SSL Client autentification failed. Firefox does not open dialog with certificates.
I have problem accessing SSL client auth protected websites.
Security module is succesfully loaded, Login via Security module is OK and I can see certificates from SmartCard in Firefox "Your Certificates" tab. When I navigate to SSL protected website Firefox does not open pop-up certificate dialog with my certificates list and I can't login to website.
I also try not to login via Security module directly and then, when I came to website, Firefox detect SSL client Auth request from website and backend middleware raise pop-up pin dialog. Again, I have logged in successfully into smartcard via middleware, certificates are loaded in "Your certificates" tab but Firefox does not opening certificate dialog.
Middleware is ActivClient 6.2 and Firefox version is 25. I also try with different Firefox/ActivClient version combination but same problem still exists.
Also, Firefox on Linux works ok (combination with Coolkey). I also try Coolkey and Firefox on Windows OS and also working.
Problem exists only with Firefox/ActivClient combination.
Does anybody have solution for this problem?
Modified by fredast
Additional System Details
- Next Generation Java Plug-in 10.45.2 for Mozilla browsers
- NPRuntime Script Plug-in Library for Java(TM) Deploy
- DRM Netscape Network Object
- Npdsplay dll
- DRM Store Netscape Plugin
- User Agent: Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0
I am trying to reproduce this issue and I have a few questions:
- In your option> Advance> Certificates there is an option:"When a server requires my personal certificate"Is this set to "automatic" or "always ask"?
- Are you managing the certificate manually then navigating to the page?
- what version of ssl are the pages using? you can change this manually I believe
* I try both. "Automatic" and "Always ask". "Always ask" option is default and works in other browsers and Firefox on LinuxOS
* No. I navigate to the page->Page request SSL auth->Then I type PIN in ActivClient prompt dialog (automatically displayed when page requests auth)-> My Certificates from SmartCard are automatically displayed in "Your Certificates" Tab.
* It's TLS 1.0
I did some more research on this and it looks like you have to go the about:config page and mess with this setting:
You'll need to enable SSL renegotiation, do this by pointing your browser to about:config. After confirming that you know what you are doing, you need to start typing in:
"security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref set it to true (by double clicking it). " Ref: [http://militarycac.com/firefox.htm]
- see cor-el's post about security
Modified by guigs
It is not recommended to mess with that global security setting, but add trusted hosts instead if you really need to.
See this link for information about 'Renegotiation' (CVE-2009-3555):
You can look at the security.ssl.renego_unrestricted_hosts pref on the about:config page and add the sites that you want to allow to the string value.
Separate multiple host names by a comma.
I've already try playing with those settings. "security.ssl.renego_unrestricted_hosts" was first option that I play with (and some other ssl and network options didn't make me happy)...But, nothing happens...Deffinitely, I think it's not website/webserver problem because this site works with other smartcards and middlewares. Also, with this combination I have problem with another websites...So, I'm pretty sure it's something with SmartCard/ActivClient/Firefox combination. Another weird thing is that my SmartCard work with Firefox and CoolKey library...Strange.....I have made another test with Alladin SmartCard eToken and SafeNet Auth Client Middleware...Everything works perfectly in Firefox...
I will try with another SmartCard (another manafacturer) that holds same certificates like my currently smartcard (same issuer)...
Anyway...I'm running out of ideas....
Modified by fredast
I tried all the above options, but still i'm not able to see any popup or option to select client certificate.
1. "Ask me every time" is selected. 2."Security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref" is set to true. 3. "security.ssl.renego_unrestricted_hosts" added my website address to this. 4. Imported client certificate to "Your Certificates" tab.
Please let me know, if i have done something wrong with settings.
Are you using the same combination SmartCard/ActivClient/Firefox ? Does that combination use OCSP or CCRL? IF so it looks like both need to be OSCP aware, the is enabled by defualt but to check if Firefox is OSCP you can go to Options> Advanced> Tools and click on Validation.
A trick you can use to troubleshoot where any validation or blockage is using wireshark or backtrack with Firefox. My favorite tool though is Live HTTP Headers https://addons.mozilla.org/en-US/fire.../live-http-headers/ I hope this helps in the right direction. If you are seeing Firefox is blocking please do let us know and we can open a bug :-)
Modified by guigs
Thanks for your reply.
Good thing is I am able get the certificate popup, but still with some issue. My client certificate has 3 level hierarchy.
1. Parent Root Certificate(Self Signed Certificate) 2. Child Parent Root Certificate(Issued by Parent Root Certificate) 3. Client Certificate (Issued by Child Parent Root)
In "Your Certificates" tab, I have imported my Client Certificate, Child Parent Root and Parent Root, but when I try to access the website, the certificate popup shows only Parent Root certificate, it does not show up the remain two certificates.
If I select Parent Root certificate, I'm able to access the website but not able to select the required client certificate.
Also I tried to import the Root certificates to Authorities tab, but some how they are not getting imported, no error message is displayed, it simply doesn't import anything.
I'm using Firefox 26.0 (No SmartCard or ActiveClient) with OCSP selected.
Please let me know your views on this.
Thanks & Regards, Mohan G
Hi on second thought I followed up with the #security channel on this and found that automatically accepting certificates can be bad. And if If the security.ssl.allow_unrestricted_renego_yeverywhere__temporarily_available_pref has an effect then that means that the website is not working properly.