Pomoc přepytać

Hladajće so wobšudstwa pomocy. Njenamołwimy was ženje, telefonowe čisło zawołać, SMS pósłać abo wosobinske informacije přeradźić. Prošu zdźělće podhladnu aktiwitu z pomocu nastajenja „Znjewužiwanje zdźělić“.

Dalše informacije

pkcs11 certificate only accessible when open certmanager

  • 2 wotmołwje
  • 2 matej tutón problem
  • 3 napohlady
  • Poslednja wotmołwa wot tbaehler

more options

I've added a pkcs11 library. And try to access a https site with client authentication.

If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails.

If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.

I've added a pkcs11 library. And try to access a https site with client authentication. If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails. If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.

Wšě wotmołwy (2)

more options

HI tbaehler, I am not sure if you are affected by this but there is an update to SHA-1 type of certificates in the recent update to 32.0.3 https://blog.mozilla.org/security/

However in regards to the smard card when you enter your pin and not being able to select a certificate I would recommend checking out https://developer.mozilla.org/en-US/d.../Module_Installation

Do you have the certificate in the Devices section of the cert manager?

more options

Thanks for your answer.

I don't think it is a configuration problem.

Again if i click on view certificates I see my certificate and can do a two way ssl authentication as desired. so everythink works.

But if i don't click on view certificate on firefox startup I am not able to select my certificyate. firefox just ask for the pin and then fails with (Error code: ssl_error_handshake_failure_alert) It's as if firefox does not update its internal certificate store. (or it just updates it when clicking on view certificate).


There is another bug too, but I was able to solve that. There is a problem in the nss library when trying to authenticate with tls1.2. with tls 1.2 firefox tells me that the key is invalid. by analysing that problem I found out, that nss sets keytype to nullkey. so I corrected that by just modifying lib/ssl3con.c (nss)

if (isTLS12) {
   //rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
   rv = ssl3_TLSSignatureAlgorithmForKeyType(rsaKey,
                          &sigAndHash.sigAlg);

so I set the type to rsaKey directy. With that change I can authenticat and everything works. exept that I have to click on view certificate after firefox starts up. Maybe there is another but in nss somewhere.