Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Authentucated smartcard user session is terminated immediatedly when card is removed, regardless of httpd SSLSessionCacheTimeout (default 300) setting. Why?

  • 8 svar
  • 1 har dette problemet
  • 145 views
  • Siste svar av cor-el

more options

I have installed security device in FF option/advanced tab. Then using smart card to log into my server. The smartcard user is authenticated and secure connection is going smoothly. When the card is removed from the card reader, the connection is immediately terminated, regardless of SSLSessionCacheTimeout settings. Mine is set to 300.

I did same thing with IE, it keeps the connection until the SSLSessionCacheTimeout expires.

It is FF-specific-designed feature? Or I need to do sth specific to FF browser to keep my secure connection based on SSLSessionCacheTimeout setting?

Thanks

Valgt løsning

Hey SecureDevPaty,

I am wondering if you have installed a cert in the clientside or server side.

I am not an expert in this, but these are the references I found. I *think* after reading about this aal session http://stackoverflow.com/questions/12.../session-disconnect-the-client-after-smart-card-is-removed there is a ssl feature in the about:config page. If you search for ssl, look at the negotiation features. which after rereading the thread we have already done.

I started to read more up on the ssl rules

and some rfcs. My question is, the rule for timeout, is this set on the server? with a specific rule in the cert? If this is a cert basis, I would ask stackoverflow.com

Les dette svaret i sammenhengen 👍 1

All Replies (8)

more options

Do you know if it is a prefetch smartcard? http://kb.mozillazine.org/Browser.ssl_override_behavior

more options

Thanks for providing the answer.

I checked my FF. The preference browser.xul.error_pages.enabled is set to true, and browser.ssl_override_behavior is set to 2 as default.

I set browser.ssl_override_behavior to 0 and1 to test my smartcard authentication. I got the same result. Whenever remove the card from reader, the SSL connection is terminated.

There might be other settings for changing this behavior. Please help.

Thanks

more options

Hi SecureDevPaty, If I may ask, what kind of smartcard are you using?

more options

Hi, Guigs2, very appreciate your response, Thank you.

Basically I am using USB plug-in smartcard reader with the card storing private/public key to access my Apache server through browser. The smart card driver I installed to FF security device is read like the followings.

Description: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0 Manufacturer: SCM Microsystems Inc., T-Systems International GmbH HW Version: 2.4

Hope these info helps.

Thanks.

more options

Valgt løsning

Hey SecureDevPaty,

I am wondering if you have installed a cert in the clientside or server side.

I am not an expert in this, but these are the references I found. I *think* after reading about this aal session http://stackoverflow.com/questions/12.../session-disconnect-the-client-after-smart-card-is-removed there is a ssl feature in the about:config page. If you search for ssl, look at the negotiation features. which after rereading the thread we have already done.

I started to read more up on the ssl rules

and some rfcs. My question is, the rule for timeout, is this set on the server? with a specific rule in the cert? If this is a cert basis, I would ask stackoverflow.com

more options

Hi guigs2

Really appreciate your replies that contains plenty of info. Will go through them :-)

Yes, I installed security device (smart card module) to firefox, and made cert authentication working with my app server.

The SSLSessionCacheTimeout setting is just for server side httpd config, which suppose to keep SSL session without asking browser (smartcard) private/public keys for period of time. IE's behavior is to keep the SSL session within the timeout. FF just terminates SSL session immediately when card is plugged out of card-reader.

It seems FF terminates SSL session whenever it gets smartcard-remove event. Is there any way to bypass FF event handler?

more options

Hey,

To answer your question: https://developer.mozilla.org/en-US/d.../JavaScript_crypto this link includes how a developer can control the event handlers upon a smartcard removal. These will only work in FIrefox and may be changed in the furture, this only worked in Firefox 21, so this may not be ideal for you.

Web sites can make themselves more SmartCard friendly by listening for SmartCard insertion and removal events. To enable your document to receive these events, you must first tell the crypto system you are interested by setting window.crypto.enableSmartCardEvents to true. You can then register event handlers for these events with the document.addEventListener() method.

Old threads to where this code lives : http://forums.mozillazine.org/viewtopic.php?f=42&t=2708147 I could not find any recent implementations though, it looks like this event is something that happens only serverside?

more options

Endret av cor-el