SSL client certificate not sent




5 years ago
10 months ago


(Reporter: Will Pittenger, Unassigned)


22 Branch
Windows 7

Firefox Tracking Flags

(Not tracked)




5 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130618035212

Steps to reproduce:

Freenode has a system they call CertFP that attempts to authenticate you to services with your client certificate.  I have ChatZilla set to use a certificate I created with OpenSSL.  I then told Freenode's NickServ about the certificate.  (They want the fingerprint.)  I'm told that the fingerprint should show up when I /whois myself.  It doesn't.  So the Freenode people tell me that the certificate isn't being sent.

I normally connect to IRC from my desktop with ChatZilla running under XUL Runner.  The version of XR included with the latest CZ XR builds appears to be 18.  (An ESR release?)  So I updated CZ to XR 22.  That didn't help the problem listed above.  I also tried it with CZ inside Firefox (which I normally don't use).  Same problem.

As I see it, any Mozilla Toolkit application would be affected.  Everything from Firefox to Thunderbird to Instantbird (if it is still out there).

Actual results:

1. Connect to Freenode using SASL, SSL, and a client certificate using an IRC client that supports all the above using the Mozilla Toolkit.

2. Do a /whois on yourself.

3. It doesn't include your certificate's fingerprint.

Expected results:

1. Connect to Freenode using SASL, SSL, and a client certificate using an IRC client that supports all the above using the Mozilla Toolkit.

2. Do a /whois on yourself.

3. The /whois output should include your certificate's fingerprint.

Comment 1

There is a pref somewhere in about:config about what to do when a client cert is asked for. The name escapes me at the moment. I'm not sure if it is an integer or boolean pref: meanings include "ask me", "send what seems best" and maybe (or maybe not) also "don't send". I'll try to find back the name of that pref but I can't say when.

SeaMonkey has a UI for it under "Edit → Preferences → Privacy & Security → Certificates → Client Certificate Selection" with radio buttons "Select Automatically" and "Ask Every Time". I don't know if a similar UI exists in Firefox, and I suppose that in XR there is no UI at all for it beyond about:config.

Current cZ version (as shown at top of the *client* tab) is The /client command makes that tab current (and opens it if necessary).

Comment 2

2 years ago
Will, did Tony's information solve your issue?
Flags: needinfo?(will.pittenger1+mozbugzilla)

Comment 3

2 years ago
Well, he didn't tell me what the pref is.  Also, I don't run cZ inside a browser.  So there probably won't be any UI.  As for Freenode, I turned off the CertFP option.  However, cZ does commonly ask for permission to use the certificate--even though I deleted the certificate's file and told cZ not to ask again.  There are times that the dialog asking for permission to use the certificate is behind other windows and I miss it.  I then think cZ is acting up and restart it.
Flags: needinfo?(will.pittenger1+mozbugzilla)

Comment 4

10 months ago
I just ran into this with Firefox 52.0.1 on MacOS Sierra. Oddly, I can load the site with my client certificate, but using `fetch` to the same host doesn't work.

Comment 5

10 months ago
I just tried with an XMLHttpRequest and it worked. Not sure if this is the same issue anymore. I can open a separate bug report if anyone's interested.