javascript - Cross-domain SSL handshake failure in Firefox using xhr, client-certificate - Stack Overflow

The setup is as follows:

  • Firefox (both 3.x and 4b) with properly set up and working certificates, including a client certificate.
  • Web page with an XMLHttpRequest() type of AJAX call to a different subdomain.
  • Custom web server in said subdomain accepting requests, responding with a permissive Access-Control-Allow-Origin header and requiring client verification.

The problem is that Firefox aborts the request (well, that's what it says in firebug anyway) abruptly. Running the setup with openssl s_server instead hints that Firefox actually doesn't even send the client certificate:

140727260153512:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer
did not return a certificate:s3_srvr.c:2965:ACCEPT

The same exact setup works perfectly with Chrome, suggesting perhaps a bug in Firefox. However, performing the ajax call with a <script> element injected into the DOM seems to work as intended...

So, has anyone else run into this? Is it a bug? Any workarounds? Is there something obvious missing?

asked Nov 24, 2010 at 13:40 by nnevala, edited Mar 16, 2011 at 11:23

  • A workaround could be to use the opensource Forge project: github.com/digitalbazaar/forge/blob/master/README – dlongley Commented Nov 30, 2010 at 21:26
  • Cheers for input. Forge seems pretty neat project, but since it requires Flash it is not applicable here. – nnevala Commented Dec 1, 2010 at 12:12
  • As an update, I found this Mozilla article and tried the scenario with a "preflighted" request. Which also fails in a similar fashion. – nnevala Commented Dec 8, 2010 at 13:08

2 Answers


Chiming in 5 years later probably isn't much help to the OP, but in case someone else has this issue in the future...

Firefox appears to not send the client certificate with a cross-origin XHR request by default. Setting withCredentials=true on the XHR instance resolved the issue for me. Note that I also did not see this problem with Chrome--only Firefox.

For more info see this Mozilla Dev Network blog post. In particular, the following statement:

By default, in cross-site XMLHttpRequest invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object when it is invoked.

The reason injecting the script works as opposed to a simple XHR request is because of the Single Origin Policy. This would probably explain why Chrome allows the XHR but not FF; Chrome considers the subdomain part of the same origin, but FF does not.

Injecting scripts from other domains (which is what Google Analytics does) is allowed and one of the practices to handle this situation.

The way my team handles this situation is by making a request through a server-side proxy.

I would recommend using a server-side proxy if you can, but the script injection method works fine as long as the code is coming from a trusted source.

I also found this article which describes your situation.
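
The `withCredentials` fix from the first answer, shown as an added example (not code from the question or either answer) together with the response headers the server must then send: once credentials such as a TLS client certificate are included, browsers reject a wildcard `Access-Control-Allow-Origin`. The origins, the allowlist and all function names are constructed for illustration.

```javascript
// Client side: opt in to sending credentials (cookies, HTTP auth, TLS client
// certificates) on a cross-origin XHR. XHRImpl is injectable so the function
// can also be exercised outside a browser (assumption made for this example).
function credentialedGet(url, XHRImpl = globalThis.XMLHttpRequest) {
  const xhr = new XHRImpl();
  xhr.open("GET", url, true);
  xhr.withCredentials = true; // set after open() and before send()
  xhr.send();
  return xhr;
}

// Server side: origins allowed to make credentialed requests (constructed values).
const ALLOWED_ORIGINS = new Set(["https://www.example.test"]);

// Headers a credentialed CORS response needs. Unknown origins get no CORS
// headers at all, so the browser refuses to expose the response to the page.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (!allowed.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin, // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not reuse one origin's response for another
  };
}

// Simplified model of the browser's CORS check on the response, showing why a
// permissive "*" stops working as soon as withCredentials is true.
function corsCheckPasses(headers, requestOrigin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (!withCredentials) return acao === "*" || acao === requestOrigin;
  return acao === requestOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}
```
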
