A couple of us have had the pleasure of experimenting with the Thawte freemail cert generation pages on Microsoft Vista ...
I'll skip the IE 7 problems.
The Mozilla Firefox generation works, but Thawte apparently isn't returning the certificate in a form that Firefox understands; it comes back as a .spc, or some kind of PKCS#7 file, and never gets imported.
It can kind of look like a Windows function is stepping in and intercepting the .spc file (it looks like a version of one of those Windows computer management consoles appears). It might even work to install the certificate, but of course the private key is absent in the Windows crypto store. Perhaps Firefox attempts to figure out what kind of file it is, doesn't know, and drops into Windows file management. The file management window that Firefox displays says Open with "Windows host process (rundll32)".
I tried downloading the .spc file directly, and then tried to import it into Firefox. No luck: it wants a "password" for this file (presumably there is none, but that's not acceptable to the dialog box, and strings of 0-8 blank spaces don't make it work either).
There's definitely a nice cert in that .spc file; I can unpack it with openssl. Firefox, though, doesn't seem to want to import anything other than a pure PKCS#12 file, and openssl won't produce one of those without a private key.
Anyone have any better luck and useful advice? Thanks, ==mwh
Mike Helm wrote:
> I will try that, but I predict it will fail if they use the same format.
>
> One of my colleagues has found a recent bug in bugzilla on this
> https://bugzilla.mozilla.org/show_bug.cgi?id=399188
> and it appears that Firefox is ignoring the MIME type and looking at the .spc extension, and then dropping into Windows file management. This is not what it does on, say, XP, where the same transaction works fine. I have not instrumented XP to see if the same PKCS#7 package & MIME type header get sent by Thawte to this client (seems like a reasonable assumption, though).
>
> My colleague was able to create a web page that would trick the Firefox browser on Vista into downloading & installing the cert: he took the cert out, renamed the extension to some junk, and then had the page send the proper PKCS#7 headers down along with the cert. Then Firefox-on-Vista loaded the cert properly.
If this is really the case on Vista, then I rather suspect that the OS intercepts the file based on the extension... can this be? I'm not a Windows expert, much less Vista. So I expected the MIME type to be application/x-x509-user-cert and that FF doesn't bother at all about the file extension. As a matter of fact, the web page serving the certificate can be called really anything... except maybe on Vista?
> Most likely they return a PKCS#7 (SPAC) file. The private key is > supposed to be stored in FF and the response file should be installed > without a problem. Perhaps you may want to try the free mail > certificates from http://cert.startcom.org and check if it works for you > with Firefox on Vista.
I will try that, but I predict it will fail if they use the same format.
One of my colleagues has found a recent bug in bugzilla on this https://bugzilla.mozilla.org/show_bug.cgi?id=399188 and it appears that Firefox is ignoring the MIME type and looking at the .spc extension, and then dropping into Windows file management. This is not what it does on, say, XP, where the same transaction works fine. I have not instrumented XP to see if the same PKCS#7 package & MIME type header get sent by Thawte to this client (seems like a reasonable assumption, though).
My colleague was able to create a web page that would trick the Firefox browser on Vista into downloading & installing the cert: he took the cert out, renamed the extension to some junk, and then had the page send the proper PKCS#7 headers down along with the cert. Then Firefox-on-Vista loaded the cert properly.
So it looks like this is some kind of error in the decisions firefox makes about extension handling.
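The workaround described in the post above (take the certificate out of the PKCS#7 response, drop the .spc extension, and send it with an explicit certificate MIME type) as an added example; this is not Thawte's, Mozilla's, or the poster's code. It assumes the end-entity certificate has already been extracted with openssl (`openssl pkcs7 -inform DER -in response.spc -print_certs -out cert.pem`, then `openssl x509 -in cert.pem -outform DER -out cert.der`), uses application/x-x509-user-cert as the MIME type Firefox installs internally, and stands in a constructed placeholder for the DER bytes. The list of Windows-associated extensions is an assumption for the example.

```python
"""Serve a user certificate so that the browser dispatches on the MIME type,
not on a Windows-registered file extension.

Added example modelling the workaround in the post; not Thawte's or Mozilla's
code. SAMPLE_CERT_DER is a constructed placeholder for a real DER certificate.
"""
import http.server
import posixpath

# MIME type Firefox handles internally for an end-entity (user) certificate.
USER_CERT_MIME = "application/x-x509-user-cert"

# Extensions Windows commonly associates with its own certificate tooling
# (assumed list for this example). The advertised filename must not carry one,
# or the OS association can win over the browser's internal handler.
WINDOWS_CERT_EXTENSIONS = {".spc", ".p7b", ".p7c", ".cer", ".crt", ".der"}

# Constructed placeholder for the DER bytes a real server would read from disk.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"\x00" * 256


def neutral_filename(name: str) -> str:
    """Replace a Windows-associated certificate extension with a neutral one."""
    root, ext = posixpath.splitext(name)
    if ext.lower() in WINDOWS_CERT_EXTENSIONS:
        return root + ".bin"
    return name


def build_cert_response(cert_der: bytes, filename: str = "usercert.spc"):
    """Return (status, headers, body) for delivering a user certificate.

    Content-Type is what the browser should dispatch on. The filename in
    Content-Disposition is only a hint, but it is neutralised so that nothing
    in the response points at a Windows helper.
    """
    headers = {
        "Content-Type": USER_CERT_MIME,
        "Content-Length": str(len(cert_der)),
        "Content-Disposition": 'inline; filename="%s"' % neutral_filename(filename),
        "Cache-Control": "no-store",
    }
    return 200, headers, cert_der


class CertHandler(http.server.BaseHTTPRequestHandler):
    """Minimal handler: GET /usercert returns the certificate, no extension in the URL."""

    def do_GET(self):
        if self.path != "/usercert":
            self.send_error(404)
            return
        status, headers, body = build_cert_response(SAMPLE_CERT_DER)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listens on localhost only; point the browser at http://127.0.0.1:8080/usercert
    http.server.HTTPServer(("127.0.0.1", 8080), CertHandler).serve_forever()
```

The URL path deliberately has no extension at all, so a browser that looks at the extension before the MIME type has nothing to match against; the Content-Disposition filename is neutralised for the same reason.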
Mike Helm wrote:
> One of my colleagues has found a recent bug in bugzilla on this
> https://bugzilla.mozilla.org/show_bug.cgi?id=399188
> and it appears that Firefox is ignoring the MIME type and looking at the .spc extension, and then dropping into Windows file management.
I believe the present browser processing for files received via http is something like this:
- if the MIME content type is known to the browser as a type it handles internally, (either in native browser code, or through extensions and add-ons/plugins) the browser handles the content internally, otherwise ...
- If the MIME content type is known to be handled by another process (e.g. MIME content type registered in Windows, or in the browser as a "helper") then it is handled that way. There may be a dialog involved at this point. Otherwise ...
- (on Windows) the file name extension is looked up, and whatever process is associated with that file name extension is run to handle it. There may be a dialog involved at this step.
Note that there is a possibility that a file will be downloaded with an unknown MIME content type, but when the file name extension is looked up, the MIME content type associated with that extension will be a type that is known to the browser. In this case, one might expect that the browser would handle the file internally, but it does not. This is a known bug, but I doubt that it's relevant to Thawte.
I suspect that Thawte is downloading the file with a content type that is unknown to the browser, but is known to windows to be handled by Windows' own cert manager. I've seen that before.
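The three-step dispatch order described in the reply above, as an added example that models it in code; this is not Firefox or Windows code, and the three tables (browser-internal MIME types, helper-registered MIME types, Windows extension associations) are assumptions made for illustration, not a dump of any real registry or browser configuration. It lets the Thawte case be walked through: a PKCS#7 type the browser does not know but Windows does goes to the Windows helper, an unknown type with a .spc name goes by extension, and the renamed file with an explicit certificate type stays in the browser. It also encodes the quirk noted above, where an extension that maps back to a browser-known type is still not handed back to the browser.

```python
"""Model of the download dispatch order described in the reply above.

Added example, not Firefox or Windows code. All three tables below are
assumptions for the example, not real browser or registry contents.
"""
import posixpath

# Step 1: MIME types the browser handles internally (assumed).
BROWSER_INTERNAL = {
    "application/x-x509-user-cert",
    "application/x-x509-ca-cert",
}

# Step 2: MIME types registered to an external helper process (assumed).
OS_HELPERS = {
    "application/x-pkcs7-certificates": "Windows certificate manager",
}

# Step 3: Windows extension associations: the MIME type the OS maps the
# extension to, and the process it launches for it (assumed).
EXTENSION_HANDLERS = {
    ".spc": ("application/x-pkcs7-certificates", "Windows certificate manager"),
    ".p7b": ("application/x-pkcs7-certificates", "Windows certificate manager"),
    ".cer": ("application/x-x509-ca-cert", "Windows certificate manager"),
}

QUIRK_NOTE = "extension maps to a browser-known type, but it is not re-dispatched to the browser"


def media_type(content_type):
    """Strip parameters and normalise case: 'Text/Plain; charset=x' -> 'text/plain'."""
    return (content_type or "").split(";")[0].strip().lower()


def dispatch(content_type, filename):
    """Return (route, handler, note) for a response with this type and filename.

    route is 'browser', 'helper', 'extension' or 'unknown', in the order the
    reply describes: MIME type first, extension only as a last resort.
    """
    ct = media_type(content_type)
    if ct in BROWSER_INTERNAL:
        return "browser", ct, ""
    if ct in OS_HELPERS:
        return "helper", OS_HELPERS[ct], ""
    ext = posixpath.splitext(filename)[1].lower()
    if ext in EXTENSION_HANDLERS:
        mapped_type, handler = EXTENSION_HANDLERS[ext]
        # The known quirk: even when the extension maps to a type the browser
        # knows, the browser does not take the file back internally.
        note = QUIRK_NOTE if mapped_type in BROWSER_INTERNAL else ""
        return "extension", handler, note
    return "unknown", "save-to-disk dialog", ""


def thawte_scenarios():
    """Walk the cases discussed in the thread; returns {label: route}."""
    cases = {
        "pkcs7 type, .spc name": ("application/x-pkcs7-certificates", "resp.spc"),
        "unknown type, .spc name": ("application/octet-stream", "resp.spc"),
        "x509 user-cert type, junk name": ("application/x-x509-user-cert", "resp.xyz"),
        "unknown type, junk name": ("application/octet-stream", "resp.xyz"),
    }
    return {label: dispatch(ct, name)[0] for label, (ct, name) in cases.items()}


if __name__ == "__main__":
    for label, route in thawte_scenarios().items():
        print("%-32s -> %s" % (label, route))
```

Only the third scenario keeps the certificate inside the browser, which is exactly what the colleague's renamed-file-plus-proper-headers page achieved; the first two are the two ways the Windows helper can end up with the .spc file.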