Client auth only sending client certificate, not sending intermediate CA certificates

I was trying to figure out why some of the users were not having a chain sent to the server for their client certificate, and it turns out Firefox does not send (by default?) the chaining certs.

After reviewing https://wiki.mozilla.org/PSM:CertPrompt , it seems Firefox will 'validate' that the client cert can be chained, before allowing the user to select it.

Here is a snippet of a diff of the TLS Certificate, Client Key Exchange, and Certificate Verify packets of IE and FF. Full packets upon request.

$ diff -u firefox-client-TLS.txt internetExplorer-client-TLS.txt  | less
--- firefox-client-TLS.txt      2015-03-02 16:13:05.918866100 -0500
+++ internetExplorer-client-TLS.txt     2015-03-02 16:05:01.332097100 =
-0500
@@ -1,18 +1,18 @@
 No.     Time                Source                Destination           =
Port   Protocol Length Info
-   3071 2015-03-02 16:09:59 192.168.4.12          67.90.184.200         =
443    TLSv1.2  565    Certificate, Client Key Exchange, Certificate =
Verify
+    836 2015-03-02 16:01:42 192.168.4.12          67.90.184.200         =
443    TLSv1    634    Certificate, Client Key Exchange, Certificate =
Verify

-Frame 3071: 565 bytes on wire (4520 bits), 565 bytes captured (4520 =
bits) on interface 0
+Frame 836: 634 bytes on wire (5072 bits), 634 bytes captured (5072 =
bits) on interface 0
     Interface id: 0 =
(\Device\NPF_{62C9E26B-6677-4CCF-82EC-CD288CDC77D1})
     Encapsulation type: Ethernet (1)
-    Arrival Time: Mar  2, 2015 16:09:59.702193000 Eastern Standard Time
+    Arrival Time: Mar  2, 2015 16:01:42.634780000 Eastern Standard Time
     [Time shift for this packet: 0.000000000 seconds]
-    Epoch Time: 1425330599.702193000 seconds
-    [Time delta from previous captured frame: 0.000054000 seconds]
-    [Time delta from previous displayed frame: 0.000054000 seconds]
-    [Time since reference or first frame: 691.721761000 seconds]
-    Frame Number: 3071
-    Frame Length: 565 bytes (4520 bits)
-    Capture Length: 565 bytes (4520 bits)
+    Epoch Time: 1425330102.634780000 seconds
+    [Time delta from previous captured frame: 0.000022000 seconds]
+    [Time delta from previous displayed frame: 0.000022000 seconds]
+    [Time since reference or first frame: 194.654348000 seconds]
+    Frame Number: 836
+    Frame Length: 634 bytes (5072 bits)
+    Capture Length: 634 bytes (5072 bits)
     [Frame is marked: False]
     [Frame is ignored: False]
     [Protocols in frame [truncated]: =
eth:ethertype:ip:tcp:ssl:pkcs-1:x509sat:x509sat:x509sat:x509sat:x509sat:x=
509sat:x509sat:x509sat:x509sat:x509sat:x509sat:pkcs-1:x509ce:x509ce:x509c=
e:x509ce:x509ce:pkix1implicit:x509ce:x509sat:x509ce:x509sat:x]
<snip/>
 Secure Sockets Layer
-    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake =
Messages
+    TLSv1 Record Layer: Handshake Protocol: Multiple Handshake Messages
         Content Type: Handshake (22)
-        Version: TLS 1.2 (0x0303)
-        Length: 1691
+        Version: TLS 1.0 (0x0301)
+        Length: 3052
         Handshake Protocol: Certificate
             Handshake Type: Certificate (11)
-            Length: 1289
-            Certificates Length: 1286
-            Certificates (1286 bytes)
+            Length: 2652
+            Certificates Length: 2649
+            Certificates (2649 bytes)
                 Certificate Length: 1283
                 Certificate =
(id-at-commonName=3DPYERON.JASON.J.1291147719,id-at-organizationalUnitNam=
e=3DCONTRACTOR,id-at-organizationalUnitName=3DPKI,id-at-organizationalUni=
tName=3DDoD,id-at-organizationName=3DU.S. =
Government,id-at-countryName=3DUS)
                     signedCertificate
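Review bot: the two frames are not like-for-like on protocol version: the Firefox record is TLS 1.2 (0x0303) while the IE record is TLS 1.0 (0x0301), so the Version lines in this hunk are an unrelated difference and should not be read as part of the chain problem; the difference that matters is inside the Certificate handshake message, where Certificates Length grows from 1286 to 2649 while the 1283-byte end-entity Certificate Length is unchanged context. Also, the '<snip/>' marker sits inside the hunk without a diff prefix and the '@@ -1,18 +1,18 @@' header no longer matches the line count, so this is an illustrative excerpt rather than a diff that 'patch' would apply; saying so up front would help readers.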
@@ -250,69 +251,218 @@
                         Algorithm Id: 1.2.840.113549.1.1.5 =
(shaWithRSAEncryption)
                     Padding: 0
                     encrypted: =
94d7842ef98ac9f4a525eef75e01a2d6fc739ca4310504db...
+                Certificate Length: 1360
+                Certificate (id-at-commonName=3DDOD =
CA-32,id-at-organizationalUnitName=3DPKI,id-at-organizationalUnitName=3DD=
oD,id-at-organizationName=3DU.S. Government,id-at-countryName=3DUS)
+                    signedCertificate
+                        version: v3 (2)
+                        serialNumber: 929
+                        signature (shaWithRSAEncryption)
+                            Algorithm Id: 1.2.840.113549.1.1.5 =
(shaWithRSAEncryption)
+                        issuer: rdnSequence (0)
+                            rdnSequence: 5 items =
(id-at-commonName=3DDoD Root CA =
2,id-at-organizationalUnitName=3DPKI,id-at-organizationalUnitName=3DDoD,i=
d-at-organizationName=3DU.S. Government,id-at-countryName=3DUS)
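Review bot: this hunk carries the actual evidence for the claim: the added block is a second, 1360-byte certificate with subject DOD CA-32 and issuer DoD Root CA 2, appended after the end-entity certificate in the IE message. The accounting agrees with the first hunk, since 1360 bytes plus the 3-byte per-certificate length prefix is 1363, which is exactly 2649 minus 1286, so a single extra intermediate explains the whole size difference. The header says the IE side runs to 218 lines but the excerpt stops at the intermediate's issuer, so whether IE also appends the DoD Root CA 2 certificate itself is not visible here and would be worth stating either way.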


Note the inclusion of the DOD CA-32 certificate on IE.

This is from FF 36.0.

If this is a bug, I will file a ticket on Bugzilla, but I am assuming it is a configuration issue, likely PEBKAC.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

Jason
3/2/2015 9:38:20 PM
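One way to check this from a capture rather than by eye, as an added example that is not part of the original post or of Firefox/NSS: a small parser for the TLS Certificate handshake message that reproduces the Length / Certificates Length / Certificate Length figures seen in the dump and flags whether more than one certificate (i.e. any intermediate) was sent. The sample messages are constructed placeholders sized like the real capture, not real certificates.

```python
"""Parse a TLS Certificate handshake message (type 11, RFC 5246 7.4.2) and
report what the client actually sent.  Added example for this thread, not
code from the original post or from Firefox/NSS."""

HANDSHAKE_CERTIFICATE = 11

def _u24(buf: bytes, off: int) -> int:
    """Read the big-endian 24-bit length field at offset off."""
    return int.from_bytes(buf[off:off + 3], "big")

def build_certificate_message(certs: list) -> bytes:
    """Encode DER blobs as: type(1) | length(3) | list length(3) | (len(3) | DER)*."""
    body = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    cert_list = len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_CERTIFICATE]) + len(cert_list).to_bytes(3, "big") + cert_list

def parse_certificate_message(msg: bytes) -> list:
    """Return the DER blobs; raise ValueError on any inconsistent length field."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = _u24(msg, 1)
    if body_len != len(msg) - 4:
        raise ValueError("handshake Length does not match message size")
    list_len = _u24(msg, 4)
    if list_len != body_len - 3:
        raise ValueError("Certificates Length must be handshake Length - 3")
    certs, off, end = [], 7, 7 + list_len
    while off < end:
        if off + 3 > end:
            raise ValueError("truncated certificate length field")
        clen = _u24(msg, off)
        off += 3
        if off + clen > end:
            raise ValueError("certificate runs past the end of the list")
        certs.append(msg[off:off + clen])
        off += clen
    return certs

def chain_summary(msg: bytes) -> dict:
    """The figures a Wireshark dissection shows, plus whether a chain was sent."""
    certs = parse_certificate_message(msg)
    return {
        "handshake_length": len(msg) - 4,
        "certificates_length": len(msg) - 7,
        "certificate_lengths": [len(c) for c in certs],
        "has_intermediates": len(certs) > 1,
    }

# Constructed placeholders sized like the capture above (1283-byte end-entity
# certificate, 1360-byte DOD CA-32 intermediate); not real DER certificates.
FIREFOX_LIKE = build_certificate_message([b"\x30" + b"\x00" * 1282])
IE_LIKE = build_certificate_message([b"\x30" + b"\x00" * 1282, b"\x30" + b"\x00" * 1359])
```

Feeding the raw Certificate message from a capture to chain_summary gives the same 1289/1286 and 2652/2649 figures as the dump above, and has_intermediates is the one-bit answer to the question in this thread.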



In <news:mailman.269.1425340319.4168.support-firefox@lists.mozilla.org>,
"Jason Pyeron" <jpyeron@pdinc.us> wrote:

> I was trying to figure why some of the uses were not having a chain
> sent to the server for their client certificate, and it turns out
> Firefox does not send (by default?) the chaining certs.
> 
> After reviewing https://wiki.mozilla.org/PSM:CertPrompt , it seems
> Firefox will 'validate' that the client cert can be chained, before
> allowing the user to select it.

Maybe there's someone here who can help, but if not, I'd take it to the
dev-tech-crypto list,
<https://lists.mozilla.org/listinfo/dev-tech-crypto>.
UTF
3/3/2015 4:43:01 AM
> -----Original Message-----
> From: >Q<
> Sent: Monday, March 02, 2015 23:43
> 
> In <news:mailman.269.1425340319.4168.support-firefox@lists.mozilla.org>, "Jason Pyeron" wrote:
> 
> > I was trying to figure why some of the uses were not having a chain
> > sent to the server for their client certificate, and it turns out
> > Firefox does not send (by default?) the chaining certs.
> > 
> > After reviewing https://wiki.mozilla.org/PSM:CertPrompt , it seems
> > Firefox will 'validate' that the client cert can be chained, before
> > allowing the user to select it.
> 
> Maybe there's someone here who can help, but if not, I'd take
> it to the dev-tech-crypto list, <https://lists.mozilla.org/listinfo/dev-tech-crypto>.

Thanks, moved to that list. https://groups.google.com/d/msg/mozilla.dev.tech.crypto/G60pUhIOBxU/s8ddp_U7csgJ


Jason
3/3/2015 2:01:00 PM

