搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

pkcs11 certificate only accessible when open certmanager

  • 2 回覆
  • 2 有這個問題
  • 3 次檢視
  • 最近回覆由 tbaehler

more options

I've added a pkcs11 library. And try to access a https site with client authentication.

If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails.

If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.

I've added a pkcs11 library. And try to access a https site with client authentication. If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails. If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.

所有回覆 (2)

more options

HI tbaehler, I am not sure if you are affected by this but there is an update to SHA-1 type of certificates in the recent update to 32.0.3 https://blog.mozilla.org/security/

However in regards to the smard card when you enter your pin and not being able to select a certificate I would recommend checking out https://developer.mozilla.org/en-US/d.../Module_Installation

Do you have the certificate in the Devices section of the cert manager?

more options

Thanks for your answer.

I don't think it is a configuration problem.

Again if i click on view certificates I see my certificate and can do a two way ssl authentication as desired. so everythink works.

But if i don't click on view certificate on firefox startup I am not able to select my certificyate. firefox just ask for the pin and then fails with (Error code: ssl_error_handshake_failure_alert) It's as if firefox does not update its internal certificate store. (or it just updates it when clicking on view certificate).


There is another bug too, but I was able to solve that. There is a problem in the nss library when trying to authenticate with tls1.2. with tls 1.2 firefox tells me that the key is invalid. by analysing that problem I found out, that nss sets keytype to nullkey. so I corrected that by just modifying lib/ssl3con.c (nss)

if (isTLS12) {
   //rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
   rv = ssl3_TLSSignatureAlgorithmForKeyType(rsaKey,
                          &sigAndHash.sigAlg);

so I set the type to rsaKey directy. With that change I can authenticat and everything works. exept that I have to click on view certificate after firefox starts up. Maybe there is another but in nss somewhere.