CAC Card - Auto Select Doesn't Work

On Tue, Jun 10, 2008 at 01:52:51PM -0000, arm-c wrote:
> Public bug reported:
>
> Binary package hint: firefox-3.0
>
> Firefox doesn't remember which certificate I select for a site and
> constantly asks me. Turning on the "Let Firefox Choose" when server
> asks for certificate results in wrong cert being sent.
>
> There should be a way to associate a CAC certificate with a certain
> site. Problem is I can't find out how to do that or override what
> Firefox chooses to send.
>
> This may not be a bug, but a feature that needs to be implemented... or
> it possibly is already there but I can't find a solution by searching
> web.
>

Is this about client certificates for authentication?

can you give us a simple step by step instruction like:

 1. do this
 2. do that
 3. see this result, while the expected result is like X

 status incomplete

 - Alexander

Alexander,

Thank you for the response.

"about client certificates for authentication?": Because I am unsure of terminology, I will try to be explicit. This is about how firefox handles "certificate" requests from servers when queried. My certificates are good and work, but require constantly selecting the correct certificate.

I had no problem setting up my CAC card for use with Linux / Firefox (DoD plugin pulled all certs that I needed and installed them to firefox). Fairly straight forward process with some excellent guides online.

WHAT AM I DOING: I connect to my work email through an outlook web access server. Since there are certain security concerns, the site now uses the CAC card to provide certificates to access the site.

WHAT I DO / SEE:

a. I connect to the URL. I SEE a dialog box prompting me for my CAC PIN which is required to access my card and verify that I am the proper owner of the card.
b. I enter my PIN. I SEE a dialog box showing me the certificate that FIREFOX wants to respond with (There are two on my card -- one normal and one tagged email).
c. I select the second certificate because that is the one required for this site. It always defaults to wrong certificate until I choose one for the first time. I would like to note, that I am prompted multiple times for the certificate, as I believe the site is pulling data from separate areas, each requesting a certificate. I SEE finally outlook web access (OWA) interface.
d. While working in OWA, if I reply to an email, open calendars, tasks, etc... I am prompted to select the certificate... sometimes multiple times in a row. WHAT I SEE is that after a certain amount of time, firefox starts presenting me with the correct certificate as its default selection (supports my thought that there are multiple queries for the certifcate from different sources).

The above notes are what occurs on default firefox setting (choose certificate everytime firefox is asked). If I wait until I see all of my certificate requests are defaulting to "email certificate" and then change the default setting of firefox to "let firefox choose the certificate to respond with", it works flawlessly with out any other problems.

If I change the default settings to "Let Firefox Choose" prior to connecting to site, FIREFOX ALWAYS chooses the wrong certificate and I am locked out of the site. NOTE, that this is after a restart of firefox that this occurs and not if I changed the settings after getting through the initial series of "selecting" the certificate.

MY BELIEF:

1. Firefox has a bug in how it handles certificate requests. It is not processing the request properly, so always defaults to wrong certificate.

AND OR

2. Firefox is supposed to learn and remember the proper certificate selected for the site and fails to do that, so switching to "letting firefox choose" fails once it learns because it forgets the association with the site.

OR

3. Firefox doesn't have the requiste functionality yet to handle the certificates learning and it needs to be requested as a new feature. If it needs to be implemented, the certificate handling should have another option in which it asks fo...

Since it's been a very long time since any additional info was added to this bug, I'm just checking to see if this is still an issue, and find out what additional work should be done on this bug.

This is still an issue with 3.0. I would love to be able to work directly with someone to ID what needs to be done in order to resolve this.

v/r

I would like to join in this quest, because it's really annoying when it comes to this. Especially on sites which validate every move you make with a certificate. Is there perhaps a firefox add-in for this (e.g. proxy switcher)?

Aljaz, I am glad to see that there is someone else that has this issue / similar issue. I wish I knew how to get this into an actively worked status.

It is still a significant anoyance to me.

We could annoy developers here ;) or we start developing (and before that learning how to do it). I haven't yet had the time to refresh content on mozilla forums. I once read (back in the 1.5 version times) there that it was kind of planned for the 3.0 series but apparently there are but a few users that have this problem so it is yet to be tackled with.

Well, I hadn't seen that. It is quite annoying... and even more so that MS IE handles things correctly.

There essentially should be a select once for a site and then stick with it.

Where are you in the world?

