Authenticated smartcard user session is terminated immediately when card is removed, regardless of httpd SSLSessionCacheTimeout (default 300) setting. Why?
I have installed a security device in the FF options/advanced tab, then used a smart card to log into my server. The smartcard user is authenticated and the secure connection works smoothly. When the card is removed from the card reader, the connection is immediately terminated, regardless of the SSLSessionCacheTimeout setting. Mine is set to 300.
I did the same thing with IE; it keeps the connection until the SSLSessionCacheTimeout expires.
Is it an FF-specific designed feature? Or do I need to do something specific to the FF browser to keep my secure connection based on the SSLSessionCacheTimeout setting?
Thanks
Chosen solution
Hey SecureDevPaty,
I am wondering if you have installed a cert in the clientside or server side.
- PKCS11 Module installation allows access to smart-card biometric security or external stores. Click that link for more info.
- https://developer.mozilla.org/en-US/d.../JavaScript_crypto
- From the command line you can use the nss tool certutil https://developer.mozilla.org/en-US/d.../NSS_tools_:_certutil to manage certs.
I am not an expert in this, but these are the references I found. I *think* after reading about this aal session http://stackoverflow.com/questions/12.../session-disconnect-the-client-after-smart-card-is-removed there is an SSL feature in the about:config page. If you search for ssl, look at the negotiation features, which after rereading the thread we have already done.
I started to read more up on the ssl rules
- http://blog.johnath.com/index.php/200.../security-tidbits/
- http://tools.ietf.org/html/draft-friedl-tls-applayerprotoneg-02
and some rfcs. My question is, the rule for timeout, is this set on the server? with a specific rule in the cert? If this is a cert basis, I would ask stackoverflow.com
All Replies (8)
Do you know if it is a prefetch smartcard? http://kb.mozillazine.org/Browser.ssl_override_behavior
Thanks for providing the answer.
I checked my FF. The preference browser.xul.error_pages.enabled is set to true, and browser.ssl_override_behavior is set to 2 as default.
I set browser.ssl_override_behavior to 0 and 1 to test my smartcard authentication. I got the same result. Whenever I remove the card from the reader, the SSL connection is terminated.
There might be other settings for changing this behavior. Please help.
Thanks
Hi SecureDevPaty, If I may ask, what kind of smartcard are you using?
Hi Guigs2, I very much appreciate your response. Thank you.
Basically I am using a USB plug-in smartcard reader, with the card storing the private/public key, to access my Apache server through the browser. The smart card driver I installed as an FF security device reads as follows.
Description: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
Manufacturer: SCM Microsystems Inc., T-Systems International GmbH
HW Version: 2.4
Hope this info helps.
Thanks.
Hi guigs2
Really appreciate your replies, which contain plenty of info. Will go through them :-)
Yes, I installed the security device (smart card module) in Firefox, and got cert authentication working with my app server.
The SSLSessionCacheTimeout setting is just for the server-side httpd config, which is supposed to keep the SSL session without asking the browser (smartcard) for private/public keys for a period of time. IE's behavior is to keep the SSL session within the timeout. FF just terminates the SSL session immediately when the card is pulled out of the card reader.
It seems FF terminates SSL session whenever it gets smartcard-remove event. Is there any way to bypass FF event handler?
Hey,
To answer your question: https://developer.mozilla.org/en-US/d.../JavaScript_crypto this link includes how a developer can control the event handlers upon a smartcard removal. These will only work in Firefox and may be changed in the future; this only worked in Firefox 21, so this may not be ideal for you.
Web sites can make themselves more SmartCard friendly by listening for SmartCard insertion and removal events. To enable your document to receive these events, you must first tell the crypto system you are interested by setting window.crypto.enableSmartCardEvents to true. You can then register event handlers for these events with the document.addEventListener() method.
Old threads to where this code lives: http://forums.mozillazine.org/viewtopic.php?f=42&t=2708147 I could not find any recent implementations though; it looks like this event is something that happens only server-side?
See also the source code:
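The event registration described in the last reply, as an added example that is not part of the original thread or Mozilla's code. The event names `smartcard-insert` and `smartcard-remove` are those of the legacy Firefox API the reply links to; `watchSmartCard`, `fakeDocument` and `demo` are hypothetical names, and the stand-in window and document are constructed so the flow runs outside a browser.

```javascript
// Opt in to Firefox's legacy smart card events and react to card removal.
// `win` and `doc` are the browser's window and document; they are passed in so the
// function can be exercised with stand-in objects outside a browser.
function watchSmartCard(win, doc, onRemove) {
  const c = win.crypto;
  // Feature-detect: the property only existed in older Firefox builds.
  if (!c || !("enableSmartCardEvents" in c)) {
    return { supported: false, present: null };
  }
  c.enableSmartCardEvents = true; // tell the crypto system we want the events
  const state = { supported: true, present: null }; // null = no event seen yet
  doc.addEventListener("smartcard-insert", () => { state.present = true; }, false);
  doc.addEventListener("smartcard-remove", (ev) => {
    state.present = false;
    onRemove(ev); // e.g. clear the page and end the application session
  }, false);
  return state;
}

// Constructed stand-in for a document, used only to show the flow offline.
function fakeDocument() {
  const handlers = {};
  return {
    addEventListener(type, fn) { (handlers[type] = handlers[type] || []).push(fn); },
    fire(type) { (handlers[type] || []).forEach((fn) => fn({ type })); },
  };
}

function demo() {
  const doc = fakeDocument();
  const log = [];
  const legacyWin = { crypto: { enableSmartCardEvents: false } }; // constructed
  const state = watchSmartCard(legacyWin, doc, (ev) => log.push("logout after " + ev.type));
  doc.fire("smartcard-insert");
  doc.fire("smartcard-remove");
  // A window without the legacy property: the caller must rely on server-side expiry.
  const modern = watchSmartCard({ crypto: {} }, fakeDocument(), () => {});
  return { state, log, enabled: legacyWin.crypto.enableSmartCardEvents, modern };
}
```

These handlers only notify the page so it can react to card removal, for example by logging the user out; they do not change how Firefox itself handles the TLS session.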