Ladies and Gentlemen,

I noticed some posts regarding this problem in the mailing list archives from January 2007 and at http://forums.mozillazine.org/viewtopic.php?t=487555. However, I did not see a solution (other than downgrading to firefox-1.5).

I am running firefox-2.0.0.9 on FreeBSD 7.0-beta2 (i386). My CAC is supported via an SCM SCR 331 smart card reader, pcsc-lite-1.4.4, libmusclecard-1.3.3, muscleframework-1.1.6, and a home-brewed commonAccessCard.bundle created using Apple's CACPlugin from SmartCardServices-32672 (from Mac OS X 10.5).

I registered my CAC using bundleTool and loaded libmusclepkcs11.so.0 as a security module in Firefox and Thunderbird. Assuming I insert my CAC before launching Firefox or Thunderbird, going to View Certificates prompts me for my PIN, after which my personal certificates display.

I added the 3 certificate chains at http://dodpki.c3pki.chamb.disa.mil/rootca.html, plus http://dodpki.c3pki.chamb.disa.mil/dodroot.cac for good measure when the latter wasn't enough. I checked the boxes to accept the certificates for all 3 possible purposes.

Going to a CAC site (such as AF Portal and choosing CAC Login), I am prompted for my PIN and to choose a certificate. I've tried both my e-mail and my non-e-mail certificate, and either way receive the following error message:

Error establishing an encrypted connection to www.my.af.mil. Error Code: -12222.

I did a little research and this is apparently an SSL error that means "Unable to digitally sign data required to verify your certificate." (According to http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html)

When attempting to digitally sign an e-mail using one of the certificates on my CAC in Thunderbird (thunderbird-2.0.0.4), I receive an error about my certificate. (Just a verbose version of Firefox's cryptic error code -12222 message).

I noticed that Firefox uses SSL v3, and I read elsewhere in these mailing list archives that DoD sites still use SSL v2. I enabled SSL v2 (disabled by default) in Firefox by going to about:config in the address bar, typing ssl2 as a filter, and changing all of the values re SSL v2 from "false" to "true." Still no luck logging onto AF Portal or OWA.

Has anyone had this same problem, and does anyone know of a workaround (short of downgrading to firefox-1.5 or installing an older version of mozilla as a secondary browser)?

Thank you for your help!

V/r,
Kevin Reinholz
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
