[Bug 1071298] New: openSUSE Firefox-57 can't use x509 client authentication
http://bugzilla.suse.com/show_bug.cgi?id=1071298

            Bug ID: 1071298
           Summary: openSUSE Firefox-57 can't use x509 client authentication
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.3
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Firefox
          Assignee: bnc-team-mozilla@forge.provo.novell.com
          Reporter: duge@pre-sense.de
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

I hope this is the right place for this.

If I use Firefox-57 from the download.opensuse.org Mozilla repo on openSUSE 42.3, I can't use x509 client authentication anymore.
https://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.3/

Instead of a dialog asking me to choose a certificate, I'm getting this message:

| Secure Connection Failed
|
| An error occurred during a connection to intern.pre-sense.de. SSL peer
| was unable to negotiate an acceptable set of security parameters.
| Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
|
| The page you are trying to view cannot be shown because the
| authenticity of the received data could not be verified.
| Please contact the website owners to inform them of this problem.

ATTENTION: This is the same message as if you don't have any x509 client certificate installed in Firefox. So make sure to import your certificate into Firefox before testing.

For testing create an account at https://www.cacert.org, get a certificate and enable it for authentication with CaCert. Then try to log in via client certificate.

It's not working with:
- Firefox-57 from https://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.3/

It's working with:
- The official Firefox-52.5.0 from openSUSE-42.3
- Firefox-57 downloaded directly from Mozilla: https://ftp.mozilla.org/pub/firefox/releases/57.0.1/linux-x86_64/
- The official Firefox-57.0.1 on openSUSE-Tumbleweed-KDE-Live-x86_64-Snapshot20171204-Media.iso

I installed the following packages from the download.opensuse.org Mozilla repo (also tested with Firefox-57.0.1 a few minutes ago):

MozillaFirefox-57.0-4.2.x86_64
MozillaFirefox-branding-openSUSE-45-3.1.x86_64
MozillaFirefox-translations-common-57.0-4.2.x86_64
libnsssharedhelper0-1.0.10-1.1.x86_64
libsoftokn3-3.33-2.1.x86_64
libfreebl3-3.33-2.1.x86_64
mozilla-nspr-4.17-1.1.x86_64
mozilla-nspr-devel-4.17-1.1.x86_64
mozilla-nss-3.33-2.1.x86_64
mozilla-nss-devel-3.33-2.1.x86_64
mozilla-nss-certs-3.33-2.1.x86_64

I maybe got one little clue what's wrong:

In Firefox-57 from mozilla.org and Tumbleweed-20171204
Settings -> Advanced -> Certificates -> Security Devices -> Software Security Device -> Status
says: Ready

In Firefox-57 from that download.opensuse.org Mozilla repo Status says: Not Logged In

If I click "Log In" Firefox asks for the master password and afterwards the status is "Logged In". But I don't get status "Ready".

Additionally in Firefox-52.5.0 from the normal openSUSE-42.3 repos, the value for "FW Version" is "6.0". But for Firefox-57 from mozilla.org, download.opensuse.org->mozilla and Tumbleweed-20171204 "FW Version" is "0.0". Nevertheless, Firefox-57 from mozilla.org and Tumbleweed are working fine for x509 client authentication.

--
You are receiving this mail because:
You are on the CC list for the bug.

Moritz Duge <duge@pre-sense.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|Other                       |x86-64
                 OS|Other                       |openSUSE 42.3

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c3

Wolfgang Rosenauer <wolfgang@rosenauer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wolfgang@rosenauer.org
              Flags|                            |needinfo?(duge@pre-sense.de)

--- Comment #3 from Wolfgang Rosenauer <wolfgang@rosenauer.org> ---
Trying to reproduce. What is your error behaviour on cacert.org?

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c4

--- Comment #4 from Wolfgang Rosenauer <wolfgang@rosenauer.org> ---
I get an SSL_ERROR_HANDSHAKE_FAILURE_ALERT error on that page and I see the same "Logged in" vs. "Ready" issue in the NSS management module.
But I only can reproduce on 42.3 while Tumbleweed having the same source package for Firefox does not show the issue for me.

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c5

Moritz Duge <duge@pre-sense.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(duge@pre-sense.de)|

--- Comment #5 from Moritz Duge <duge@pre-sense.de> ---
(In reply to Wolfgang Rosenauer from comment #3)
> Trying to reproduce. What is your error behaviour on cacert.org?

The error is: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
While on other Firefox builds the site is asking for authentication via x509.

Please reopen "needinfo" if that's not what you wanted to know.

