Starred by 8 users
Status: Fixed
Owner:
Closed: May 8
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Regression



ERR_BAD_SSL_CLIENT_AUTH_CERT for client cert subjectDN with Teletext non-ASCII text
Reported by bper.i...@gmail.com, May 3
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.29 Safari/537.36

Steps to reproduce the problem:
1. install the Chrome 59 beta browser on a Mac platform (macOS Sierra or El Capitan for example)
2. open Chrome browser on http://testssl.asipsante.fr web site
3. click on the https link

What is the expected behavior?
After clicking the HTTPS link, the browser should show a list of client certificates in order to select one (requires a specific smart-card - "Carte de Professional de Santé")

What went wrong?
No certificate list presented to the end user.
The browser displays the error status ERR_BAD_SSL_CLIENT_AUTH_CERT instead.

Did this work before? Yes 58 Release

Chrome version: 59.0.3071.29  Channel: beta
OS Version: OS X 10.12.4
Flash Version: 

After numerous tests, we have observed the following:

- Certificates are valid (not expired at the time of test).
- Certificates having a subjectDN with Teletext encoded text containing French accented characters don't work anymore.
- Certificates having a subjectDN with Teletext encoded text NOT containing any French accented characters are OK.

Certificates having a subjectDN with UTF-8 encoded text containing French accented characters are OK too.
 
Cc: sleevi@google.com mattm@chromium.org
Components: Internals>Network>Certificate
Status: Untriaged
Summary: ERR_BAD_SSL_CLIENT_AUTH_CERT for client cert subjectDN with Teletext non-ASCII text (was: ERR_BAD_SSL_CLIENT_AUTH_CERT error code obtained on Web SSL client connection (chrome 59 beta))
Thanks for the report and the analysis!

Matt-- More fallout from crrev.com/4cede8d39db10321b053c0d9776cf6b23f290310, I presume?
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Hi,

Last night's beta update (59.0.3071.36) has not fixed the problem.

We get the same error in Chrome.

To add some context to this bug: if this issue still exists when Chrome 59 Release hits the streets (on Mac OS), there will be several thousands of healthcare professionals in France who will no longer be able to use their CPS smartcards in order to perform their work. Replacing their CPS smartcards containing new certificates is not something that can be achieved in the space of a few weeks (or months even).

This is therefore a 'Critical' bug from the user perspective.

We have exactly the same issue.

We have got 1.000.000 certificate holders (smartcards for healthcare professionals) and they are potentially impacted.
Re #4: We understand that's a good solution for server certificates.

But all our certificates are available in secure readonly smartcards that are deployed. They are used every day by our users to access several web online applications.

It couldn't be a quick win to change all our PKI and issued smartcards.
Components: Enterprise
Labels: -Pri-2 M-59 Pri-1
#5, #6 - Thanks for your feedback!
Labels: ReleaseBlock-Stable
Labels: -Type-Bug Type-Bug-Regression
Cc: georgesak@chromium.org
Cc: -sleevi@google.com
Cc: -mattm@chromium.org
Owner: mattm@chromium.org
Status: Started
Project Member Comment 14 by bugdroid1@chromium.org, May 5
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/788812f7788c07aa58487523ec70f9e921d78543

commit 788812f7788c07aa58487523ec70f9e921d78543
Author: mattm <mattm@chromium.org>
Date: Fri May 05 23:49:09 2017

X509NameAttribute::ValueAsString: Decode TeletexString as Latin1.

BUG= 717905 , 715969 

Review-Url: https://codereview.chromium.org/2865603002
Cr-Commit-Position: refs/heads/master@{#469812}

[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/BUILD.gn
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/cert/internal/parse_name.cc
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/cert/internal/parse_name_unittest.cc
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/cert/x509_certificate_unittest.cc
[add] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/subject_t61string.pem
[add] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/subject_t61string_1-32.pem
[add] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/subject_t61string_126-160.pem
[add] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/subject_t61string_actual.pem
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/data/parse_certificate_unittest/v3_certificate_template.txt
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/test/test_data_directory.cc
[modify] https://crrev.com/788812f7788c07aa58487523ec70f9e921d78543/net/test/test_data_directory.h
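
The commit above decodes TeletexString subject values as Latin1. As an added example (not Chromium's code and not part of the original thread), this Python code walks a DER-encoded Name, decodes each attribute by its ASN.1 string tag, and flags TeletexString values carrying bytes above 0x7F, the case reported as failing; the sample subject and all helper names are constructed for illustration.

```python
# Added example, not Chromium code. The sample subject below is constructed.
TELETEX_STRING, UTF8_STRING = 0x14, 0x0C
CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1"}  # 0x13 = PrintableString

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_value(tag, raw):
    if tag not in CODECS:
        raise ValueError(f"unhandled string tag 0x{tag:02x}")
    return raw.decode(CODECS[tag])  # latin-1 maps each byte to one code point

def name_attributes(der_name):
    """Return [(oid_hex, text, teletex_with_high_bytes)] for a DER Name."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for _, rdn_set in children(rdns):      # each RDN is a SET
        for _, atv in children(rdn_set):   # of AttributeTypeAndValue SEQUENCEs
            (_, oid), (vtag, raw) = children(atv)
            flagged = vtag == TELETEX_STRING and any(b > 0x7F for b in raw)
            out.append((oid.hex(), decode_value(vtag, raw), flagged))
    return out

def tlv(tag, value):  # sample builder: short-form lengths only
    return bytes([tag, len(value)]) + value

def rdn(oid_hex, tag, raw):
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(tag, raw)))

# Constructed subject: CN (2.5.4.3), O (2.5.4.10), OU (2.5.4.11)
SAMPLE_NAME = tlv(0x30, rdn("550403", TELETEX_STRING, b"Ren\xe9e")
                  + rdn("55040a", TELETEX_STRING, b"Renee")
                  + rdn("55040b", UTF8_STRING, "Ren\u00e9e".encode("utf-8")))
```

Running `name_attributes` over the subjects of deployed client certificates shows which ones depend on the Latin1 reading of TeletexString; the byte 0xE9 in the first attribute is not valid UTF-8 on its own.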

Labels: Merge-Request-59
Project Member Comment 16 by sheriffbot@chromium.org, May 8
Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: rsleevi@chromium.org mattm@chromium.org eroman@chromium.org elawre...@chromium.org
 Issue 715969  has been merged into this issue.
Project Member Comment 18 by bugdroid1@chromium.org, May 8
Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8a4fb425dc1e081b5942975f0d1c852aae2819e6

commit 8a4fb425dc1e081b5942975f0d1c852aae2819e6
Author: Matt Mueller <mattm@chromium.org>
Date: Mon May 08 20:20:42 2017

X509NameAttribute::ValueAsString: Decode TeletexString as Latin1.

BUG= 717905 , 715969 

Review-Url: https://codereview.chromium.org/2865603002
Cr-Commit-Position: refs/heads/master@{#469812}
(cherry picked from commit 788812f7788c07aa58487523ec70f9e921d78543)

Review-Url: https://codereview.chromium.org/2866063003 .
Cr-Commit-Position: refs/branch-heads/3071@{#461}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/BUILD.gn
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/cert/internal/parse_name.cc
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/cert/internal/parse_name_unittest.cc
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/cert/x509_certificate_unittest.cc
[add] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/subject_t61string.pem
[add] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/subject_t61string_1-32.pem
[add] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/subject_t61string_126-160.pem
[add] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/subject_t61string_actual.pem
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/data/parse_certificate_unittest/v3_certificate_template.txt
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/test/test_data_directory.cc
[modify] https://crrev.com/8a4fb425dc1e081b5942975f0d1c852aae2819e6/net/test/test_data_directory.h

Status: Fixed
Fix is in current canary, and should go out in next dev and beta builds as well.
Comment 20 Deleted
Labels: TE-Verified-59.0.3071.47 TE-Verified-59
As per the duped Issue 715969 in C#17, I was able to repro on the reported version (59.0.3071.25). This now works fine on the latest M-59 (59.0.3071.47) on Mac OS 10.12.4. Hence adding the TE-Verified label.