
I'm having trouble determining why Firefox is not applying client certificate authentication in a particular situation.

I have a self-signed client certificate issued for a specific site (nginx mutual TLS) that works when accessing the site using Chrome and when testing with curl, and the same certificate in .p12 format is imported in Firefox Certificate Manager / Your Certificates; however, Firefox simply gets refused authentication by the site as it does not send the certificate, does not prompt for anything, does not show any errors and does not show any log or comments about the process, at least not where I could find - for example, the Firefox Network tab Security section shows information about the Let's Encrypt server certificate, but nothing about the client certificate request.

Is there some reasonable way to debug the client certificate authentication process in Firefox to review what is happening during the TLS handshake and analyse the problem? The preferences section in Firefox does not seem to have any relevant options other than the certificate manager.

Peteris
  • Could you add the nginx virtualhost configuration? Is "ssl_verify_client on;" active? Firefox will not send anything if the certificate is not requested by the server. Look at the console in Firefox too (F12): you may see some errors – Dom Mar 23 '21 at 20:56
  • @Dom sadly I don't have access to that server config at the moment; however, the curl test succeeds iff the cert is supplied and the verbose output of curl includes `TLSv1.2 (IN), TLS handshake, Request CERT (13):` at the initial server response so I presume the certificate does get requested by the server. The Firefox console just shows the 403 responses for the site and its favicon. – Peteris Mar 23 '21 at 21:51

0 Answers