X
Tippen Sie hierhin, um die Version dieser Website für Mobilgeräte aufzurufen.
Scheduled maintenance: Thursday, April 2, between 3pm and 5pm UTC. This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn’t solve your issue and you want to ask a question, we have our support community waiting to help you at @firefox on Twitter

Hilfeforum

client certificate on smartcard leads to SEC_ERROR_LIBRARY_FAILURE

Veröffentlicht

SSL client certificates do not work on Firefox 74.0 64-bit (Windows 10) and smartcards as expected. The smartcard gets accessed via PKCS #11 library.

When the client certificate is placed into the software security module, Firefox can send it to the requesting web server and it works as expected.

Once the very same certificate was successfully imported into a smartcard and removed from the software security module, authentication fails in Firefox with "SEC_ERROR_LIBRARY_FAILURE". The nginx web server reports: SSL_do_handshake() failed (SSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:SSL alert number 80) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443

When using Chrome, the same client certificate from the same smartcard gets used and successfully connects to the web server.

Is there a known issue for this? How can this problem be narrowed down? Is there some kind of debug log file to get further information?

SSL client certificates do not work on Firefox 74.0 64-bit (Windows 10) and smartcards as expected. The smartcard gets accessed via PKCS #11 library. When the client certificate is placed into the software security module, Firefox can send it to the requesting web server and it works as expected. Once the very same certificate was successfully imported into a smartcard and removed from the software security module, authentication fails in Firefox with "SEC_ERROR_LIBRARY_FAILURE". The nginx web server reports: SSL_do_handshake() failed (SSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:SSL alert number 80) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443 When using Chrome, the same client certificate from the same smartcard gets used and successfully connects to the web server. Is there a known issue for this? How can this problem be narrowed down? Is there some kind of debug log file to get further information?
Zitieren

Mehr Details zum System

Anwendung

  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0

Weitere Informationen

Roland Tanglao
  • Administrator
77 Lösungen 847 Antworten
Veröffentlicht

Hi 0xFF

This is beyond my skill level :-) I searched for a bug but couldn't find one. Here's my search, maybe you'll find a bug that's similar but I didn't see one:

https://mzl.la/2Ui40hk

Anyhow please file a bug:

https://bugzilla.mozilla.org/enter_bug.cgi

Cheers!

...Roland

Hi 0xFF This is beyond my skill level :-) I searched for a bug but couldn't find one. Here's my search, maybe you'll find a bug that's similar but I didn't see one: https://mzl.la/2Ui40hk Anyhow please file a bug: https://bugzilla.mozilla.org/enter_bug.cgi Cheers! ...Roland
Hat Ihnen das weitergeholfen?
Zitieren
dkeeler 0 Lösungen 8 Antworten
Veröffentlicht

Instead of loading your PKCS#11 module, can you enable osclientcerts by setting `security.osclientcerts.autoload` to `true` in about:config?

Instead of loading your PKCS#11 module, can you enable osclientcerts by setting `security.osclientcerts.autoload` to `true` in about:config?
Hat Ihnen das weitergeholfen?
Zitieren
Roland Tanglao
  • Administrator
77 Lösungen 847 Antworten
Veröffentlicht

Hi 0xFF:

To use that pref you will have to use Firefox 75 beta (security.osclientcerts.autoload is in 75 but not in 74)

Cheers! ...Roland

Hi 0xFF: To use that pref you will have to use Firefox 75 beta ('''security.osclientcerts.autoload''' is in 75 but not in 74) Cheers! ...Roland
Hat Ihnen das weitergeholfen?
Zitieren
cor-el
  • Top 10 Contributor
  • Moderator
17856 Lösungen 161585 Antworten
Veröffentlicht

^To use that pref you will have to use Firefox 75 beta

I think that for Windows this pref got added in Firefox 72 and 68.4 ESR, so this should work with the current release. For Mac it got added in Firefox 75.

  • 1584401 - build osclientcerts in-tree (windows) [72]
  • 1586915 - build osclientcerts in-tree (macos) [75]
^To use that pref you will have to use Firefox 75 beta I think that for Windows this pref got added in Firefox 72 and 68.4 ESR, so this should work with the current release. For Mac it got added in Firefox 75. *1584401 - build osclientcerts in-tree (windows) [72] *1586915 - build osclientcerts in-tree (macos) [75]
Hat Ihnen das weitergeholfen?
Zitieren
Stellen Sie eine Frage

Sie müssen sich mit Ihrem Benutzerkonto anmelden, um auf Beiträge zu antworten. Bitte stellen Sie eine neue Frage, wenn Sie noch kein Benutzerkonto haben.