Red Hat Bugzilla – Bug 1312461
[ESR45] OCSP verification request not triggered for an SSL client auth using the certificate.
Last modified: 2016-04-05 15:16:23 EDT
Description of problem:
Accessing an SSL client auth page using certificates on the smart card is not triggering the OCSP request.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Firefox is configured with Advanced -> Certificates -> 'Query OCSP responder servers to confirm the current validity of certificates' selected.
2. A smart card is enrolled with the RHCS TPS subsystem; the certificates on the smart card have the CA's OCSP URL.
3. Try to authenticate to an SSL client auth web page with the signing certificate on the smart card.
Actual results:
Authentication succeeds. There is no OCSP request for the signing certificate in the CA's debug log.
Expected results:
The signing certificate should be verified and an OCSP request should be triggered.
It works as expected with firefox-3.6.24-3.el6_1.x86_64 and xulrunner-18.104.22.168-2.el6_1.1.x86_64. All the firefox/xulrunner versions after this do not send an OCSP request to the OCSP server for certificate verification.
You say the latest working version is firefox-3.6? So I expect all recent ESR FF (17, 24, 38) are broken and no-one complains.
We don't have any customer case opened for that, so this bug has no priority and it goes wontfix. If you have a patch for it we can propagate it upstream.
The same problem persists even when the certificate is in Firefox's NSS certificate database.
Does the issue exist when using any certificate for client auth? Not just the signing cert? I know that the direction of one of our major consumers towards leveraging OCSP and their preference for mutually authenticated TLS with client auth would run into this particular instance, and it would be a show stopper for them.
Let me know if you want me to dig in more, but I can certainly see this as an issue. Especially as we move more CA functionality into IdM and folks implement more thoroughly.
First of all, in case it's unclear, this is a serious security issue in my opinion if no workaround found. It should not have been closed lightly.
I'm adding Bob and Elio (the NSS folks) to the cc list to see if they know anything about the issue.
Here is the ticket that I talked about in today's CS meeting, which I filed 18 months ago:
https://fedorahosted.org/pki/ticket/1178 Enrollment profiles standards/practice conformance
Looking at the included url, https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
I think it could be translated into multiple tickets, some may be as simple as editing as an enrollment profile, but some may require code changes in the CA.
I do not know at this point if any of the Firefox behavior changes listed on the url could have caused the issue reported in this bug.
I tested agent authentication to RHCS subsystems on firefox-45; an OCSP request is not made during client auth.
An OCSP request is made only when I import the certificate in Firefox Certificate Manager.
So I'm trying to write the upstream bug, and I discussed this with Asha, but I'm not clear where things came down.
First, Firefox does not validate the client certificate, so we don't expect the client certificate to actually generate an OCSP request from Firefox. If anyone checks the OCSP request, it's the server.
Firefox does check the OCSP request for the server's cert. That should still be happening (assuming the server has the OCSP extension).
This may be an issue, in which case it's not a client auth issue at all. It would be a problem with the new cert handler in firefox.
If Firefox is not presenting the client auth cert, then that could cause the server to not do the OCSP request. In that case I want to know exactly what the server configuration is that isn't sending the client auth cert when it used to.
I think the last paragraph is the actual bug that needs to be filed, but I'll need enough information to file it. Let's put it in this bug first.
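The comment above places OCSP checking of the client certificate on the server, not the browser. The following is an added example (not code from this bug, Firefox, NSS or RHCS) of those server-side steps using the Python `cryptography` library: read the OCSP URL from the presented client cert's AIA extension, build the request, and accept the cert only on a signed, matching, fresh "good" answer. The CA, the client cert, the responder URL and the responder itself are all constructed in memory, so nothing is fetched over the network.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA_OID, ExtensionOID, NameOID

OCSP_URL = "http://ocsp.example.test/ocsp"  # constructed placeholder, not a real responder
DER, H = serialization.Encoding.DER, hashes.SHA256()
_now = lambda: datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)  # naive UTC
def make_pki():
    # Constructed test PKI: an EC CA plus one client cert whose AIA points at OCSP_URL.
    ca_key, key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    def base(cn, k):
        return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name("Example CA"))
                .public_key(k.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(_now() - datetime.timedelta(minutes=1))
                .not_valid_after(_now() + datetime.timedelta(days=1)))
    ca = base("Example CA", ca_key).add_extension(x509.BasicConstraints(True, None), True).sign(ca_key, H)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(AIA_OID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    return ca_key, ca, base("agent", key).add_extension(aia, False).sign(ca_key, H)

def ocsp_urls(cert):
    # Server side: read from the presented *client* cert where its status can be checked.
    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    return [d.access_location.value for d in aia if d.access_method == AIA_OID.OCSP]

def build_request(cert, issuer):  # the request the server, not the browser, sends to ocsp_urls(cert)
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build().public_bytes(DER)

def fake_responder(req_der, cert, issuer, issuer_key, revoked=False):
    # Stand-in for the CA's OCSP responder (constructed here; normally reached over HTTP).
    assert ocsp.load_der_ocsp_request(req_der).serial_number == cert.serial_number
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    b = ocsp.OCSPResponseBuilder().add_response(cert, issuer, hashes.SHA1(), status, _now(),
        _now() + datetime.timedelta(hours=1), _now() if revoked else None, None)
    return b.responder_id(ocsp.OCSPResponderEncoding.HASH, issuer).sign(issuer_key, H).public_bytes(DER)

def check_client_cert(resp_der, cert, responder_pub):
    # Server side: accept only a signed, matching, fresh answer; anything else fails closed.
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unavailable"
    responder_pub.verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        return "mismatch"
    if resp.next_update is not None and _now() > resp.next_update:
        return "stale"
    return resp.certificate_status.name.lower()  # "good" or "revoked"
```

A tampered response makes `verify` raise `InvalidSignature`, which is the right outcome: the client cert is rejected unless the CA's responder vouches for it.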