 Respectfully,
Arick R. McNiel-Cho

________________________________
From: Aljaz Prusnik <email address hidden>
To: <email address hidden>
Sent: Monday, February 9, 2009 12:41:29 PM
Subject: [Bug 238861] Re: CAC Card - Auto Select Doesn't Work

We could annoy developers here ;) or we start developing (and before
that learning how to do it). I haven't yet had the time to refresh
content on mozilla forums. I once read (back in the 1.5 version times)
there that it was kind of planned for the 3.0 series but apparently
there are but a few users that have this problem so it is yet to be
tackled with.

--
CAC Card - Auto Select Doesn't Work
https://bugs.launchpad.net/bugs/238861
You received this bug notification because you are a direct subscriber
of the bug.

Yup, IE does exactly that! Choose once - use for the session. I needed that feature while testing numerous different certificates for our Tax Administration (e-Taxes). In Firefox this was non-doable. But now, I'm a multi certificate user myself (different e-banks, different certificates) and it's a real pain to do the choosing every time the validation is due. Come to think of it, the e-banking sites are made quite simple, asking you a couple of times, whilst at e-Taxes we validated the user for every element of the page (just to be paranoidly secure ;) ).

I'm from Slovenia, BTW.

Well, the MS Outlook Web Access client I access work through appears to validate nearly every element also. Sounds same as your situation, but with different web-application.

While I can use IE at work, at home I am a linux user, so Firefox is my primary browser. Besides that, I prefer FF over IE even on windows platform. Frustrating.

I wish I was a qualified programmer and able to do that level of code. I'd try to pull the source code and go for it... sadly, I am not and am just learning to program using Python. I have published a small GUI/Python Script program on sourceforge for users of AcerHK Driver (http://acerhkgui.sourceforge.net), but is NOTHING more than a VERY basic script.

Slovenia. :) Former Yugoslavia. I thought that was a slovik name. I (painfully) studied Czech for a year. An intensive course of 6hrs of instruction a day + homework afterward. For all that pain, one would think I could speak, but my intended purpose of studying in Brno for a year didn't happen so I haven't used the language since then... and it has faded.

Slovenia is supposed to be a very beautiful area. Even more so because you all were not caught up in the Yugoslavia breakup disaster of Kosovo / Croatia / Serbia / Bosnia mess.

You mentioned writing code. Are you a programmer? What language do you work with?

Arick

 Respectfully,
Arick R. McNiel-Cho

________________________________
From: Aljaz Prusnik <email address hidden>
To: <email address hidden>
Sent: Sunday, February 15, 2009 1:33:15 PM
Subject: [Bug 238861] Re: CAC Card - Auto Select Doesn't Work

Yup, IE does exactly that! Choose once - use for the session. I needed
that feature while testing numerous different certificates for our Tax
Administration (e-Taxes). In Firefox this was non-doable. But now, I'm a
multi certificate user myself (different e-banks, different
certificates) and it's a real pain to do the choosing every time the
validation is due. Come to think of it, the e-banking sites are made
quite simple, asking you a couple of times, whilst at e-Taxes we
validated the user for every element of the page (just to be paranoidly
secure ;) ).

I'm from Slovenia, BTW.

--
CAC Card - Auto Select Doesn't Work
https://bugs.launchpad.net/bugs/238861
You received this bug notification because you are a direct subscriber
of the bug.

I have done some firefox bugzilla reading and here's what I found:
https://bugzilla.mozilla.org/show_bug.cgi?id=395399

It's still unresolved.

This is precisely the problem and people have been all over the issue and even addressed means to get it to work properly but have done nothing to it. It is still the same for years!

I'm a little frustrated seeing that... but it also explains more about the issue.

BTW, did you know that after you select the right cert and then goto prefs and turn off the "always ask" it will continue to use the correct certificate?

I'm not at the point where I would presume to dive into the code and try to fix it... but it really does need to ask "just once" for each session or permit a person to align a particular site to a particular certificate.

Sounds easy... doesn't it?? LOL

 Respectfully,
Arick R. McNiel-Cho

________________________________
From: Aljaz Prusnik <email address hidden>
To: <email address hidden>
Sent: Monday, March 9, 2009 4:40:53 PM
Subject: [Bug 238861] Re: CAC Card - Auto Select Doesn't Work

I have done some firefox bugzilla reading and here's what I found:
https://bugzilla.mozilla.org/show_bug.cgi?id=395399

It's still unresolved.

--
CAC Card - Auto Select Doesn't Work
https://bugs.launchpad.net/bugs/238861
You received this bug notification because you are a direct subscriber
of the bug.

Does this bug still exist?

This is no more a supported version