Closed Bug 963354 Opened 10 years ago Closed 4 years ago

add support for using client certificates that come from the OS X keychain

Categories

(Core :: Security: PSM, enhancement, P3)

x86_64
macOS
enhancement


RESOLVED DUPLICATE of bug 1586915

People

(Reporter: noloader, Unassigned)

References

(Blocks 3 open bugs)

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

Import a certificate and private key into OS X's Keychain. In my case, I have a Startcom (https://www.startcom.org/) user certificate and private key already installed. The user certificate and private key were installed 6 months or 1 year prior to installing Firefox.

Ensure Firefox has access to the certificate and private key. To do so, select "Keychain Access", select the Certificate and then "Get Info". Then, on the Access tab, ensure the Firefox binary is listed.

I visited a secure area (https://www.startssl.com/?app=12), and clicked on the upper left button "Authenticate".

**********

Actual results:

Firefox could not establish a secure channel. The reasons given were:

----------
Secure Connection Failed

An error occurred during a connection to auth.startssl.com. SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert)
----------

A Wireshark trace shows Firefox never sends the certificate for the site. Firefox sends the Certificate message as expected after the server sends the Server Done message, but the client's Certificate message has 0 certificates.

A screen capture of the relevant Wireshark frame is available on SuperUser.com (see below under "Additional Information").

**********

Expected results:

Firefox should have sent the certificate for the site.

**********

Additional Information:

Additional info: screen captures of the issue can be found at: https://superuser.com/questions/706040/firefox-secure-connection-failed-and-client-certificate.

In the past, this worked fine with Safari. Unfortunately, Safari is broken for me at the moment.

I was able to verify the certificate and private key with both Peter Gutmann's `dumpasn1` and OpenSSL's `x509` utility. I'm fairly certain the certificate and private key are well formed.

I searched Preferences -> Security and Preferences -> Advanced, and I could not find anywhere to enable/disable Keychain access. So I don't believe I've inadvertently disabled something. (But it could well be a case of me being too dumb to operate Firefox properly).

Mac OS X 10.8.5 (x64). Fully updated.

$ uname -a
Darwin riemann.home.pvt 12.5.0 Darwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 x86_64

Firefox 26.0. Fully updated.

**********

Possible Related Bugs:

"SSL client certificate not sent", https://bugzilla.mozilla.org/show_bug.cgi?id=891550. In the 550 bug, I don't use the programs discussed, such as ChatZilla. So I can't determine anything from the report.

"SSL Client Certificate Fails with Firefox on Mac OS X", https://bugzilla.mozilla.org/show_bug.cgi?id=801110. The 110 bug may be related since they both talk of a Start SSL certificate. But I'm getting a different error code and message.

"Nightly wants to use your confidential information stored in "lpsafari" in your keychain", https://bugzilla.mozilla.org/show_bug.cgi?id=753331. I can't tell what to make of the 331 bug. I don't use LastPass, so it's probably a moot point.
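As an added illustration, not part of the bug report or of Firefox's code: the Wireshark observation above amounts to checking how many entries the client's Certificate handshake message carries. The parser below counts them for the TLS 1.0 to 1.2 Certificate format (RFC 5246) and also recognises the fatal handshake_failure alert the server answered with; all sample records are constructed here, not captured traffic, and the one "certificate" is placeholder bytes, not real DER.

```python
import struct

# TLS 1.0-1.2 content types and codes used below (RFC 5246).
CT_ALERT, CT_HANDSHAKE = 0x15, 0x16
HS_CERTIFICATE, ALERT_HANDSHAKE_FAILURE = 0x0B, 40


def parse_certificate_chain(record: bytes) -> list:
    """Return the DER blobs in a Certificate handshake record ([] = zero certs sent)."""
    if len(record) < 9 or record[0] != CT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != HS_CERTIFICATE:
        raise ValueError("not a complete Certificate handshake message")
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("handshake length mismatch")
    chain_len = int.from_bytes(body[4:7], "big")
    chain = body[7:7 + chain_len]
    if len(chain) != chain_len:
        raise ValueError("certificate_list length mismatch")
    certs, pos = [], 0
    while pos < len(chain):  # each entry: 3-byte length followed by DER bytes
        clen = int.from_bytes(chain[pos:pos + 3], "big")
        der = chain[pos + 3:pos + 3 + clen]
        if len(der) != clen:
            raise ValueError("truncated certificate entry")
        certs.append(der)
        pos += 3 + clen
    return certs


def build_certificate_record(certs: list) -> bytes:
    """Encode a TLS 1.2 Certificate message; used here only to construct samples."""
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(chain).to_bytes(3, "big") + chain
    hs = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE, 3, 3]) + struct.pack("!H", len(hs)) + hs


def is_handshake_failure_alert(record: bytes) -> bool:
    """True for an Alert record whose description is handshake_failure(40)."""
    return len(record) >= 7 and record[0] == CT_ALERT and record[6] == ALERT_HANDSHAKE_FAILURE


# Constructed samples, not captured traffic: the empty chain the report describes,
# a chain with one placeholder (not real DER) entry, and the server's fatal alert.
EMPTY_CLIENT_CERT = build_certificate_record([])
ONE_CERT = build_certificate_record([b"\x30\x03\x02\x01\x01"])
SERVER_ALERT = bytes([CT_ALERT, 3, 3, 0, 2, 2, ALERT_HANDSHAKE_FAILURE])
```

`parse_certificate_chain(EMPTY_CLIENT_CERT)` returns an empty list, which is the "0 certificates" symptom the trace showed; a TLS 1.3 Certificate message has a different layout and is out of scope here.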
Hardware: x86 → x86_64
Yes, we don't support doing this yet. I would like to though.
Severity: normal → enhancement
Component: Untriaged → Security: PSM
Product: Firefox → Core
Whiteboard: [DUPEME]
Blocks: 308863
Blocks: 279913
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Cannot use Client Certificate stored in Mac OS X Keychain (or cannot figure out how to do it) → add support for using client certificates that come from the OS X keychain
Whiteboard: [DUPEME] → [psm-backlog]
Version: 26 Branch → unspecified

This is a requirement for using Firefox on Google corporate macs. In addition, there's a flag set on the certificate in the keychain to prevent exporting the private key. I suspect that wouldn't be particularly easy to work around.

Sorry, I am not sure if we have some process for tracking enterprise bugs, but this seems important for people using Firefox for work on macOS.

Flags: needinfo?(mozilla)

Yes, it's supposedly being worked on by the team.

Flags: needinfo?(mozilla)

If this feature is going to be introduced, what's the future of working with smart card through PKCS#11 interface?

We could not use Firefox inside our organization effectively because of this issue. Support for this is much required. Kindly expedite if possible.
The priority needs to be raised.

(In reply to karthi6624 from comment #11)

We could not use Firefox inside our organization effectively because of this issue. Support for this is much required. Kindly expedite if possible.
The priority needs to be raised.

Have a look at https://github.com/mozkeeler/osclientcerts. I believe this code will eventually be incorporated into Firefox.

Flags: needinfo?(dkeeler)

This will be available in Firefox 75 - flip the pref security.osclientcerts.autoload.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → DUPLICATE