have tried the automatic cert selection or manual selection in FF4, I have checked I have a valid certificate in the keystore, FF4 no longer proposes to select a client certificate, so the login fails with:
"Secure Connection Failed
An error occurred during a connection to secure.cacert.org.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site."
Have you reinforced SSL negotiation schemas (dropped some old SSL protocols)?
Best regards,
Guillaume Romagny
Reproducible: Always
Steps to Reproduce:
1. connect to https://secure.cacert.org/index.php?id=4
Actual Results:
No way to select a client certificate, then FF4 displays:
Secure Connection Failed
An error occurred during a connection to secure.cacert.org.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
Expected Results:
X509 Client certificate login to the website.
Comment 1 (Reporter) • 14 years ago
I have tested with all plugins disabled.
I don't understand why I have "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
Version: unspecified → trunk
(In reply to comment #0)
> Have you reinforced SSL negotiation schemas (dropped some old SSL protocols)?
Yes: bug 535649 comment 67
Time to apply http://www.debian.org/security/2011/dsa-2141 on the CAcert infrastructure.
Assignee: nobody → nobody
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Component: Build → Security: UI
OS: Windows 7 → All
Product: NSS → Core
QA Contact: build → ui
Hardware: x86 → All
Resolution: --- → INVALID
Version: trunk → Trunk
Comment 3 (Reporter) • 14 years ago
Thank you Kaspar, I will forward to CAcert sysadmin team to check.
Guillaume, it turns out that my conclusion in comment 2 was somewhat premature. After another look at this issue, I noticed that you were testing with "Minefield 4.0b9pre 2011-01-07", which happens to be one of the (first) nightlies where bug 585706 is becoming a real issue, in particular when it comes to using client auth.
Upgrading the CAcert systems won't help with this particular problem, actually (but of course it doesn't hurt to apply the patches from DSA-2141).
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INVALID → ---
So, for the sake of clarity: it's separate from the issue in bug 585706 (which deals with nsNSSCertificateDB), and here's again the analysis, which I originally posted to that other bug:
Note that after this commit here:
http://hg.mozilla.org/mozilla-central/rev/d2856d5970b6
this is getting to be a real issue with PSM - it breaks TLS client auth, among others.
Here's a stack showing what happens when NSS is calling PSM, to ask for a client cert:
nsPrefService::CheckAndLogBackgroundThreadUse
nsPrefBranch::GetCharPref
nsPrefService::GetCharPref
nsGetUserCertChoice
nsNSS_SSLGetClientAuthData
ssl3_HandleCertificateRequest
[...]
What happens is that
pref->GetCharPref("security.default_personal_cert", &mode);
in nsNSSIOLayer.cpp:nsGetUserCertChoice fails (GetCharPref returns NS_ERROR_UNEXPECTED), which means that nsNSS_SSLGetClientAuthData won't ever supply a client cert to NSS (irrespective of whether security.default_personal_cert is set to "Ask Every Time" or "Select Automatically").
Status: REOPENED → NEW
Component: Security: UI → Security: PSM
QA Contact: ui → psm
Summary: Impossible to do x509 client certificate login with recent Firefox 4 version (CAcert website) → TLS client authentication fails with latest Firefox 4 nightlies (nsNSSIOLayer calling into PrefService off of the main thread)
Comment 6 (Reporter) • 14 years ago
Hello Kaspar,
the CAcert "critical system" team is usually pro-active regarding the patching of the Debian distros.
I confirm FF4 no longer requests a certificate to login (whatever the option to select the cert manually or automatically)... I have tried to change the option like in bug 535649 comment 67 but *** it still fails ***.
Your first review was quite logical: the initial negotiation fails, so no client cert is requested.
So thanks for re-reading the request. I'll forward to the CAcert sysadmin.
Best regards,
Guillaume
Comment 7 (Reporter) • 14 years ago
Hello,
I also have tested with FF4 Ubuntu PPA
MineField 4.0b9pre (2011-01-09) Mozilla Firefox for Ubuntu canonical - 1.0
And I have the same problem.
So the problem is cross-platform.
Best regards,
Guillaume
Comment 8 (Reporter) • 14 years ago
On Ubuntu, the following Lucid version works fine with client certificate login:
version 3.6.14pre Mozilla Firefox for Ubuntu canonical - 1.0
Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.14pre) Gecko/20110107 Ubuntu/10.04 (lucid) Namoroka/3.6.14pre
Updated • 14 years ago
blocking2.0: --- → ?
Keywords: regression
Guillaume: you don't have to test further to track down what versions are affected (I already adapted the platform fields for this entry, BTW). It's actually clear by now that this is a regression caused by changeset 60055:d2856d5970b6 (committed on 6th January 2011 00:32 UTC).
You can use one of the nightlies at http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011-01-05-03-mozilla-central/, and I'd bet it will work with these versions. Also, note that nightlies are different from beta versions - they include more recent, but somewhat less tested code (with 4.0b8 you wouldn't have run into this problem either).
Comment 11 • 14 years ago
Are there any suggestions how this should be fixed?
Most clear should probably be to cache and observe the value in PSM component
and protect it with a mutex. I can do this.
Kaspar, what do you think?
Comment 12 (Reporter) • 14 years ago
Hello Kaspar,
(In reply to comment #9)
> Guillaume: you don't have to test further to track down what versions are
> affected (I already adapted the platform fields for this entry, BTW). It's
> actually clear by now that this is a regression caused by changeset
OK, good & thanks... but I will keep using the nightlies anyway. If I need to connect to CAcert, I will start FF 3.6 :)
Best regards,
Guillaume
Comment 13 • 14 years ago
(In reply to comment #11)
> Most clear should probably be to cache and observe the value in PSM component
> and protect it with a mutex. I can do this.
>
> Kaspar, what do you think?
Well, I'm probably not the best person to judge this, but it's what bz suggested for bug 585706, so it can't be that wrong, I guess :-)
Another question is whether we should continue treating a failure of GetCharPref as "fatal" in nsGetUserCertChoice, or whether we should simply default to *certChoice = ASK in this case (it might hide future issues with accessing the PrefService, yes, but at least it would allow the user to select a cert and continue, anyway).
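The failure analysed in comment 5 and the cache-plus-mutex fix proposed in comments 11 and 13, as an added C++ sketch that is not PSM's own code: the nsresult enum, the pref-service stand-in, the stored pref string and the worker-thread helper are constructed for illustration. The direct lookup returns NS_ERROR_UNEXPECTED when called off the main thread, while the copy refreshed on the main thread can be read from any thread.

```cpp
#include <mutex>
#include <string>
#include <thread>
// Constructed stand-ins for nsresult and the pref values named in the bug.
enum nsresult { NS_OK = 0, NS_ERROR_UNEXPECTED = 1 };
enum CertChoice { UNKNOWN = -1, ASK = 0, AUTO = 1 };
static const std::thread::id kMainThread = std::this_thread::get_id();  // static init runs on the main thread
static std::string gPrefValue = "Ask Every Time";  // hypothetical stored pref

// Stand-in PrefService: like nsPrefService::CheckAndLogBackgroundThreadUse, it refuses reads off the main thread.
nsresult GetCharPref(const char* name, std::string* out) {
  if (std::this_thread::get_id() != kMainThread) return NS_ERROR_UNEXPECTED;
  if (std::string(name) != "security.default_personal_cert") return NS_ERROR_UNEXPECTED;
  *out = gPrefValue;
  return NS_OK;
}

// Regressed path (comment 5): the pref is read directly, so the lookup fails
// when NSS calls back into PSM from its socket thread and no cert is offered.
nsresult GetUserCertChoiceDirect(CertChoice* choice) {
  std::string mode;
  nsresult rv = GetCharPref("security.default_personal_cert", &mode);
  if (rv != NS_OK) return rv;
  *choice = (mode == "Select Automatically") ? AUTO : ASK;
  return NS_OK;
}

// Fix sketched in comments 11/13: refresh a cached copy on the main thread
// (a pref observer would call this on change) and serve it under a mutex.
static std::mutex gCacheLock;
static CertChoice gCachedChoice = ASK;
nsresult RefreshCertChoiceCache() {  // main thread only
  std::string mode;
  nsresult rv = GetCharPref("security.default_personal_cert", &mode);
  if (rv != NS_OK) return rv;
  std::lock_guard<std::mutex> guard(gCacheLock);
  gCachedChoice = (mode == "Select Automatically") ? AUTO : ASK;
  return NS_OK;
}
nsresult GetUserCertChoiceCached(CertChoice* choice) {
  std::lock_guard<std::mutex> guard(gCacheLock);
  *choice = gCachedChoice;
  return NS_OK;
}

// Runs a lookup on a worker thread, as NSS does when it asks PSM for a client cert.
nsresult CallOffMainThread(nsresult (*fn)(CertChoice*), CertChoice* choice) {
  nsresult rv = NS_OK;
  std::thread worker([&] { rv = fn(choice); });
  worker.join();
  return rv;
}
```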
Comment 14 • 14 years ago
The real fix for this bug will happen for bug 624514 but we already backed out the patch that caused this regression. Resolving as a dupe of 624514.
Status: NEW → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [hardblocker]
Comment 16 (Reporter) • 14 years ago
(In reply to comment #14)
> The real fix for this bug will happen for bug 624514 but we already backed out
> the patch that caused this regression. Resolving as a dupe of 624514.
>
> *** This bug has been marked as a duplicate of bug 624514 ***
With Minefield version 4.0b10pre 2011-01-13 the client certificate login seems to work. Thanks.
Comment 17 (Reporter) • 14 years ago
(In reply to comment #16)
> (In reply to comment #14)
> > The real fix for this bug will happen for bug 624514 but we already backed out
> > the patch that caused this regression. Resolving as a dupe of 624514.
> >
> > *** This bug has been marked as a duplicate of bug 624514 ***
>
> Minefield version 4.0b10pre 2011-01-13 the client certificate login seems to
> work. thanks.
Side note: at the same time, I was no longer able to back up a personal certificate (PKCS#12 format with private key) from the keystore. FF4 requested a filename for the backup, then just stopped without requesting a password to cipher the private key of the PKCS#12 file.
This problem seems to have disappeared at the same time. I won't open a new bug request.
Best regards,
Guillaume
Updated • 14 years ago
blocking2.0: ? → betaN+