
pkcs11 certificate only accessible when open certmanager

  • 2 replies
  • 2 have this problem
  • 13 views
  • Last reply by tbaehler


I've added a pkcs11 library and am trying to access an https site with client authentication.

If I open Firefox and directly open the https site, I have to enter the PIN for my smartcard. But I cannot choose a certificate and the authentication fails.

If I open Firefox and first go to "view certificates" in the settings section, I can see my personal certificate after entering the PIN for my smartcard. If I then open the https site, I can choose my certificate and the authentication works.


All Replies (2)


Hi tbaehler, I am not sure if you are affected by this, but there is an update to SHA-1 type of certificates in the recent update to 32.0.3: https://blog.mozilla.org/security/

However, in regards to the smart card, when you enter your PIN and are not able to select a certificate, I would recommend checking out https://developer.mozilla.org/en-US/d.../Module_Installation

Do you have the certificate in the Devices section of the cert manager?


Thanks for your answer.

I don't think it is a configuration problem.

Again, if I click on view certificates I see my certificate and can do a two-way SSL authentication as desired, so everything works.

But if I don't click on view certificate on Firefox startup, I am not able to select my certificate. Firefox just asks for the PIN and then fails with (Error code: ssl_error_handshake_failure_alert). It's as if Firefox does not update its internal certificate store (or it just updates it when clicking on view certificate).

There is another bug too, but I was able to solve that. There is a problem in the NSS library when trying to authenticate with TLS 1.2. With TLS 1.2, Firefox tells me that the key is invalid. By analysing that problem I found out that NSS sets keytype to nullkey. So I corrected that by just modifying lib/ssl3con.c (nss)

if (isTLS12) {
   //rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
   rv = ssl3_TLSSignatureAlgorithmForKeyType(rsaKey,
                          &sigAndHash.sigAlg);

So I set the type to rsaKey directly. With that change I can authenticate and everything works, except that I have to click on view certificate after Firefox starts up. Maybe there is another bug in NSS somewhere.
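The key-type problem described in the last reply, as an added example that is not part of the thread and is not NSS source: a simplified stand-alone model of mapping a key type to a TLS 1.2 signature algorithm. It compares the hard-coded rsaKey workaround with a fallback to the key type of the client certificate. Only `nullKey` and `rsaKey` come from the post; `dsaKey`, `ecKey`, the function names and the fallback approach are assumptions.

```c
#include <stdio.h>

/* Simplified model, not NSS source. nullKey and rsaKey are the names used in
 * the post; dsaKey, ecKey and every function name here are assumptions. */
typedef enum { nullKey = 0, rsaKey, dsaKey, ecKey } KeyType;

/* TLS 1.2 SignatureAlgorithm code points (RFC 5246, section 7.4.1.4.1). */
enum { SIG_RSA = 1, SIG_DSA = 2, SIG_ECDSA = 3 };

/* Key type -> signature algorithm; -1 models the "key is invalid" failure. */
int sig_alg_for_key_type(KeyType kt)
{
    switch (kt) {
    case rsaKey: return SIG_RSA;
    case dsaKey: return SIG_DSA;
    case ecKey:  return SIG_ECDSA;
    default:     return -1; /* nullKey or anything unknown */
    }
}

/* The workaround from the post: ignore the reported type, always use rsaKey. */
int sig_alg_hardcoded_rsa(KeyType reported)
{
    (void)reported;
    return sig_alg_for_key_type(rsaKey);
}

/* Assumed alternative: when the token key handle reports nullKey, fall back
 * to the key type of the client certificate's public key. */
int sig_alg_cert_fallback(KeyType reported, KeyType cert_key)
{
    return sig_alg_for_key_type(reported != nullKey ? reported : cert_key);
}

int main(void)
{
    /* Constructed cases: the token reports nullKey for both certificates. */
    printf("unpatched, nullKey:      %d\n", sig_alg_for_key_type(nullKey));
    printf("hard-coded, RSA cert:    %d\n", sig_alg_hardcoded_rsa(nullKey));
    printf("hard-coded, EC cert:     %d\n", sig_alg_hardcoded_rsa(nullKey));
    printf("cert fallback, RSA cert: %d\n", sig_alg_cert_fallback(nullKey, rsaKey));
    printf("cert fallback, EC cert:  %d\n", sig_alg_cert_fallback(nullKey, ecKey));
    return 0;
}
```

In this model the hard-coded type announces RSA even for an EC client certificate, so the workaround only suits tokens that hold RSA keys.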