Bug 1312461 - [ESR45] OCSP verification request not triggered for a SSL client auth using the certificate.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: firefox
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Stransky
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-26 18:24 UTC by Asha Akkiangady
Modified: 2016-04-05 19:16 UTC
CC: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-15 09:05:59 UTC
Target Upstream Version:
Embargoed:

Description Asha Akkiangady 2016-02-26 18:24:57 UTC
Description of problem:
Accessing an SSL client auth page using certificates on the smart card is not triggering the OCSP request.

Version-Release number of selected component (if applicable):
firefox-45.0-0.11.el6_7.x86_64

How reproducible:


Steps to Reproduce:
1. Firefox is configured with Advanced -> Certificates -> 'Query OCSP responder servers to confirm the current validity of certificates' selected.
2. A smart card is enrolled with the RHCS TPS subsystem; the certificates on the smart card have the OCSP URL of the CA's OCSP.
3. Try to authenticate to an SSL client auth web page with the signing certificate on the smart card.

Actual results:
Authentication succeeds. There is no OCSP request for the signing certificate in the CA's debug log.

Expected results:
The signing certificate should be verified and an OCSP request should be triggered.

Additional info:
It works as expected with firefox-3.6.24-3.el6_1.x86_64 and xulrunner-1.9.2.24-2.el6_1.1.x86_64. All firefox/xulrunner versions after these do not send an OCSP request to the OCSP server for certificate verification.

Comment 3 Martin Stransky 2016-03-15 09:05:59 UTC
You say the latest working version is firefox-3.6? So I expect all recent ESR FF (17, 24, 38) are broken and no-one complains. 

We don't have any customer case opened for that, so this bug has no priority and it goes WONTFIX. If you have a patch for it we can propagate it upstream.

Comment 4 Asha Akkiangady 2016-03-15 18:17:27 UTC
The same problem persists even when the certificate is in Firefox's NSS certificate database.

Comment 5 David Sirrine 2016-03-21 19:10:18 UTC
Asha,

Does the issue exist when using any certificate for client auth, not just the signing cert? I know that the direction of one of our major consumers towards leveraging OCSP and their preference for mutually authenticated TLS with client auth would run into this particular instance, and it would be a show stopper for them.

Let me know if you want me to dig in more, but I can certainly see this as an issue. Especially as we move more CA functionality into IdM and folks implement more thoroughly. 

-- David

Comment 6 Christina Fu 2016-03-21 22:48:43 UTC
First of all, in case it's unclear, this is a serious security issue in my opinion if no workaround is found. It should not have been closed lightly.

I'm adding Bob and Elio (the NSS folks) to the cc list to see if they know anything about the issue.

Here is the ticket that I talked about in today's CS meeting, which I filed 18 months ago:
https://fedorahosted.org/pki/ticket/1178 Enrollment profiles standards/practice conformance
Looking at the included url, https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
I think it could be translated into multiple tickets; some may be as simple as editing an enrollment profile, but some may require code changes in the CA.

I do not know at this point if any of the Firefox behavior changes listed on the url could have caused the issue reported in this bug.

Comment 7 Asha Akkiangady 2016-03-22 12:01:38 UTC
I tested agent authentication to RHCS subsystems on firefox-45; an OCSP request is not made during client auth.
OCSP request is made only when I import certificate in Firefox Certificate Manager.

Comment 8 Bob Relyea 2016-04-05 19:16:23 UTC
So I'm trying to write the upstream bug, and I discussed this with Asha, but I'm not clear where things came down.

First, Firefox does not validate the client certificate, so we don't expect the client certificate to actually generate an OCSP request from firefox. If anyone checks the OCSP request, it's the server.

Firefox does check the OCSP request for the server's cert. That should still be happening (assuming the server has the OCSP extension).

This may be an issue, in which case it's not a client auth issue at all. It would be a problem with the new cert handler in firefox.

If Firefox is not presenting the client auth cert, then that could cause the server to not do the OCSP request. In that case I want to know exactly what the server configuration is that isn't sending the client auth cert when it used to.

I think the last paragraph is the actual bug that needs to be filed, but I'll need enough information to file it. Let's put it in this bug first.

bob
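To make Bob's point concrete, here is the check the relying party (the server, not Firefox) is expected to perform on a presented client certificate, run entirely offline with openssl. This is an added example, not code from the Bugzilla thread or from RHCS/Firefox: it uses a constructed test CA, a made-up responder URL (http://ocsp.example.test/ocsp), a fixed serial 0x1001 and constructed dates, and stands in for the "OCSP request in the CA's debug log" that the reporter was looking for.

```shell
#!/bin/sh
# Added example: server-side OCSP check of a client-auth certificate, offline.
# Constructed CA, client cert, AIA URL, serial and dates; nothing here is real.
set -e
WORK=$(mktemp -d) && cd "$WORK"

# Extensions for the client cert: clientAuth EKU and an AIA OCSP URL, which is
# what a relying party reads to find the responder (constructed URL).
cat > ext.cnf <<'EOF'
[ client ]
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/ocsp
EOF

# Constructed CA and client certificate; the fixed serial 0x1001 must match
# the serial column of the CA index written below.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Agent Smartcard User" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
  -days 365 -extfile ext.cnf -extensions client -out client.pem 2>/dev/null

# The responder URL the server would query, taken from the presented cert.
ocsp_uri() { openssl x509 -in client.pem -noout -ocsp_uri; }

# CA database row in openssl's index.txt format: V = valid, R = revoked
# (revocation time and reason in the third column). Dates are constructed.
write_index() {
  if [ "$1" = R ]; then
    printf 'R\t270101000000Z\t260301120000Z,keyCompromise\t1001\tunknown\t/CN=Agent Smartcard User\n' > index.txt
  else
    printf 'V\t270101000000Z\t\t1001\tunknown\t/CN=Agent Smartcard User\n' > index.txt
  fi
}

# Full round trip: build the OCSP request for client.pem, let the CA answer it
# from its index, then verify the response signature and chain before trusting
# the status. Prints "good" or "revoked"; fails if the response does not verify.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -reqout req.der >/dev/null
  openssl ocsp -index index.txt -rsigner ca.pem -rkey ca.key -CA ca.pem -noverify \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  out=$(openssl ocsp -respin resp.der -issuer ca.pem -cert client.pem -no_nonce -CAfile ca.pem 2>&1)
  echo "$out" | grep -q 'Response verify OK' || { echo "verify-failed"; return 1; }
  echo "$out" | awk -F': ' '/^client.pem: /{print $2}'
}

echo "responder URL in client cert: $(ocsp_uri)"
write_index V; echo "status before revocation: $(ocsp_status)"
write_index R; echo "status after revocation:  $(ocsp_status)"
```

The same three openssl ocsp steps, pointed at a real responder URL instead of a local index, are what a mutually authenticated TLS server needs to run (or have its TLS stack run) for the smart-card certificate to be revocation-checked at all.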