Open Bug 135403 Opened 23 years ago Updated 2 years ago

Add "None" button for client authentication, change cancel to cancel connection

Categories: Core :: Security: PSM, enhancement, P3

People: Reporter: julien.pierre, Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [psm-auth][psm-clientauth]

When a server sets the SSL_REQUEST_CERTIFICATE (but not SSL_REQUIRE_CERTIFICATE), it's telling the SSL client that the user can login with or without a client certificate. Upon receiving this SSL alert, Mozilla will search all the tokens for client certificates matching the CA certs presented by the server. If it finds one or more, it will ask the user to select one of those matching certificates (or automatically use one of the matching certificates, if "select automatically" is set). The only options in the client cert selection dialog are to select a cert and click OK, or click Cancel. If Cancel is clicked, the entire connection is aborted. Effectively, if a user has a certificate, he can only login to the server with that certificate, even though the server also allows logging in without a certificate.

Consider the case below, which I ran into yesterday:

- The user has a matching certificate, which has been revoked by the CA and is listed in the CA's CRL
- The server has the CA's CRL installed

When the user logs in to the server, forcibly selecting his client certificate, he gets a pop-up from the server saying "your client certificate has been revoked" (not sure of exact wording anymore, I would have to check). The problem is, he is unable to access the server at all, even though the client certificate isn't required by the server, but only requested! The only workaround for the user at that point is to delete his revoked client certificate before he can login to the server. Once the certificate is deleted, the user no longer has any matching client certs, and Mozilla falls back to SSL without client auth, and all goes fine. Of course, this is a rather drastic workaround, and may not be desirable for example if this is a certificate living on a smartcard.

My suggestion is to add a selection in the client cert pop-up list for "None" if the server set SSL_REQUEST_CERTIFICATE without setting SSL_REQUIRE_CERTIFICATE.
Note that this is only one of many justifications for having this "None" option. For privacy reasons, one may want to login to the site without client auth, if the server allows it. This isn't possible today if you have a client cert in your database or other token.
Priority: -- → P2
kai.
Assignee: ssaux → kaie
Target Milestone: --- → 2.3
Version: 1.01 → 2.3
I would add that the behavior Julien describes (where "cancel" aborts the connection) appears to differ from Communicator 4.x's behavior in that situation, where cancel seems to mean "continue without authenticating".
Nelson, Indeed. We should have a way to do both - either abort the connection or select no certificate, for servers allowing no certificate. For servers requiring a certificate, only selecting a cert or aborting would be acceptable. This is why I suggest putting a "No certificate" choice in the drop-down list of certs. That seems to make the most sense, at least to me. But perhaps a button ("login without certificate") would be easier to understand for others. That button would have to only be shown if the server didn't set the require bit, though.
Re: my previous example from last night, if the cert was on a smartcard, the user could conceivably remove it from his reader and then login to the server - provided he knows that it's possible. We don't tell the user whether the server accepts non client-auth connections. And this is still not easily solvable for certs living in the database which would have to be deleted as a workaround ...

As far as the revoked cert case and server permitting no client auth but requesting the cert: usually, such servers will only allow the non-client auth connection in order to be able to send a customized error page for the missing certificate. This is much better than the browser pop-up dialog about having a revoked cert. So, in that case, the user first logs in to the server with his revoked cert, and gets the "revoked" pop-up. With the new "none" feature, he can login again to the server with no certificate. The server will allow the non-client auth connection, and likely will display a "forbidden" page. That page conceivably could contain a pointer to the cert enrollment/renewal page or some contact information to get a valid certificate. This is much better than being stuck with a revoked cert and not being able to get in at all without deleting it.

FYI, the behavior I described is just what happens in NES when the server "requires" client auth. It never sets the SSL_REQUIRE_CERTIFICATE bit, only SSL_REQUEST_CERTIFICATE. So if the user logs in without the client certificate, the custom 403 error page is sent to the user.
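The request-versus-require distinction the two comments above turn on, shown as an added Go example (not code from this bug, Mozilla, or NES): Go's `tls.RequestClientCert` and `tls.RequireAnyClientCert` are used here as stand-ins for NSS's SSL_REQUEST_CERTIFICATE and SSL_REQUIRE_CERTIFICATE, and the 403 page text is a constructed placeholder. A client with no certificate gets the custom 403 page under the "request" policy, while the handshake itself fails under the "require" policy.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientAuthHandler is the application-level equivalent of the NES custom 403
// page: it is only reachable when the TLS layer *requested* a client cert,
// because a *required* cert is enforced during the handshake, before HTTP runs.
func clientAuthHandler(w http.ResponseWriter, r *http.Request) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		w.WriteHeader(http.StatusForbidden)
		// Constructed placeholder for the enrollment/renewal pointer the thread suggests.
		fmt.Fprint(w, "No client certificate presented; see the enrollment page (placeholder)")
		return
	}
	fmt.Fprintf(w, "Hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
}

// connectWithoutCert starts a TLS server with the given client-auth policy and
// makes one request from a client that owns no client certificate at all.
// It returns the HTTP status, or an error if the TLS handshake was rejected.
func connectWithoutCert(policy tls.ClientAuthType) (int, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(clientAuthHandler))
	srv.TLS = &tls.Config{ClientAuth: policy} // StartTLS adds the server certificate
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // trusts the test server's self-signed cert; sends no client cert
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// "request" (SSL_REQUEST_CERTIFICATE analogue): connection allowed, custom 403 served.
	// "require" (SSL_REQUIRE_CERTIFICATE analogue): handshake aborted, no page at all.
	for _, p := range []tls.ClientAuthType{tls.RequestClientCert, tls.RequireAnyClientCert} {
		st, err := connectWithoutCert(p)
		fmt.Printf("policy %d: status=%d err=%v\n", p, st, err)
	}
}
```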
*** Bug 32023 has been marked as a duplicate of this bug. ***
transferring dependency from duplicate
Depends on: 106730
Keywords: nsbeta1
Changing summary. The current behaviour of "Cancel" is to use no certificate.
Summary: Need to be able to choose "None" for client certificate selection → Add "None" button for client authentication, change cancel to cancel connection
Product: PSM → Core
changing obsolete psm* target to --- (unspecified)
Target Milestone: psm2.3 → ---
QA Contact: junruh → ui
Version: psm2.3 → 1.0 Branch
OS: Other → All
Version: 1.0 Branch → Trunk
Whiteboard: [psm-auth]
see also bug 32010 comment 13 [4.]
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
Component: Security: UI → Security: PSM
Priority: P2 → P3
Whiteboard: [psm-auth] → [psm-auth][psm-clientauth]
Severity: normal → S3