Remember user's client certificate selection across sessions

NEW
Unassigned

Status

()

--
minor
8 years ago
9 months ago

People

(Reporter: t.petrzilka, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows NT 6.1; rv:2.0b11) Gecko/20100101 Firefox/4.0b11
Build Identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.0b11) Gecko/20100101 Firefox/4.0b11

When page requires user certificate for https connection, the dialog for selecting right certificate comes every time after browser restart, although, option at the bottom of dialog to remember my choice was previously selected. (certificate is already successfully imported in browser)

Reproducible: Always

Steps to Reproduce:
0.Goto site configured for https connection requiring user certificate, select right certificate and mark checkbox to remember this choice in the dialog, continue.

1.Restart Firefox
2.Goto site configured for https connection requiring user certificate
Actual Results:  
The dialog for selecting certificate shows up again.


Expected Results:  
Firefox should connect to the site without any inquiries about selecting certificate.
(Reporter)

Comment 1

8 years ago
Created attachment 512876 [details]
Screenshot of dialog (czech language)
Adg asked to have this bug assigned to them.
Assignee: nobody → amandeepgautam

Comment 3

8 years ago
I was not able to reproduce the bug on Firefox/4.0b11 as told. If you check the button corresponding to the "permanently store this exception" firefox successfully remembers->options->advanced->encryption->view certificates->servers.
Assignee: amandeepgautam → nobody
Tomas, can you try to reproduce this with the latest nightly Firefox 4.0b12pre?  Thanks.
(Reporter)

Comment 5

8 years ago
I can confirm, that FF 4.0b12 (not nightly) is still behaving as described before.

Also when the dialog for choosing the certificate is canceled it won't come back after attempt for another connection to the server.

----
Firefox 4.0b12 
Mozilla/5.0 (Windows NT 6.1; rv:2.0b12) Gecko/20100101 Firefox/4.0b12
(Reporter)

Comment 6

8 years ago
(In reply to comment #3)
> I was not able to reproduce the bug on Firefox/4.0b11 as told. If you check the
> button corresponding to the "permanently store this exception" firefox
> successfully remembers->options->advanced->encryption->view
> certificates->servers.

The certificate is client-side so the exception dialog in: options->advanced->encryption->view certificates->servers
is not useful cause there is no server URL to remember the exception for.

The dialog I described is IMHO shown at very rare circumstances as for professional use mostly.. But still used.. 

It's just a glitch with lower importance..
Severity: normal → minor
Adding Paul to the cc list of this bug. Paul, is there some interaction with Session Store that could be causing this bug?

Tomas, would it be possible for you to either link or attach a test case we can use to try to reproduce this bug?
(In reply to comment #7)
> Adding Paul to the cc list of this bug. Paul, is there some interaction with
> Session Store that could be causing this bug?

Session Restore doesn't do anything with certs, so highly unlikely.

Comment 9

7 years ago
I also have this problem with an Aladdin E-Token.

Comment 10

7 years ago
I had the same 'issue' as described above, but I recognized the flag "Options->Advanced->Encryption->Certificates - When a site asks for a certificate:" (or similar, using German version). I switched from "Ask everytime" to "Select one automatically".
However, I'm not sure what this means exactlly does - in my opinion this misses a third option like "Ask only if new" or something. Maybe "Ask everytime" just ignores already stored site-cert associations?

---
Firefox 7.0.1 (German)
Win 7 x64

Comment 11

4 years ago
I have been annoyed by this problem for years, mentioned in in talks, discussed it with Anne van K in the TAG, and general taken it as indicating a lack of interest at Mozilla in client-side certs.   (Chrome does not have this problem, and so is easier to use if you use client certs a lot.)  At least from the discussion here it seems to be recognized as  bug -- but has a status of "UNCONFIRMED" surprises me.  So maybe it difficult to reproduce.  If it is supposed to work, where is the site->cert mapping stored?
For what it's worth, I can reproduce the bug. You're right that client-side certificate-related features aren't a high priority right now, since the majority of our users don't use them. It's unfortunate, but limited engineering resources mean we can't address everything we might want to.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 13

4 years ago
Sufficient support of client certificates is one of the reasons, I use FireFox.

(In reply to Tim Berners-Lee from comment #11)
> So maybe it difficult to reproduce.

To my experience reproduction of this issue requires not very typical configuration: it need user, having several the same time valid client certificates in a certification chain. That, as I know, is not typical.
In the rest cases auto-fit client certificate works rather well.

(In reply to David Keeler [:keeler] (use needinfo?) from comment #12)
> For what it's worth, I can reproduce the bug. You're right that client-side
> certificate-related features aren't a high priority right now, since the
> majority of our users don't use them. It's unfortunate, but limited
> engineering resources mean we can't address everything we might want to.

Orienting on popularity NOW you can miss future.
Support of client certificates is not widely spread (yet?), but very _important_ (!) feature.

This feature (client certificates) is lessly used, than it should, because of insufficient support in clients.
And is lessly supported because of rare use.

P.S. Not long ago I've generate a certificate set for localhost to reproduce this issue.
If Mozilla developers need, I can attach these certs to this bug and, if necessary, consult in configuration of Apache web server (although it seems to be trivial).
Duplicate of this bug: 1161931
This bug could have a more straightforward summary.
Summary: ff doesn't remember choice of certificate for https connection from previous session although "remember choice was selected" → Remember user's client certificate selection across sessions

Updated

4 years ago
Duplicate of this bug: 949443

Comment 17

3 years ago
Ref. my reply to related Thunderbird bug 803975 comment #6

In the present context, does the behaviour happen even if the preference "Ask me every time" is not selected?

In any case there is still Tim Berners-Lee's question in comment #11:
> If it is supposed to work, where is the site->cert mapping stored?

Updated

3 years ago
Duplicate of this bug: 1184411

Updated

3 years ago
Duplicate of this bug: 803975

Updated

3 years ago
Blocks: 803975

Updated

2 years ago
Duplicate of this bug: 1300289

Comment 21

9 months ago
Starting a few FF versions ago, now (v57.0.4) the "Remember this decision" doesn't work even in the same session (no restarts in between). After a while FF will ask the user to select a certificate for a site for which the user already selected it.

A related question is: what is the difference between enabling or disabling "Remember this decision" ? In a quick test it seems there is no difference. In both cases the choice is remembered (for a while).

(In reply to Tim Berners-Lee from comment #11)
> I have been annoyed by this problem for years
or for decades

> taken it as indicating a lack of interest at Mozilla in client-side certs.
Apparently. The subpar (to put it mildly) support in browsers drives both users and developers to abandon using certificates for client authentication and use other less secure alternatives.
Which the makes browser developers say: But look, nobody uses this stuff anyway...

> So maybe it difficult to reproduce.
Nope, it happens every time, reliably.
You need to log in before you can comment on or make changes to this bug.