Bug 1312461 - [ESR45] OCSP verification request not triggered for a SSL client auth using the certificate.
[ESR45] OCSP verification request not triggered for a SSL client auth using t...
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: firefox (Show other bugs)
6.7
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Martin Stransky
Desktop QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-26 13:24 EST by Asha Akkiangady
Modified: 2016-04-05 15:16 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-15 05:05:59 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Asha Akkiangady 2016-02-26 13:24:57 EST
Description of problem:
Accessing a SSL client auth page using certificates on the smart card is not triggering the OCSP request.

Version-Release number of selected component (if applicable):
firefox-45.0-0.11.el6_7.x86_64

How reproducible:


Steps to Reproduce:
1. Firefox is configured with Advanced -> Certificates -> 'Query OCSP
responder servers to confirm the current validity of certificates' selected.
2. A Smart card is enrolled with RHCS TPS subsystem, certificates on the
smart card has ocsp url of CA's ocsp.
3.  Try to authenticate to a SSL client auth web page with signing certificate on the smart card.

Actual results:
Authentication is success. There is no ocsp request for the signing certificate in CA's debug log.

Expected results:
Signing certificate should be verified, ocsp request should be triggered.

Additional info:
It works as expected with firefox-3.6.24-3.el6_1.x86_64 and xulrunner-1.9.2.24-2.el6_1.1.x86_64. All the firefox/xulrunner versions after this does not send ocsp request to the ocsp server for certificate verification.
Comment 3 Martin Stransky 2016-03-15 05:05:59 EDT
You say the latest working version is firefox-3.6? So I expect all recent ESR FF (17, 24, 38) are broken and no-one complains. 

We don't have any customer case opened for that so this bug has no-priority and it goes wontfix. If you have a patch for it we can propagate it upstream.
Comment 4 Asha Akkiangady 2016-03-15 14:17:27 EDT
Same problem persist even when the certificate is in Firefox's nss certificate database.
Comment 5 David Sirrine 2016-03-21 15:10:18 EDT
Asha,

Does issue exist when using any certificate for client auth? Not just the signing cert? I know that the direction of one of our major consumers towards leveraging OCSP and their preference for mutually authenticated TLS with client auth would run into this particular instance, and it would be a show stopper for them. 

Let me know if you want me to dig in more, but I can certainly see this as an issue. Especially as we move more CA functionality into IdM and folks implement more thoroughly. 

-- David
Comment 6 Christina Fu 2016-03-21 18:48:43 EDT
First of all, in case it's unclear, this is a serious security issue in my opinion if no workaround found.  It should not have been closed lightly.

I'm adding Bob and Elio (the NSS folks) to the cc list to see if they know anything about the issue.

Here is the ticket that I talked about in today's CS meeting, which I filed 18 months ago:
https://fedorahosted.org/pki/ticket/1178 Enrollment profiles standards/practice conformance
Looking at the included url, https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
I think it could be translated into multiple tickets, some may be as simple as editing as an enrollment profile, but some may require code changes in the CA.

I do not know at this point if any of the Firefox behavior changes listed on the url could have caused the issue reported in this bug.
Comment 7 Asha Akkiangady 2016-03-22 08:01:38 EDT
I tested agent authentication to RHCS subsystems on firefox-45, ocsp request is not made during client auth. 
OCSP request is made only when I import certificate in Firefox Certificate Manager.
Comment 8 Bob Relyea 2016-04-05 15:16:23 EDT
So I'm trying to write the upstream bug, and I discussed this with Asha, but I'm not clear where things came done.

First, Firefox does not validate the client certificate, so we don't expect the client certificate to actually generate an OCSP request from firefox. If anyone checks the OCSP request, it's the server.

Firefox does check the OCSP request for the server's cert. That should still be happening (assuming the server has the OCSP extension).

This may be an issue, in which case it's not a client auth issue at all. It would be a problem with the new cert handler in firefox.

If Firefox is not presenting the client auth cert, then that could cause the server to not do the OCSP request. In that case I want to know exactly what the server configuration is that isn't sending the client auth cert when it used to.

I think the last paragraph is the actual bug that needs to be filed, but I'll need enough information to file it. Let's put it in this bug first.

bob

Note You need to log in before you can comment on or make changes to this bug.