desktop icon indicating copy to clipboard operation
desktop copied to clipboard
Published 12 hours ago verified publisher icon zen-browser

Authentication on sites via a certificate (such as a Smart Card) broken on macOS since 1.10b

Open chopstix2594 opened this issue 9 months ago • 15 comments

Captchas

  • [x] I have read the instructions.
  • [x] I have searched existing issues and avoided creating duplicates.
  • [x] I am not filing an enhancement request.
  • [x] I have checked that this issue cannot be reproduced on Mozilla Firefox.
  • [x] I have checked that this issue can be reproduced once I removed all my Mods and Custom CSS.

What happened?

Smart Card authentication seems to have stopped working in 1.10b, and remains nonfunctional in 1.10.3.b. Reverting to 1.9.1b fixed the issue, and it also functions properly on Firefox 136.0.4.

The following message is displayed, when in previous versions or Firefox the prompt for the Smart Card PIN would appear:

Secure Connection Failed

An error occurred during a connection to . SSL peer was unable to negotiate an acceptable set of security parameters.

Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

Learn more…

Version

1.10.3b

What platform are you seeing the problem on?

macOS - aarch64

What component is this issue related to?

Security

Relevant log output if applicable

chopstix2594 avatar Mar 31 '25 16:03 chopstix2594

Hi there! I’m experiencing what appears to be the same issue, but on Linux (Fedora Workstation 41) using the Flatpak version. I’m trying to use a YubiKey 5 NFC configured with a digital certificate (Spanish government-issued .p12, imported via OpenSC into the PIV slot). The PKCS#11 module (opensc-pkcs11.so) is correctly loaded and visible in the browser via: Settings → Privacy & Security → Security Devices.

The module shows up fine, but the “Log In” button is always greyed out, making it impossible to authenticate or view the certificate.

The .so file is fully accessible inside the Flatpak sandbox (~/.pkcs11/opensc-pkcs11.so) and Flatpak has full permissions (flatpak override app.zen_browser.zen --device=all --filesystem=$HOME/.pkcs11:ro --talk-name=org.freedesktop.pcsc-lite). pcscd is running and correctly detects the YubiKey (using opensc-tool -l for example), and the same PKCS#11 setup works perfectly in Firefox. This strongly suggests the problem lies in how Zen Browser handles the PKCS#11 login process (either a regression or missing some NSS support).

If helpful, I can share my profile config, modutil outputs or any specific logs you guys need. Thanks in advance, and let me know if I can help with any debugging.

CarlosML27 avatar Apr 09 '25 14:04 CarlosML27

I am seeing this too on 1.12.1b (Firefox 138.0.1) (aarch64). Bummer too, because needed for work

steve28 avatar May 05 '25 19:05 steve28

Hi, @chopstix2594. I'm Dosu, and I'm helping the desktop team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • The issue involves Smart Card authentication problems on macOS since version 1.10b, persisting through 1.10.3b.
  • Users encounter an "SSL_ERROR_HANDSHAKE_FAILURE_ALERT" instead of the Smart Card PIN prompt.
  • CarlosML27 reports a similar issue on Linux (Fedora Workstation 41) with a YubiKey 5 NFC, where the "Log In" button is inactive.
  • Steve28 confirms the issue on version 1.12.1b, indicating a broader impact across systems and versions.

Next Steps:

  • Please let me know if this issue is still relevant to the latest version of the desktop repository by commenting on this issue.
  • If there is no further activity, this issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!

dosubot[bot] avatar Jun 05 '25 16:06 dosubot[bot]

This issue is still relevant and 1.12.10b is affected

I've tested it with Nexus Smart ID, either with a physical and virtual Smart Card.

Physical:

  • Card reader: Gemalto USB SmartCard Reader
  • Smart card: CardOS V5.3

Virtual:

  • basically certificates, but the Smart ID App exposes them as a Smart Card to the system

shokinn avatar Jun 11 '25 05:06 shokinn

Hi, @chopstix2594. I'm Dosu, and I'm helping the desktop team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • The issue involves Smart Card authentication failures on macOS starting from version 1.10b.
  • Similar problems have been reported on Linux and other versions by @CarlosML27 and @steve28.
  • @shokinn confirmed the issue persists in version 1.12.10b, affecting both physical and virtual Smart Cards.
  • The issue remains unresolved and has been marked as stale for further confirmation.

Next Steps:

  • Please confirm if this issue is still relevant to the latest version of the desktop repository by commenting here.
  • If no further updates are provided, the issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!

dosubot[bot] avatar Jul 12 '25 16:07 dosubot[bot]

The issue still persists in 1.14.5b.

shokinn avatar Jul 16 '25 06:07 shokinn

Hi, @chopstix2594. I'm Dosu, and I'm helping the desktop team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You reported that Smart Card authentication on macOS (aarch64) stopped working starting with version 1.10b and continues to fail through 1.14.5b with an "SSL_ERROR_HANDSHAKE_FAILURE_ALERT."
  • Other users on different platforms (Linux Flatpak, aarch64) have confirmed similar authentication failures, suggesting a broader cross-platform issue.
  • Attempts to gather additional information and confirmations have been made, but the root cause remains unresolved.
  • The issue has been inactive recently and I previously marked it stale.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of the desktop repository by commenting here to keep the discussion open.
  • If I do not hear back within 7 days, I will automatically close this issue.

Thank you for your understanding and contribution!

dosubot[bot] avatar Aug 16 '25 16:08 dosubot[bot]

1.14.11b — issue is present

evevseev avatar Aug 17 '25 20:08 evevseev

I am currently experiencing this issue on MacOS with version 1.15t, but not Windows with 1.15t.

Surrylic avatar Aug 18 '25 15:08 Surrylic

I currently am experiencing this issue on Fedora 42, Zen Version 1.15.5b.

samwick07 avatar Sep 09 '25 16:09 samwick07

I can also confirm that I'm running into this issue on Fedora Workstation 42, Zen version 1.15.5b, with the Flatpak package. I'm using a Yubikey Security Key C NFC.

kmandarin-orange avatar Sep 10 '25 17:09 kmandarin-orange

Can confirm I’m running into this issue with version 1.15.5b flatpak and AppImage versions on Ubuntu 24.04, Project Bluefin, Bazzite, and RHEL 9.6. I’m using a smart card.

mfx00 avatar Sep 15 '25 01:09 mfx00

1.16.4b — no change.

Interestingly, when I build the application locally by following the steps in the contribution guide, it works as expected.

evevseev avatar Oct 15 '25 17:10 evevseev

Weird - I see the same thing. When building the application myself the smart card authentication works properly.

Surrylic avatar Oct 16 '25 16:10 Surrylic