| Summary: | [ESR45] OCSP verification request not triggered for a SSL client auth using the certificate. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Asha Akkiangady <aakkiang> |
| Component: | firefox | Assignee: | Martin Stransky <stransky> |
| Status: | CLOSED WONTFIX | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.7 | CC: | cfu, dsirrine, emaldona, rrelyea, stransky |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-03-15 09:05:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Asha Akkiangady
2016-02-26 18:24:57 UTC
You say the latest working version is firefox-3.6? So I expect all recent ESR FF (17, 24, 38) are broken and no-one complains. We don't have any customer case opened for that, so this bug has no priority and it goes wontfix. If you have a patch for it we can propagate it upstream.

Same problem persists even when the certificate is in Firefox's NSS certificate database.

Asha, does the issue exist when using any certificate for client auth? Not just the signing cert?

I know that the direction of one of our major consumers towards leveraging OCSP and their preference for mutually authenticated TLS with client auth would run into this particular instance, and it would be a show stopper for them. Let me know if you want me to dig in more, but I can certainly see this as an issue. Especially as we move more CA functionality into IdM and folks implement more thoroughly.

-- David

First of all, in case it's unclear, this is a serious security issue in my opinion if no workaround is found. It should not have been closed lightly. I'm adding Bob and Elio (the NSS folks) to the cc list to see if they know anything about the issue.

Here is the ticket that I talked about in today's CS meeting, which I filed 18 months ago: https://fedorahosted.org/pki/ticket/1178 "Enrollment profiles standards/practice conformance". Looking at the included url, https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes, I think it could be translated into multiple tickets; some may be as simple as editing an enrollment profile, but some may require code changes in the CA. I do not know at this point if any of the Firefox behavior changes listed on the url could have caused the issue reported in this bug.

I tested agent authentication to RHCS subsystems on firefox-45; the OCSP request is not made during client auth. The OCSP request is made only when I import the certificate in Firefox Certificate Manager.

So I'm trying to write the upstream bug, and I discussed this with Asha, but I'm not clear where things came down.

First, Firefox does not validate the client certificate, so we don't expect the client certificate to actually generate an OCSP request from Firefox. If anyone checks the OCSP request, it's the server.

Firefox does check the OCSP request for the server's cert. That should still be happening (assuming the server has the OCSP extension). This may be an issue, in which case it's not a client auth issue at all. It would be a problem with the new cert handler in Firefox.

If Firefox is not presenting the client auth cert, then that could cause the server to not do the OCSP request. In that case I want to know exactly what the server configuration is that isn't sending the client auth cert when it used to.

I think the last paragraph is the actual bug that needs to be filed, but I'll need enough information to file it. Let's put it in this bug first.

bob
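The comment above puts revocation checking of the client certificate on the server, not on Firefox. The block below is an added example, not code from this bug, from Firefox or from NSS, of what that server-side step needs: it reads the OCSP responder URL out of the presented client certificate's Authority Information Access extension and builds the RFC 6960 OCSP request for that certificate. It uses Python's `cryptography` package; the CA, the subject names and the responder URL are constructed for the demo.

```python
# Added example (not from this bug report, Firefox or NSS): what the server
# side of mutual TLS needs to ask an OCSP responder about a client cert.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

OCSP_URL = "http://ocsp.example.test/"  # constructed responder URL for the demo


def _cert(subject, issuer, pubkey, serial, sign_key, ext, critical):
    """Constructed one-day certificate with a single extension."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
            .public_key(pubkey).serial_number(serial)
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(ext, critical=critical)
            .sign(sign_key, hashes.SHA256()))


def make_demo_certs():
    """Constructed issuer CA plus a client-auth cert whose AIA points at OCSP_URL."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _cert("Demo CA", "Demo CA", ca_key.public_key(), 1, ca_key,
                    x509.BasicConstraints(ca=True, path_length=None), True)
    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    client_cert = _cert("agent", "Demo CA", client_key.public_key(), 4242, ca_key,
                        aia, False)
    return ca_cert, client_cert


def build_client_cert_ocsp_request(client_cert, issuer_cert):
    """Return (responder_url, DER OCSPRequest) for a client cert presented in the handshake."""
    aia = client_cert.extensions.get_extension_for_class(
        x509.AuthorityInformationAccess).value
    urls = [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP]
    if not urls:
        raise ValueError("client certificate carries no OCSP responder URL")
    # CertID per RFC 6960: hash(issuer name), hash(issuer key), serial; SHA-1 is
    # the hash responders interoperably accept for the CertID.
    req = ocsp.OCSPRequestBuilder().add_certificate(
        client_cert, issuer_cert, hashes.SHA1()).build()
    return urls[0], req.public_bytes(serialization.Encoding.DER)
```

The returned DER is what the server would POST to the responder URL; a missing AIA entry is reported rather than silently skipping the check.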