(In reply to Wolfgang Rosenauer from comment #4)
> I get an SSL_ERROR_HANDSHAKE_FAILURE_ALERT error on that page and I see the same "Logged in" vs. "Ready" issue in the NSS management module.
> But I only can reproduce on 42.3 while Tumbleweed having the same source package for Firefox does not show the issue for me.

Exactly. Only the build from the "mozilla" repo has that problem.
I already tried to find out what's causing the problem in the "mozilla" repo by looking at
https://build.opensuse.org/package/show/mozilla/firefox57
But I couldn't get an idea.

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c6

--- Comment #6 from Wolfgang Rosenauer <wolfgang@rosenauer.org> ---
The mozilla repo is not the problem. I'm also using FF from that repo on Tumbleweed. So it's a build or runtime thing.
The next thing I'll try is to run Firefox built for 42.3 on Tumbleweed and see how it behaves to compare build vs. runtime.

C. Holm <them4z@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |them4z@gmail.com

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c7

--- Comment #7 from Wolfgang Rosenauer <wolfgang@rosenauer.org> ---
I now tested Firefox from mozilla built for 42.3 on Tumbleweed and it seems to work. It says "standby" but I wasn't able to test with a real client certificate.
The CACert testcase still fails for me but this might have different reasons still.

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c8

Wolfgang Rosenauer <wolfgang@rosenauer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(duge@pre-sense.de)

--- Comment #8 from Wolfgang Rosenauer <wolfgang@rosenauer.org> ---
So in case you are able to test a similar thing (42.3 packages on TW) you could help to verify if it really works. If it does there is only a runtime difference. While I currently would have no idea what that might be.

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c9

Moritz Duge <duge@pre-sense.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(duge@pre-sense.de)|

--- Comment #9 from Moritz Duge <duge@pre-sense.de> ---
(In reply to Wolfgang Rosenauer from comment #7)
> I now tested Firefox from mozilla built for 42.3 on Tumbleweed and it seems to work. It says "standby" but I wasn't able to test with a real client certificate.
> The CACert testcase still fails for me but this might have different reasons still.

I also tested Firefox from mozilla-42.3 on openSUSE-Tumbleweed-KDE-Live-x86_64-Snapshot20180106-Media.iso. And I was able to reproduce the error with this setup!

Actually it was a little tricky to install the current RPMs from the mozilla-42.3 repo, because they have exactly the same version numbers as the current Tumbleweed RPMs.
Trick:
1. First install Firefox from standard repos to pull all dependencies
2. then disable all Tumbleweed standard repos
3. then reinstall all packages from the mozilla-42.3 repo.

So do you think this might have been the reason why Firefox from mozilla-42.3 seemed to work for you on Tumbleweed?
Alternatively you may repeat your test with a real certificate installed. Else Firefox might not behave as needed to reproduce this bug.

After 1. I did a short test with the Tumbleweed standard Firefox and x509 authentication worked fine!

I also tested Firefox-57 from the Tumbleweed repo on my openSUSE-42.3 system (had to install updated libz1 from Tumbleweed repo too). And then x509 authentication works.

(In reply to Wolfgang Rosenauer from comment #8)
> So in case you are able to test a similar thing (42.3 packages on TW) you could help to verify if it really works. If it does there is only a runtime difference. While I currently would have no idea what that might be.

Concluding my test results I'm pretty sure this is a problem when building Firefox-57 in the mozilla repo against openSUSE-42.3. Mostly because installing the mozilla-Tumbleweed Firefox-57 instead of the mozilla-42.3 Firefox-57 on openSUSE-42.3 solves the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c10

--- Comment #10 from Wolfgang Rosenauer <wolfgang@rosenauer.org> ---
I'm pretty sure I've got the right packages installed to test. But I only was able to look at the certificate module manager. For some reason my cacert access is not working anyway. Firefox is telling me that the algorithms are disabled for security reasons.

But if I understand you correctly:
The TW version from mozilla works on 42.3 correctly while the 42.3 version on TW and 42.3 does not, right?

Both are built from the same sources and spec so a guess would be some miscompilation. Have you also switched all the NSS packages or just Firefox?

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c11

--- Comment #11 from Moritz Duge <duge@pre-sense.de> ---
(In reply to Wolfgang Rosenauer from comment #10)
> I'm pretty sure I've got the right packages installed to test. But I only was able to look at the certificate module manager. For some reason my cacert access is not working anyway. Firefox is telling me that the algorithms are disabled for security reasons.

