Issue 38905 in chromium: Personal certificates no longer working


chro...@googlecode.com

Mar 22, 2010, 2:02:45 PM
to chromi...@chromium.org
Status: Unconfirmed
Owner: ----
Labels: OS-Mac Area-Undefined Pri-2 Type-Bug

New issue 38905 by patrick.mcneal: Personal certificates no longer working
http://code.google.com/p/chromium/issues/detail?id=38905

Chrome Version : 5.0.359.0 (42152)
URLs (if applicable) : N/A
OS version : 10.6.2
Behavior in Safari 3.x/4.x (if applicable): Works
Behavior in Firefox 3.x (if applicable): Works
Behavior in Chrome for Windows: unknown

What steps will reproduce the problem?
1. Install a personal certificate
2. Go to a website that requires a personal certificate.

What is the expected result?
Chrome should provide my client certificate, and I should be able to access
the website.

What happens instead?
Chrome gives this error:

Certificate-based authentication failed.

This server requires a certificate for authentication, and didn't accept the
one sent by the browser. Your certificate may have expired, or the server
may not trust its issuer. You can try again with a different certificate,
if you have one, or you may have to obtain a valid certificate from elsewhere.

More information on this error
Below is the original error message

Error 117 (net::ERR_BAD_SSL_CLIENT_AUTH_CERT): Bad SSL client
authentication certificate.

Note: This does work with Chrome 5.0.359.0 (42146). It stopped working
in 5.0.359.0 (42152).


chro...@googlecode.com

Mar 27, 2010, 10:08:04 PM
to chromi...@chromium.org

Comment #1 on issue 38905 by colesbury: Personal certificates no longer
working
http://code.google.com/p/chromium/issues/detail?id=38905

I'm seeing the same behavior on MIT's websites. r42149 is the change that
triggers this bug.

http://src.chromium.org/viewvc/chrome?view=rev&revision=42149

It appears that the client is not sending the Certificate Verify message.

chro...@googlecode.com

Mar 28, 2010, 2:56:59 PM
to chromi...@chromium.org

Comment #2 on issue 38905 by f...@jbbr.net: Personal certificates no longer
working
http://code.google.com/p/chromium/issues/detail?id=38905

I can confirm this behavior with Chromium 5.0.365.0 (r42915) on Mac OS X.

chro...@googlecode.com

Mar 29, 2010, 1:06:50 PM
to chromi...@chromium.org
Updates:
Owner: s...@chromium.org
Labels: -Area-Undefined Area-Internals Internals-Network

Comment #3 on issue 38905 by sn...@chromium.org: Personal certificates no
longer working
http://code.google.com/p/chromium/issues/detail?id=38905

Is there a server I can use to reproduce this? Client auth is working for
me with servers I test with.

If not, can you turn on the INFO level of logging, and then collect the log
messages starting with "SSL:" when you try/fail to connect, and attach them
here? (Those are the messages generated by the SSL_LOG macro in
ssl_client_socket_mac.cc.)

chro...@googlecode.com

Mar 29, 2010, 2:28:05 PM
to chromi...@chromium.org

Comment #6 on issue 38905 by sn...@chromium.org: Personal certificates no
longer working
http://code.google.com/p/chromium/issues/detail?id=38905

Thanks for the logs. They both look pretty much the same:
ssl_client_socket_mac.cc(724)] SSL: ----- InitializeSSLContext
ssl_client_socket_mac.cc(960)] SSL: Server auth completed (DoHandshakeStart)
ssl_client_socket_mac.cc(998)] SSL: DoVerifyCert...
ssl_client_socket_mac.cc(1014)] SSL: ...DoVerifyCertComplete (result=0)
ssl_client_socket_mac.cc(1068)] SSL: Server requested client cert (DoHandshakeFinish)
ssl_client_socket_mac.cc(663)] SSL: Server has 1 valid issuer names
ssl_client_socket_mac.cc(685)] SSL: Asking user to choose between 1 client certs...
ssl_client_socket_mac.cc(556)] SSL: ----- Disposed SSLContext
ssl_client_socket_mac.cc(724)] SSL: ----- InitializeSSLContext
ssl_client_socket_mac.cc(960)] SSL: Server auth completed (DoHandshakeStart)
ssl_client_socket_mac.cc(998)] SSL: DoVerifyCert...
ssl_client_socket_mac.cc(1014)] SSL: ...DoVerifyCertComplete (result=0)
ssl_client_socket_mac.cc(1068)] SSL: Server requested client cert (DoHandshakeFinish)
ssl_client_socket_mac.cc(1053)] SSL: SSLSetCertificate(1 certs)
ssl_client_socket_mac.cc(556)] SSL: ----- Disposed SSLContext
ssl_client_socket_mac.cc(724)] SSL: ----- InitializeSSLContext
ssl_client_socket_mac.cc(960)] SSL: Server auth completed (DoHandshakeStart)
ssl_client_socket_mac.cc(998)] SSL: DoVerifyCert...
ssl_client_socket_mac.cc(1014)] SSL: ...DoVerifyCertComplete (result=0)
ssl_client_socket_mac.cc(1068)] SSL: Server requested client cert (DoHandshakeFinish)
ssl_client_socket_mac.cc(1053)] SSL: SSLSetCertificate(1 certs)
ssl_client_socket_mac.cc(1088)] Server aborted SSL handshake; client_state=1
ssl_client_socket_mac.cc(556)] SSL: ----- Disposed SSLContext

Things seem to go fine until the "Server aborted SSL handshake" warning,
which means SSLHandshake returned errSSLClosedAbort or
errSSLPeerHandshakeFail. At this point SSLGetClientCertificateState is
returning kSSLClientCertRequested, which means "server has asked for a cert,
but client didn't send it". Which is weird since the logs show that we called
SSLSetCertificate already.
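
Added example, not part of the original thread or of Chromium's code: a small triage script that splits SSL_LOG output like the excerpt in comment #6 into handshake attempts and flags the contradictory case described there (SSLSetCertificate was logged, yet the abort reports client_state=1). The sample log is constructed, and the function and label names are made up for this illustration.

```python
import re

# Constructed sample shaped like the SSL_LOG excerpt in comment #6 (not a real capture).
SAMPLE_LOG = """\
ssl_client_socket_mac.cc(724)] SSL: ----- InitializeSSLContext
ssl_client_socket_mac.cc(1068)] SSL: Server requested client cert (DoHandshakeFinish)
ssl_client_socket_mac.cc(685)] SSL: Asking user to choose between 1 client certs...
ssl_client_socket_mac.cc(556)] SSL: ----- Disposed SSLContext
ssl_client_socket_mac.cc(724)] SSL: ----- InitializeSSLContext
ssl_client_socket_mac.cc(1068)] SSL: Server requested client cert (DoHandshakeFinish)
ssl_client_socket_mac.cc(1053)] SSL: SSLSetCertificate(1 certs)
ssl_client_socket_mac.cc(1088)] Server aborted SSL handshake; client_state=1
ssl_client_socket_mac.cc(556)] SSL: ----- Disposed SSLContext
"""

LINE_RE = re.compile(r"ssl_client_socket_mac\.cc\(\d+\)\]\s+(?:SSL: )?(.*)")
CERT_REQUESTED = 1  # comment #6 reads client_state=1 as kSSLClientCertRequested

def split_attempts(log_text):
    """Group log messages by SSLContext lifetime (Initialize ... Disposed)."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # wrapped continuation lines and unrelated output
        msg = m.group(1)
        if "InitializeSSLContext" in msg:
            current = []
        elif "Disposed SSLContext" in msg and current is not None:
            attempts.append(current)
            current = None
        elif current is not None:
            current.append(msg)
    return attempts

def classify(attempt):
    """Label one attempt; 'cert_set_but_not_sent' is the case comment #6 calls weird."""
    cert_set = any(m.startswith("SSLSetCertificate(") for m in attempt)
    abort = next((m for m in attempt if m.startswith("Server aborted SSL handshake")), None)
    if abort:
        state = re.search(r"client_state=(\d+)", abort)
        if cert_set and state and int(state.group(1)) == CERT_REQUESTED:
            return "cert_set_but_not_sent"
        return "aborted"
    if any(m.startswith("Asking user to choose") for m in attempt):
        return "user_prompted"
    return "cert_set" if cert_set else "no_client_cert"

def triage(log_text):
    return [classify(a) for a in split_attempts(log_text)]
```
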

chro...@googlecode.com

Mar 29, 2010, 3:41:31 PM
to chromi...@chromium.org

Comment #7 on issue 38905 by colesbury: Personal certificates no longer
working
http://code.google.com/p/chromium/issues/detail?id=38905

I see the same log. Looking at what goes across the wire, I see that the
newer nightly builds don't send a Certificate Verify message. (They then try
to fall back to SSLv3, which also fails.) This seems to be related to your
post here:

http://lists.apple.com/archives/apple-cdsa/2010/Feb/msg00057.html

When you test client auth on your servers do you see the Certificate Verify
message being sent?

chro...@googlecode.com

Mar 29, 2010, 4:13:04 PM
to chromi...@chromium.org

Comment #8 on issue 38905 by s...@google.com: Personal certificates no
longer working
http://code.google.com/p/chromium/issues/detail?id=38905

colesbury: I don't think it's related to that mailing list post, because in
this case we never get through the handshake at all.
What tool are you using to trace the SSL messages? I haven't had to dive
down to that level yet, but it looks like I'll need to now. I hope this isn't
another SecureTransport bug.

chro...@googlecode.com

Mar 29, 2010, 5:42:41 PM
to chromi...@chromium.org
Updates:
Status: Started
Cc: w...@chromium.org

Comment #14 on issue 38905 by sn...@chromium.org: Personal certificates no
longer working
http://code.google.com/p/chromium/issues/detail?id=38905

OK, I have a patch that backs out the behavior of the previous patch
(without literally backing out the entire patch.)
http://codereview.chromium.org/1514004
If someone following this issue can build Chromium from source, it'd be
great if you could apply the patch and let me know if it fixes the problem,
since I don't yet have any server that reproduces the bug.
