PSM:CertPrompt
Trying to handle automatic certificate selection is difficult. Currently both IE and PSM products have fairly noticeable corner cases. This page is meant to document how PSM currently behaves and what kinds of problems that behavior generates in deployments.
Current Interactions
IE Current Usage
After restarting IE, it will always prompt for a certificate, even if no certificate is valid. ?IE lists all the user certificates without regard to the certificate list presented to it?. Once IE has a cert selected for the site (or the user has selected no certificate for the site), IE will always use that certificate (or lack of certificate) for that site. The only way to change that is to use the button to clear IE's SSL cert cache. IE will prompt the user even if there is no valid certificate available.
PSM Current Usage
PSM has two modes of certificate selection: 1) ask every time, 2) select automatically.
SSL sends a list of CA certificates that are acceptable for Client Authentication. Most HTTP servers build this list automatically whenever that server has CA Certificates which are configured to validate user certificates.
If select automatically is set, PSM will find all the unexpired user certificates, and filter out those certificates which do not chain to one of the certs in the CA list. The first cert in the list for which the user has a valid private key is selected. If no certs survive the filtering, no certificate is sent.
If 'ask every time' is set, PSM will find all the user certs (expired and unexpired), and filter that list for certs that chain to the CA list. If no certs are found, then no certificate is sent and the user is not prompted. If any certificates are found (even just one), the user is prompted to select a certificate. The user has the option of selecting no certificate, in which case no certificate is sent.
Note that PSM goes through this every time a full SSL handshake in which the server requests or requires client auth takes place.
Server Action When No Certificate Is Sent
If the requested certificate is not present, and the server did an SSL 'require certificate', the connection will fail. If the requested certificate is not present and the server did a 'request but not require certificate', the SSL connection will complete and the server's CGIs will be presented with an empty certificate.
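The two PSM selection modes described above, together with the server's reaction to an empty certificate, are small enough to model directly. The following is an added example, not PSM's own code: certificates are simplified to a subject, an issuer, an expiry and a private-key flag, the server's CA list is a list of distinguished names, and "chains to the CA list" is modelled by walking issuer names through a local CA store (a constructed dictionary mapping each CA's subject to its issuer). The sample certificates and names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


# Constructed model of a certificate as the selection logic sees it
# (an assumption for this example, not PSM's real data structures).
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    has_private_key: bool = True


def chains_to_ca_list(cert: Cert, ca_names: List[str],
                      ca_store: Dict[str, str], max_depth: int = 8) -> bool:
    """Walk the issuer chain through the local CA store and report whether it
    reaches one of the names the server sent in its CertificateRequest.
    ca_store maps a CA's subject name to its issuer (a root maps to itself)."""
    name = cert.issuer
    for _ in range(max_depth):
        if name in ca_names:
            return True
        if name not in ca_store:
            return False          # unknown issuer: no chain can be built
        name = ca_store[name]
    return False                  # chain too long, or looped without a hit


def select_automatically(user_certs: List[Cert], ca_names: List[str],
                         ca_store: Dict[str, str], now: datetime) -> Optional[Cert]:
    """'Select automatically': unexpired certs that chain to the server's CA list;
    the first one with a usable private key wins, otherwise nothing is sent."""
    for cert in user_certs:
        if cert.not_after <= now:                       # expired: never considered
            continue
        if not chains_to_ca_list(cert, ca_names, ca_store):
            continue
        if cert.has_private_key:
            return cert
    return None


def ask_every_time_candidates(user_certs: List[Cert], ca_names: List[str],
                              ca_store: Dict[str, str], now: datetime
                              ) -> List[Tuple[Cert, bool]]:
    """'Ask every time': every user cert (expired or not) that chains to the CA
    list, unexpired ones first and expired ones at the end flagged True.
    An empty result means no prompt is shown and no certificate is sent."""
    matching = [c for c in user_certs
                if c.has_private_key and chains_to_ca_list(c, ca_names, ca_store)]
    unexpired = [(c, False) for c in matching if c.not_after > now]
    expired = [(c, True) for c in matching if c.not_after <= now]
    return unexpired + expired


def server_outcome(cert_sent: Optional[Cert], mode: str) -> str:
    """What the handshake does once the client has decided what to send.
    mode is 'require' or 'request' (request but not require)."""
    if cert_sent is not None:
        return "connection completes, certificate presented"
    if mode == "require":
        return "handshake fails"
    if mode == "request":
        return "connection completes, empty certificate"
    raise ValueError(f"unknown client-auth mode: {mode}")


# Constructed sample data (not from any real deployment).
NOW = datetime(2006, 1, 1, tzinfo=timezone.utc)
LOCAL_CA_STORE = {
    "CN=Example Root CA": "CN=Example Root CA",    # self-signed root
    "CN=Example Users CA": "CN=Example Root CA",   # intermediate under that root
    "CN=Other CA": "CN=Other CA",                  # unrelated self-signed root
}
SERVER_CA_LIST = ["CN=Example Root CA"]            # names the server advertises
OLD = Cert("CN=alice", "CN=Example Users CA", datetime(2005, 6, 1, tzinfo=timezone.utc))
OTHER = Cert("CN=alice", "CN=Other CA", datetime(2007, 1, 1, tzinfo=timezone.utc))
NO_KEY = Cert("CN=bob", "CN=Example Users CA", datetime(2007, 1, 1, tzinfo=timezone.utc),
              has_private_key=False)
RENEWED = Cert("CN=alice", "CN=Example Users CA", datetime(2007, 1, 1, tzinfo=timezone.utc))
USER_CERTS = [OLD, OTHER, NO_KEY, RENEWED]          # the renewal-overlap scenario

if __name__ == "__main__":
    auto = select_automatically(USER_CERTS, SERVER_CA_LIST, LOCAL_CA_STORE, NOW)
    print("select automatically ->", auto.subject if auto else None)
    for cert, expired in ask_every_time_candidates(USER_CERTS, SERVER_CA_LIST, LOCAL_CA_STORE, NOW):
        print("ask every time lists:", cert.subject, "(expired)" if expired else "")
    print("no cert, require:", server_outcome(None, "require"))
    print("no cert, request:", server_outcome(None, "request"))
```

With the sample store, the expired and the renewed certificate both chain to the advertised root, the "Other CA" certificate never does, and the keyless one is skipped by the automatic path; the ask-every-time list therefore shows the renewed cert first and the expired one last, which is the ordering the 'Client has expired certificate' scenario below describes.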
Client Authentication Scenarios
Basic Client Authentication: The client has exactly one certificate installed and it matches the CA list sent to the client.
This is the base scenario that all the software has been designed for initially. Currently in PSM, 'select automatically' will present the one valid certificate to the server automatically. 'Ask every time' will present a dialog with the single certificate when you first connect. The user may refuse to use the cert (in which case no cert is sent). Future connections will only prompt if the ssl session id is cleared (either in the server or in the client). In IE the user will be prompted to supply the single valid certificate. The user may refuse the cert, in which case no cert is sent. IE will always use that certificate to authenticate, even if the ssl session id is cleared, until the user closes IE or hits the 'Clear SSL Cache' button.
Client Authentication with no Certificate: The client has no client auth certificates.
This is the 'common' case of a user trying to go to a site that uses client authentication. In the current PSM case, both 'select automatically' and 'Ask every time' will present no certificate and no prompt will be displayed to the user. If the server required client authentication, a connection error will be presented. If the server only requested client auth, the SSL connection completes and the server can present either an appropriate error, or request some sort of alternate authentication. PSM will not check for the existence of a new certificate unless the ssl session id is cleared. IE will always present an empty dialog. Once the user clicks 'cancel', IE will always present no certificate to the server, even if a new certificate appears and the server clears the ssl session id.
SmartCard Client Authentication: The same as basic authentication except the one certificate lives in a smartCard that can be removed.
If the smartCard is present, any initial connection will operate just like "Basic Client Authentication" above. If the smartCard is removed, then PSM will clear the ssl session id, so future ssl connections will operate as if the smartCard is not present. In addition PSM can send a smartcard removal event to the webpage, which can be handled in javascript to reload the page. This allows automatic logout semantics. For IE, smartCard removal will not trigger any clearing of the ssl session id, or change IE's cached notion of what certificate to use. The former has the effect of keeping the user logged in even if the card has been removed. Only clicking on the 'Clear SSL cache' button clears IE's session id and its idea of what cert to use to authenticate. If the server clears the session id, and the smartCard has been removed, IE will prompt for the smartCard to be reinserted.
If the smartCard is not present, the initial connection will operate just like "Client Authentication with no Certificate" above. If the smartCard is later inserted, PSM can send a smartCard insertion event to the web page. In this case the server will have to clear the ssl session id, as PSM does not yet provide a way to do it. If the ssl session id is cleared and the page redrawn, PSM will operate again like "Basic Client Authentication". In the IE case, a later smartCard insertion will not trigger any new redraw, nor will IE reprompt the user if the ssl session id is cleared. The user will have to manually click the 'Clear SSL cache' button and manually reload the page.
More than one certificate, only one is valid: The client has more than one certificate, but only one matches the CA list.
PSM treats this exactly the same as one certificate. Only the matching certificate is placed in any prompts. In IE all certificates are placed in the initial prompt and the user has to figure out which certificate is valid.
SmartCard Authentication with multiple certs, only one valid: The client has more than one certificate, the one valid certificate lives on the smartCard.
In PSM, this is exactly like the "SmartCard Client Authentication" case.*
In IE, if the smartCard is not inserted, the user is presented with the list of certificates which do not match the CA list sent by the server. The user can select from the list, or select none of the certs. IE remembers this choice even after the smartCard is inserted. The user will have to click the 'Clear SSL Cache' button to be able to authenticate with the smartCard.
* This needs to be verified. A code review of PSM seems to indicate this is the case, but there have been some reports that if 'ask every time' is set, very different things happen.
More than one certificate is valid: The client has multiple certificates that are valid (matches the CA list).
This can happen either because the user has overlapping valid certificates (the user has renewed a certificate before it has actually expired), or the user has multiple certificates associated with different roles on the server.
In this case if 'Select automatically' is set in PSM, PSM will select the 'most appropriate certificate'. In the case where different roles may be associated with the different certificates, PSM may or may not pick the correct certificate (as it has no information about what role the user wishes to use). If 'Ask Every time' is set, PSM will present a dialog with all the certs which match the CA list, including expired certs.
IE treats this case the same as "More than one certificate, only one is valid".
Client has expired certificate: The client has certificates which are expired, but match the CA.
This scenario typically happens either 1) if the user lets his certificate lapse, or 2) in the renewal case. In PSM only unexpired certificates that match the CA are used in the 'Select automatically' case. If there are no unexpired certificates, PSM sends no certificate. In the 'Ask every time' case expired certificates are listed at the end and marked expired. IE lists all certificates, expired or not.
Multiple certificates, none match: The client has multiple certificates, but none match the server list. This can be because 1) the client has never been registered with the server and cannot authenticate to it, or 2) the server does not include a complete list of CAs in its CA list, or the CA list is incorrectly configured.
PSM treats this the same as "Client Authentication with no Certificate".
Since IE does not filter the CA list, IE treats this case the same as "More than one certificate, only one is valid".
Additional complications
The interaction between clients and servers with failed SSL connections is currently poor in both IE and pre-Firefox 1.5 (Firefox 1.5 needs additional testing here). In addition, it is very difficult to set up any SSL server such that it does not create failed SSL connections when doing client auth.
When the SSL connection fails, there is no communication channel between the client and the server. Sometimes clients will get an error code, or an SSL alert, but most often they just quit loading the page, giving the user no information about the failure. Because there is no connection, the normal server methods of redirecting the user to an error page do not work.
The SSL connection can fail in the client authentication case for the following reasons:
- The client sent no certificate in the case where the server issued a 'Require client auth' connection.
- The client sent a certificate that the server thinks is expired (either because the certificate is expired, or the server's clock is set incorrectly).
- The client sent a certificate that does not chain to any of the CAs trusted for client authentication.
- The client certificate cannot validate for other reasons (missing extensions, key usages, policy, signature is bad, etc).
Fortunately, if the server is talking to existing Firefox clients, and the server is configured correctly (with the correct time), and the server is configured to 'Request not require' client auth, then SSL connection failures become fairly rare, and only occur if 1) the client cert has been corrupted, or 2) the client cert is expired and the user's clock is set incorrectly. While these cases are rare, they should still fail in a graceful way that gives the user a hint at what the problem might be.
Apache has an option to override client certificate verification to help debug setting up client auth connections, but it does not have an option to validate the certificate and redirect if the certificate validation fails.
It's clear there needs to be some server UI work to make configuring client authentication for the server side much easier.