New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 647910 link

Starred by 1 user
Status: Duplicate
Merged: issue 646567
Owner: ----
Closed: Sep 2016
Cc:
lgar...@chromium.org
nyerramilli@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Feature



Sign in to add a comment

Improvement on the error message for expired client certificate

Reported by g.rossol...@gmail.com, Sep 17 2016 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce the problem:
1. Load a client certificate in the browser, with appropriate additional CA if necessary
2. Confirm that the certificate is accepted by the server
3. Wait for the client certificate to expire (or change server clock)
4. Confirm the SSL error message

What is the expected behavior?
The error message shown by the browser should help the user diagnose the issue.
For example, Firefox displays the following error code along with the message "An error occurred during a connection to example.com:8443. SSL peer rejected your certificate as expired":
SSL_ERROR_EXPIRED_CERT_ALERT

What went wrong?
Chrome displays a generic error message with the following error code:
ERR_SSL_PROTOCOL_ERROR

Here is the complete message:
"Ce site ne peut pas fournir de connexion sécurisée

example.com a envoyé une réponse incorrecte.
Essayez d'exécuter les diagnostics réseau.

ERR_SSL_PROTOCOL_ERROR"

This suggests the problem is with the server or the network, when in fact the error is in the certificate having already expired.

Also, in my case the website is hosted on port 8443, which Firefox repeats in the error message while Chrome does not.

Did this work before? N/A 

Chrome version: 52.0.2743.116  Channel: stable
OS Version: OS X 10.11.6
Flash Version: Shockwave Flash 22.0 r0

Comment 1 by nyerramilli@google.com, Sep 19 2016

Cc: nyerramilli@chromium.org
Components: -UI Internals>Network>SSL
Labels: -Type-Bug M-54 OS-Linux OS-Windows Type-Feature
Thanks for the report.

Considering this as feature request, marking as Untriaged.

Requesting Dev team to look into this issue and update.

Comment 2 by davidben@chromium.org, Sep 19 2016

Labels: Needs-Feedback
Client certificate error messages are not something a client can control. What we do depends strongly on what alert the server is kind enough to send us and other factors like whether we filter out expired certs ahead of time (I forget).

Please attach a net-internals log per these instructions:
https://dev.chromium.org/for-testers/providing-network-details

Comment 3 by rsleevi@chromium.org, Sep 19 2016 

David: We do filter out ahead of time. This is the case where the cert enters the cache (unexpired), but then later expires during use.

There's only one place NSS sets SSL_ERROR_EXPIRED_CERT_ALERT: a certificate_expired alert - https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/ssl/ssl3con.c#3756

Seems reasonably low-friction to support, but haven't checked the spec.

Comment 4 by davidben@chromium.org, Sep 19 2016 

We already map that alert to ERR_BAD_SSL_CLIENT_AUTH_CERT, hence the net-internals request. I actually suspect we're simply filtering the certs out, sending none, and hitting  issue #646567 . A net-internals log will confirm.

Comment 5 by g.rossol...@gmail.com, Sep 21 2016 

Following Comment #4, please find attached the requested net-internals report.
net-internals-log.json
103 KB View Download

Comment 6 by davidben@chromium.org, Sep 22 2016

Mergedinto: 646567
Status: Duplicate (was: Unconfirmed)
Thanks! Comment #4 is indeed what's going on. Merging into the other bug. ClientCertStoreMac filters out expired certificates, so we're not prompting or offering anything. The server then responds with our favorite generic handshake_failure alert (since TLS didn't define an alert for this) which we currently map to a generic error.

 Issue #646567  is being worked on (I have a meeting with some UI folks next week), so hopefully in a future release we'll map this to something more useful.

Comment 7 by g.rossol...@gmail.com, Sep 24 2016 

Ok, thanks for taking this into account.
By the way, I am not sure what you mean by "cache" here, but in my case the certificate had not been requested by the server for several weeks or even months (I mostly use other computers for this task). The browser has had many opportunities to be quit since last time the cert has been requested by the server, and the whole computer has been rebooted several times as well.
I would guess the cache you mention has had many opportunities to be cleared or invalidated.

Comment 8 by davidben@chromium.org, Sep 24 2016 

Yeah, I don't think the cache was involved. I think we were confused about how much time passed between steps 2 and 3. :-) Either way, the issue is the same was #646567.

(The problem is TLS failed to define an alert for "you sent no certificate, but I needed one", so everyone sends the generic handshake_failure alert which is used for bad cipher suites and everything else. We're going to need some extra logic to guess when it was because you didn't send a client cert. I've gotten the IETF to define a new alert for TLS 1.3, so going forward servers will hopefully be saner.)

Comment 9 by g.rossol...@gmail.com, Sep 29 2016 

I have seen the new error with Version 55.0.2875.0 canary (64-bit) on macOS 10.12.
This is a very helpful error message, thanks!

I just wish it were present in the DevTools security audit as well (see attachment).
Capture d’écran 2016-09-30 à 01.06.13.png
91.2 KB View Download

Comment 10 by davidben@chromium.org, Sep 30 2016

Cc: lgar...@chromium.org
That's probably for +lgarron. It looks like that's just what we show on net error pages? In such a situation, we can't really show any of the bits DevTools would show because we haven't made a connection at all, but probably we shouldn't "Valid Certificates" and "Secure Resources" either.

(Probably should be tracked in a separate bug.)

Comment 11 by g.rossol...@gmail.com, Sep 30 2016 

I just tried several times creating a new issue for this, but I got a blank page.

Here is a copy of the report, please feel free to report it yourself with above screenshot:
Please enter a one-line summary:
DevTools' Security panel doesn't always show specific errors when overview marked "not secure"

What part of the browser is affected?
The Security panel in DevTools

Steps to reproduce the problem:
1. Have an expired client certificate
2. Load a webpage that requires this client certificate
3. Open the DevTools' Security panel

What is the expected behavior?
At least one warning or error message in the details to explain the overview label: "This page is not secure".
This panel really shines when user-friendly messages are displayed to help the less technical-oriented users.

What went wrong?
Although the overview displays a message "This page is not secure" (which is correct in this case), the details show no error. This creates confusion for the end user.

Did this work before?
  Not applicable or don't know  Yes - This is a regression  No - I think it never worked  

Any other comments?
Sometimes the actual TLS error is not even displayed in the main browser window, as shown by #646567.
Please see #647910 for more history on this issue.

Comment 12 by davidben@chromium.org, Sep 30 2016 

Odd. Well, anyway, I've pasted your report to  issue #651866 .

Sign in to add a comment