Closed Bug 801110 Opened 12 years ago Closed 12 years ago

SSL Client Certificate Fails with Firefox on Mac OS X

Component: Core :: Security: PSM (defect)
Hardware: Other
OS: macOS
Priority: Not set
Severity: normal
Status: RESOLVED INVALID

Reporter: tom.browder
Assignee: Unassigned

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4

Steps to reproduce:
With Firefox on Mac OS X I imported an SSL client certificate and then tried to access the public area of a web site with this Apache directive (in server context): SSLVerifyClient optional

Actual results:
I got no access and received this error: SSL peer has rejected your certificate as expired. (Error code: ssl_error_expired_cert_alert) When I view the cert on the Mac it clearly shows an expiration date approximately one year from now.

Expected results:
I should have been able to access both the public and private areas of the site.
Severity: normal → critical
OS: Linux → Mac OS X
Hardware: x86_64 → Other
I filed the same bug with Apple, and I reported the problem on the Open SSL and Apache users' mailing lists.
Does it work with other browsers like Safari? Is the time on the server correct?
Severity: critical → normal
No, on Mac OS X Safari fails with another error: The server did not accept the certificate. (NSURLErrorDomain:-1205) Note that, through Google searches, I have seen many conversations about SSL certificate problems with Mac OS X and believe their handling of the certs to be the basis of the real problem (perhaps the Keychain app). I have a group of 40 classmates testing web site access with SSL client certs I generate and only the 5 Mac OS X guys are having trouble--all other OSs and browsers work fine, and Firefox seems to be the best of the lot (other than on Mac OS X). My purpose for filing the bug is to raise awareness and hope that Firefox has good relations with Apple such that more effort can be put into solving the problem in this area which is critical from my perspective.
Sorry, the server time is correct. On Linux Firefox shows the certificate as having been issued on 9/10/12 and expiring on 9/10/13.
Firefox doesn't use the OS X Keychain. Firefox comes with its own certificate database with its own set of root certificates and its own SSL libs (NSS). The code is the same on all platforms and the behavior should be the same on all platforms (Windows, Linux, OS X, ...). The OS is only involved in special cases like NTLM authentication on Windows. Is your certificate chained to an intermediate certificate? Your server has to send the whole certificate chain, and a missing intermediate may cause this. You would not see errors on every Firefox installation since Firefox caches already received intermediate certificates from any sites in the Firefox user profile. Just a note: this bug database is a tool for our developers to manage their work and our products. We fix bugs in the Firefox code, but every report about bugs in other products is invalid. You can't use "us" to report bugs to Apple.
Re: just a note => I understand. My server certificate is from Start SSL and is recognized as okay on Linux. It is also recognized on Mac OS X when no client certificate is involved. My client certificates are self-generated. I am happy to send you the test certificate, the password, and a link to the site (both public and private) for testing.
> My server certificate is from Start SSL and is recognized as okay on Linux

Just to be sure: create a new, additional profile for testing: http://support.mozilla.org/kb/Managing%20profiles and visit your page with this profile. It should work without giving you an SSL error. Are there no logs on the server that would explain why the server rejects the certificate? Thanks for the offer with the test certificate, but I don't have an OS X system yet and I'm the wrong one to debug this further.
Component: Security → Security: PSM
Matti, I now see the problem, and it's not Firefox. I had somehow gotten the SSL client CA cert out of sync with the generated client certs. I tried on my other, real site and both Firefox and Google Chrome do work as expected. Safari and Opera still don't work, but you can consider this Firefox bug as erroneous. I apologize for the waste of your time.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Chrome on Linux is using Mozilla's NSS libs, and it should work if Firefox works. I'm a little bit surprised that it works on OS X with Chrome if Safari fails.
Well, my check was pretty quick and I'm in the process of generating a new client cert for testing, but I'm pretty sure Safari still does NOT work but Firefox and Chrome DO. I'm still getting used to operating on Mac and it's difficult for me to actually see what browser I'm using--the title bars aren't much help and the tool bars are very similar (except for Firefox). I'll report back when I can test with a new client cert on the original test site.
Okay, Matti, the original problem was caused by my SSL client CA certificate, which had expired. I regenerated it and put it on my test site. I tested all 4 browsers again on Mac OS X with the following results:
Firefox (latest): success
Chrome (latest): success
Safari (latest): got to the public site okay, SSL env vars passed okay, could NOT access the private area
Opera (latest beta): could not import the SSL client certificate
Note the original Firefox error message was: (Error code: ssl_error_expired_cert_alert) I misread it as the client cert had expired, but it was the server cert with the signing key for the clients that had expired.
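The root cause identified above, a client CA certificate that had expired while the leaf certificates it signed were still within their own dates, reproduced as an added Go example; this is not code from the report or from Firefox/NSS. It constructs a CA and a client certificate with Go's standard crypto/x509 (names and dates are made up) and verifies the chain the way a server does for SSLVerifyClient, so the failure is attributed to the issuer rather than to the leaf.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BuildScenario constructs test data: a client CA expiring at caExpiry and a client cert it signed that is valid for one year from now.
func BuildScenario(now, caExpiry time.Time) (client, ca *x509.Certificate, err error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Client CA"},
		NotBefore:             now.AddDate(-1, 0, 0),
		NotAfter:              caExpiry,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER) // DER produced just above always parses
	clientPub, _, _ := ed25519.GenerateKey(rand.Reader)
	clientDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0), // the leaf itself is fine for a year
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, clientPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	client, _ = x509.ParseCertificate(clientDER)
	return client, ca, nil
}

// VerifyClientChain chains a presented client cert to the configured CA as of `now`, as the server does for SSLVerifyClient; an expired CA fails here even though the leaf's dates are fine.
func VerifyClientChain(client, ca *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := client.Verify(opts)
	return err
}
```

With the CA's NotAfter one month in the past the verify error names the CA as expired; regenerating the CA with a future NotAfter makes the same leaf verify, which is exactly the fix described in the comment above.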
Thank you for that information! I guess you have to contact the other browser vendors :-) And yes, the Gecko/Firefox error message is a little bit misleading...
Well, the bug report for Opera is unchanged, and the one for Safari is changed but slightly--I'll update it.