User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8a5) Gecko/20041101 MultiZilla/1.7.0.0e Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8a5) Gecko/20041101 MultiZilla/1.7.0.0e When I visit a page which requests a client certificate (I know an internal one but don't like to post the address here) and none is available, Mozilla (tested with Firefox 1.0 and current Suite nightly builds) says: "[server name] has received an incorrect or unexpected message. Error code -12227." Also see http://www.dartmouth.edu/comp/support/library/software/security/pki/faqs/mozilla.html which describes the same error. Reproducible: Always Steps to Reproduce: 1. Visit a website which requests a client certificate that you do no have installed Actual Results: The described error appears in an alert box Expected Results: Inform the user what went wrong and possibly how to solve the problem (install a client certificate for the site requesting it) Maybe someone else can give an example website where the problem appears.

*** This bug has been marked as a duplicate of 107491 ***

I can now reproduce this error, as I set up a require-always-client-auth test server at https://kuix.de:8443/ While I agree that PSM should report a better error message, -12227 means: SSL_ERROR_HANDSHAKE_FAILURE_ALERT Should NSS really return with that error code?

NSS is returning an error with the most specific information it has about what went wrong. The server sent a general "handshake failure" alert. Sounds like the server is returning the wrong alert code. Under the circumstances, considering the alert code we received, I don't how NSS could better diagnose the situation. I suppose we could remember that the server requested client authentication, and then when the handshake fails, we could report some error message to the user that speculates "Failure might be related to client authentication". But let's not fix that before fixing bug 107491.