ERR_BAD_SSL_CLIENT_AUTH_CERT for client cert subjectDN with Teletext non-ASCII text
Reported by bper.i...@gmail.com, May 3 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.29 Safari/537.36

Steps to reproduce the problem:
1. install the Chrome 59 beta browser on a Mac platform (macOS Sierra or El Capitan for example)
2. open Chrome browser on http://testssl.asipsante.fr web site
3. click on the https link

What is the expected behavior?
After clicking the HTTPS link, the browser should show a list of client certificates in order to select one (requires a specific smart-card - "Carte de Professional de Santé")

What went wrong?
No certificate list presented to the end user. The browser displays the error status ERR_BAD_SSL_CLIENT_AUTH_CERT instead.

Did this work before? Yes 58 Release

Chrome version: 59.0.3071.29 Channel: beta
OS Version: OS X 10.12.4
Flash Version:

After numerous tests, we have observed the following:
- Certificates are valid (not expired at the time of test).
- Certificates having a subjectDN with Teletext encoded text containing French accented characters don't work anymore.
- Certificates having a subjectDN with Teletext encoded text NOT containing any French accented characters are OK.
Certificates having a subjectDN with UTF-8 encoded text containing French accented characters are OK too.
May 4 2017
Hi, last night's beta update (59.0.3071.36) has not fixed the problem. We get the same error in Chrome.
May 4 2017
To add some context to this bug: if this issue still exists when Chrome 59 Release hits the streets (on Mac OS), there will be several thousands of healthcare professionals in France who will no longer be able to use their CPS smartcards in order to perform their work. Replacing their CPS smartcards containing new certificates is not something that can be achieved in the space of a few weeks (or months even). This is therefore a 'Critical' bug from the user perspective.
May 4 2017
We have exactly the same issue. We have got 1.000.000 certificate holders (smartcards for healthcare professionals) and they are potentially impacted.
May 4 2017
Re #4: We understand that's a good solution for server certificates. But all our certificates are available in secure readonly smartcards that are deployed. They are used every day by our users to access several web online applications. It couldn't be a quick win to change all our PKI and issued smartcards.
May 4 2017
#5, #6 - Thanks for your feedback!
May 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/788812f7788c07aa58487523ec70f9e921d78543

commit 788812f7788c07aa58487523ec70f9e921d78543
Author: mattm <mattm@chromium.org>
Date: Fri May 05 23:49:09 2017

X509NameAttribute::ValueAsString: Decode TeletexString as Latin1.

BUG=717905, 715969
Review-Url: https://codereview.chromium.org/2865603002
Cr-Commit-Position: refs/heads/master@{#469812}

[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/BUILD.gn
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/cert/internal/parse_name.cc
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/cert/internal/parse_name_unittest.cc
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/cert/x509_certificate_unittest.cc
[add] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/subject_t61string.pem
[add] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/subject_t61string_1-32.pem
[add] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/subject_t61string_126-160.pem
[add] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/subject_t61string_actual.pem
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/v3_certificate_template.txt
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/test/test_data_directory.cc
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/test/test_data_directory.h
May 8 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 8 2017
Issue 715969 has been merged into this issue.
May 8 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8a4fb425dc1e081b5942975f0d1c852aae2819e6

commit 8a4fb425dc1e081b5942975f0d1c852aae2819e6
Author: Matt Mueller <mattm@chromium.org>
Date: Mon May 08 20:20:42 2017

X509NameAttribute::ValueAsString: Decode TeletexString as Latin1.

BUG=717905, 715969
Review-Url: https://codereview.chromium.org/2865603002
Cr-Commit-Position: refs/heads/master@{#469812}
(cherry picked from commit 788812f7788c07aa58487523ec70f9e921d78543)

Review-Url: https://codereview.chromium.org/2866063003 .
Cr-Commit-Position: refs/branch-heads/3071@{#461}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/BUILD.gn
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/cert/internal/parse_name.cc
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/cert/internal/parse_name_unittest.cc
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/cert/x509_certificate_unittest.cc
[add] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/subject_t61string.pem
[add] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/subject_t61string_1-32.pem
[add] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/subject_t61string_126-160.pem
[add] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/subject_t61string_actual.pem
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/v3_certificate_template.txt
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/test/test_data_directory.cc
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/test/test_data_directory.h
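
Added example, not part of the thread and not Chromium's code from parse_name.cc: a decoder for one DER-encoded subjectDN attribute value that shows why a TeletexString with an accented character needs the Latin-1 treatment named in the commit message, while ASCII-only Teletex and UTF8String values are unaffected. `DecodeAttributeValue`, `TeletexPolicy` and the sample byte strings are hypothetical; the ASCII-only policy is an assumption used to reproduce the reported symptom.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// ASN.1 universal tags for the string types named in the report.
constexpr uint8_t kUtf8String = 0x0C, kPrintableString = 0x13, kTeletexString = 0x14;

// kAsciiOnly is an assumed strict policy that reproduces the reported symptom;
// kLatin1 is the behaviour named in the commit message.
enum class TeletexPolicy { kAsciiOnly, kLatin1 };

// Constructed sample values: "André" as TeletexString and as UTF8String,
// and "Andre" as TeletexString.
const std::vector<uint8_t> kTeletexAccented = {0x14, 0x05, 'A', 'n', 'd', 'r', 0xE9};
const std::vector<uint8_t> kTeletexPlain = {0x14, 0x05, 'A', 'n', 'd', 'r', 'e'};
const std::vector<uint8_t> kUtf8Accented = {0x0C, 0x06, 'A', 'n', 'd', 'r', 0xC3, 0xA9};

// Decodes one DER attribute value (short-form length only) into UTF-8.
// Returns false on malformed input or a byte the policy cannot represent.
bool DecodeAttributeValue(const std::vector<uint8_t>& der, TeletexPolicy policy,
                          std::string* out) {
  out->clear();
  if (der.size() < 2 || (der[1] & 0x80) || der.size() != 2u + der[1])
    return false;  // truncated, long-form length, or trailing bytes
  const uint8_t tag = der[0];
  if (tag != kUtf8String && tag != kPrintableString && tag != kTeletexString)
    return false;  // other string types are not handled in this example
  for (size_t i = 2; i < der.size(); ++i) {
    const uint8_t b = der[i];
    if (tag == kUtf8String || b < 0x80) {
      // UTF8String is copied through (not re-validated here); ASCII bytes
      // mean the same thing in all three types.
      out->push_back(static_cast<char>(b));
    } else if (tag == kTeletexString && policy == TeletexPolicy::kLatin1) {
      // Latin-1 byte 0x80..0xFF is code point U+0080..U+00FF: two UTF-8 bytes.
      out->push_back(static_cast<char>(0xC0 | (b >> 6)));
      out->push_back(static_cast<char>(0x80 | (b & 0x3F)));
    } else {
      return false;  // high byte in PrintableString or under kAsciiOnly
    }
  }
  return true;
}

int main() {
  std::string s;
  bool ok = DecodeAttributeValue(kTeletexAccented, TeletexPolicy::kLatin1, &s);
  std::cout << (ok ? s : "<rejected>") << "\n";
  return 0;
}
```
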
May 8 2017
Fix is in current canary, and should go out in next dev and beta builds as well.
May 10 2017
As per the duped Issue 715969 in C#17, I was able to repro on the reported version (59.0.3071.25). This now works fine on the latest M-59 (59.0.3071.47) on Mac OS 10.12.4. Hence adding the TE-Verified label
Comment 1 by elawrence@chromium.org, May 3 2017
Components: Internals>Network>Certificate
Status: Untriaged (was: Unconfirmed)
Summary: ERR_BAD_SSL_CLIENT_AUTH_CERT for client cert subjectDN with Teletext non-ASCII text (was: ERR_BAD_SSL_CLIENT_AUTH_CERT error code obtained on Web SSL client connection (chrome 59 beta))