Bug 1234693

Summary: Client Certificate Authentication in Firefox Broken.
Product: Red Hat Enterprise Linux 7 Reporter: Heather C <heather-choi>
Component: firefoxAssignee: Martin Stransky <stransky>
Status: CLOSED WORKSFORME QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.1CC: kengert
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-26 16:01:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Heather C 2015-06-23 05:04:47 UTC 
Description of problem:
Unable to leverage Client Certificate Authentication in Firefox against website negotiating at TLS 1.2.

Version-Release number of selected component (if applicable):
firefox-38.0-3

How reproducible:


Steps to Reproduce:
1.  Import certificate.
2.  Access website with TLS 1.2 enabled.  Connection fails.
3. Modify security.tls.version.max to 2 in about:config (max TLS 1.1)
4. Successful connection.

Actual results:
TLS 1.1 is successful, TLS 1.2 fails.

Expected results:

Client certificate authentication should work with both TLS versions.
Additional info:
Comment 2 Heather C 2015-06-23 05:10:24 UTC 
Forgot to mention, website is enabled as client certificate required.
Comment 3 Martin Stransky 2015-06-23 09:25:43 UTC 
Kai, can you elaborate here please? Thanks!
Comment 4 Kai Engert (:kaie) (inactive account) 2015-06-23 16:23:41 UTC 
I need more details.

What's the error message that firefox displays (technical details)?

Did it ever work with Firefox?
What's the last version of Firefox that previously worked for you?

If you were successful with an earlier version of Firefox, did that earlier version of Firefox work with TLS 1.2 enabled?

Ideally I'd need a trace of a failing connection to the server.

On the machine where you run firefox, you could run a local transparent proxy that can be used to produce a trace:

ssltap -s -l -p 1924 server-hostname:443 2>&1 | tee /tmp/ssltap.log

(replace server-hostname with the hostname that you see in the URL/location bar at the time firefox shows a failure message, excluding the http:// and /path parts. E.g., if the url bar shows https://somehost.somedomain.com/some/path then use somehost.somedomain.com )

While the ssltap utility is running, to produce the trace, enter the following address in firefox:
  https://127.0.0.1:1924

Firefox complains that the hostname will mismatch. Add a temporary override in Firefox to proceed anyway. Now you should see that trace information is printed on the console that runs the ssltap utility. The same information is also saved to file /tmp/ssltap.log

Please attach file ssltap.log to this bug, and please also answer my questions above. Thanks
Comment 5 Heather C 2015-06-25 05:03:36 UTC 
Ok more details:


1. Remove all Firefox Security Devices except "Builtin Roots Module" and "NSS Internal PKCS #11 Module"
2. Import known working certificate into "Your Certificates".  This certificate is RSA 2048-bit SHA-2 256-bit.
3. Confirmed this is the only certificate in "Your Certificates"
4. Import all unique CAs (particularly those that may have issued or was in the chain for the certificate imported in step 2).
5. Confirm Firefox is negotiating at TLS 1.2 by resetting "security.tls.version.max" (3).
6. Access known website requiring client certificate authentication, with TLS 1.2 enabled (minimum TLS 1.0 allowed).

7. Certificate selection Window pops-up, select certificate imported in step 2.

Following error appears.

Secure Connection Failed
The connection to the server was reset while the page was loading.
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

8. Confirm, initial encrypted handshake is established.
   Lock icon appears next to https in address bar with the following:
      Website Identity
         Website: FQDN.
         Owner (none at class 1 StartCom certs)
         Verified by:   StartCom Ltd.

      Technical details
         Connection Encrypted (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.2)

9. modify security.tls.version.max to '2' and completely exit Firefox.
10. Relaunch firefox and Attempt steps 6 through 8 again
Successful access to the website, albeit at TLS 1.1 (or below).
      Technical details
         Connection Encrypted (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.1)
Assumptions:
Website's certificate's CN matches the FQDN, and site attempted is https://FQDN
Server Certificate is issued to known and trusted third party (in my case Startcom Class 1 intermediary), as SHA-2 256-bit 2048-bit.
Comment 6 Heather C 2015-06-25 05:12:52 UTC 
Also, the same website works on Windows 7 using latest version of IE11 and Chrome 42 (I think?)  as of 06-20-2015.  In fact with the same exact client certificate on a physical smart card even and both negotiate at TLS 1.2.  Not USB based, card based (but I have those as well).  Can't remember what the standard is (IEC 7816), but it looks like a credit card and using a Identiv SCR3311 USB card reader.

Chrome uses TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  IE11 gets TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Also the card's PKCS#11 middleware on RHEL 7.1 recreates the exact same scenario assuming the imported certificate in step 2 is deleted, and the PKCS#11 is added back from being removed from step 1.  I did this as a sanity check to take the PKCS#11 middleware out of the potential cause.
Comment 7 Heather C 2015-06-25 22:16:48 UTC 
Kai, is a packet trace still required?  If PFS is enabled, is a wireshark trace no good?  I can send you one perhaps by email, but I'd rather not post it on the bugzilla page directly for privacy reasons.
Comment 8 Heather C 2015-06-27 07:00:34 UTC 
So good news!
Whatever is in this update appears to have to fixed it:
https://rhn.redhat.com/errata/RHSA-2015-1185.html
Comment 9 Heather C 2015-06-27 07:04:33 UTC 
---> Package nss.x86_64 0:3.18.0-2.2.el7_1 will be updated
---> Package nss.x86_64 0:3.19.1-3.el7_1 will be an update
---> Package nss-sysinit.x86_64 0:3.18.0-2.2.el7_1 will be updated
---> Package nss-sysinit.x86_64 0:3.19.1-3.el7_1 will be an update
---> Package nss-tools.x86_64 0:3.18.0-2.2.el7_1 will be updated
---> Package nss-tools.x86_64 0:3.19.1-3.el7_1 will be an update
---> Package nss-util.x86_64 0:3.18.0-1.el7_1 will be updated
---> Package nss-util.x86_64 0:3.19.1-1.el7_1 will be an update
Comment 10 Heather C 2015-06-27 10:31:35 UTC 
Another note, a certificate stored on a PKCS#11 device, and the same certificate loaded on that device, along with the PKCS #11 .so security device loaded: Prior to the nss updates this also failed.

However with the updates, that too is now working.
Comment 11 Heather C 2015-06-27 10:37:19 UTC 
Finally, Firefox ESR 38 on Windows is also behaving similar as was with RHEL 7.1 Firefox ESR 38 without RHSA-2015-1185.
Cross posting for reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=1177987
Comment 12 Martin Stransky 2016-02-26 16:01:00 UTC 
Great, seems to be fixed now.