You're getting this error?

| Your connection is not secure
| [...]
| ADVANCED
| secure.cacert.org uses an invalid security certificate. The certificate is
| not trusted because it was signed using a signature algorithm that was
| disabled because that algorithm is not secure. Error code:
| SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

That actually seems to be a misconfiguration by CaCert or maybe it's a misunderstanding by Firefox, because the CaCert root CA isn't in Firefox by default and uses MD5 (for a root CA itself it's still OK to use MD5, but Firefox just doesn't know that CaCert is a root CA).
Just click ADD_EXCEPTION and disable PERMANENTLY_STORE_THIS_EXCEPTION for the moment.

> But if I understand you correctly:
> The TW version from mozilla works on 42.3 correctly while the 42.3 version on TW and 42.3 does not, right?

Yes! Like that.

> Both are built from the same sources and spec so a guess would be some miscompilation. Have you also switched all the NSS packages or just Firefox?

For both tests (Firefox for TW on 42.3 and Firefox for 42.3 on TW) I installed all the NSS packages from mozilla. Actually I switched every required package to the mozilla repo, if available from that repo.

MozillaFirefox
MozillaFirefox-branding-openSUSE
kmozillahelper
libfreebl3
libnsssharedhelper0
libsoftokn3
mozilla-nspr
mozilla-nspr-devel
mozilla-nss
mozilla-nss-devel
mozilla-nss-certs

The only idea I'm currently having:
Maybe Firefox-57 (or one of the just listed packages) needs to be built against libz1 >= 1.2.9 (TW has libz1-1.2.11)!? Because on 42.3 I needed to update libz1 from 1.2.8 to >= 1.2.9 to make Firefox-57 work.

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c12

--- Comment #12 from Wolfgang Rosenauer <wolfgang@rosenauer.org> ---
(In reply to Moritz Duge from comment #11)
> (In reply to Wolfgang Rosenauer from comment #10)
> You're getting this error?

currently I get this one:
SSL_ERROR_HANDSHAKE_FAILURE_ALERT
(cleartext translation something like security parameters cannot be aligned)

> That actually seems to be a misconfiguration by CaCert or maybe it's a misunderstanding by Firefox, because the CaCert root CA isn't in Firefox by default and uses MD5 (for a root CA itself it's still OK to use MD5, but Firefox just doesn't know that CaCert is a root CA).
> Just click ADD_EXCEPTION and disable PERMANENTLY_STORE_THIS_EXCEPTION for the moment.

I have the CACERT Root CA in my browser since forever and just confirmed that.

> The only idea I'm currently having:
> Maybe Firefox-57 (or one of the just listed packages) needs to be built against libz1 >= 1.2.9 (TW has libz1-1.2.11)!? Because on 42.3 I needed to update libz1 from 1.2.8 to >= 1.2.9 to make Firefox-57 work.

hmm, I have
wolfi@Hygiea:~> rpm -q libz1
libz1-1.2.8-13.15.x86_64
on my 42.3 system.

I'm running out of ideas :-(

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c13

Héctor Sanjuán <code@hector.link> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |code@hector.link

--- Comment #13 from Héctor Sanjuán <code@hector.link> ---
I think I am experiencing this issue as well, albeit with the Estonian eID card using OpenSC pkcs11 driver.

It seems that Firefox-57 builds from the Mozilla repository in openSUSE 42.3 are unable to show the certificate selection window, even though the certificates appear in the certificate explorer and the PIN is correctly requested.

From my tests:

* Logins DON'T work on openSUSE 42.3 when the "Ask every time" configuration option for certificates is enabled.
* Logins work on openSUSE 42.3 when the "Select one automatically" configuration option for certificates is enabled.
* Logins work (and certificate selection window shows) on a Tumbleweed system
* Logins work (and certificate selection window shows) on openSUSE 42.3 with the Firefox Tumbleweed package installed, along with some dependencies (listed here: https://usercontent.irccloud-cdn.com/file/Ck7DIA6R/changed-deps)

Looking at the deps involved, this is either a zlib or dbus issue.

Wolfgang Rosenauer <wolfgang@rosenauer.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c17

--- Comment #17 from Moritz Duge <duge@pre-sense.de> ---
Side note: x509 authentication works in Firefox-60 from openSUSE-42.3 OSS.

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c18

Andreas Stieger <astieger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
         Resolution|---                         |FIXED

--- Comment #18 from Andreas Stieger <astieger@suse.com> ---
Thank you for confirming. Resolving as fixed.

http://bugzilla.suse.com/show_bug.cgi?id=1071298#c19

--- Comment #19 from Moritz Duge <duge@pre-sense.de> ---
(In reply to Andreas Stieger from comment #18)
> Thank you for confirming. Resolving as fixed.

I actually was only confirming for Firefox-60-ESR from the main OSS repo of openSUSE-42.3 and not the mozilla repo.
But I just did a test for Firefox-60 (non ESR) from the mozilla repo and the bug also seems to be gone here.