Steps to reproduce
Given two servers:
1. Server1 (e.g. a website server), protected by TLS, which does not use TLS client certificate authentication.
2. Server2 (e.g. an authentication server), protected by TLS with client certificate authentication enabled.
And a web browser, tested with IE11 (11.0.37).
The login page for a website hosted on server1 uses script behind a button action (i.e. a login button) to make a TLS client-auth HTTP connection to server2.
IE11 sends the Client Hello, and the server replies with Server Hello, Certificate, Certificate Request and Server Hello Done. After the browser receives these server messages, the script aborts with SCRIPT7002, error 0x2ee4.
The TLS connection completes if server2 does not prompt for a client certificate (i.e. the typical CORS case).
IE will properly prompt for and send the client certificate if server2's site is typed into the navigation bar.
What is interesting to note is that the configuration above works if server1 and server2 are part of the same URL domain (i.e. the PKI authentication is tied to a location directive within a web server configuration rather than a separate site entirely). In those cases, TLS client cert auth takes place as a secure renegotiation, not as a separate SSL session.
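As an added example (not code from the report or from Microsoft), the login-button script on server1 below distinguishes the case the report describes, where the script-driven request to server2 is aborted before any HTTP response arrives (SCRIPT7002 with status 0), from an ordinary HTTP failure, and falls back to the top-level navigation that the report says does prompt for the certificate. The endpoint URL, the `return` query parameter and the injected `createXhr`/`navigate` hooks are assumptions made so the logic can run outside a browser.

```javascript
// Build the top-level navigation URL for server2, carrying the page to return to.
// The "return" parameter name is an assumption, not something server2 defines.
function buildFallbackUrl(authUrl, returnTo) {
  const sep = authUrl.indexOf("?") === -1 ? "?" : "&";
  return authUrl + sep + "return=" + encodeURIComponent(returnTo);
}

// A handshake aborted by the browser surfaces as status 0 with no response body.
// Any real HTTP status (even 401/403) means the TLS connection itself completed.
function isTransportFailure(xhr) {
  return xhr.status === 0;
}

// Try the script-driven, credentialed cross-origin request first; on a transport
// failure hand the user to server2 directly, which prompts for the client cert.
// createXhr/navigate/onResult are injected so the flow is testable without a DOM.
function startClientCertLogin(opts) {
  const { authUrl, returnTo, createXhr, navigate, onResult } = opts;
  const xhr = createXhr();
  xhr.open("GET", authUrl, true);
  xhr.withCredentials = true; // cross-origin request that must carry credentials
  xhr.onload = function () {
    onResult({ ok: xhr.status >= 200 && xhr.status < 300, status: xhr.status, fallback: false });
  };
  xhr.onerror = function () {
    if (isTransportFailure(xhr)) {
      navigate(buildFallbackUrl(authUrl, returnTo));
      onResult({ ok: false, status: 0, fallback: true });
    } else {
      onResult({ ok: false, status: xhr.status, fallback: false });
    }
  };
  xhr.send();
  return xhr;
}

// Browser wiring (assumed element id "login"); skipped when there is no DOM.
if (typeof document !== "undefined" && document.getElementById("login")) {
  document.getElementById("login").addEventListener("click", function () {
    startClientCertLogin({
      authUrl: "https://server2.example/login",         // assumed endpoint
      returnTo: window.location.href,
      createXhr: function () { return new XMLHttpRequest(); },
      navigate: function (url) { window.location.assign(url); },
      onResult: function (r) { console.log("login result", r); }
    });
  });
}
```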
Comments and activity
This is similar to https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/1282036/, but the expected result of that mixes the TLS and HTTP actions.
- Microsoft Edge Team
Changed Assigned To to “Brad E.”
Changed Assigned To to “Venkat K.”
Changed Assigned To to “Saty B.”
Changed Status to “Won’t fix”