I usually recommend the Coolkey PKCS#11 module to access a CAC. I haven't heard of anyone trying to use it with FreeBSD, but as it works with Linux, Windows, and Mac OS X, I imagine it would probably work with FreeBSD as well. It isn't that hard to compile. But if your home-brewed bundle works for SSLv3/TLSv1 servers then that should be fine as well.
http://directory.fedoraproject.org/wiki/CoolKey I haven't had problems with trying to sign/encrypt email with Thunderbird, but I have also had problems trying to access SSLv2 sites with Firefox 2. I've also tried going into about:config and enabling everything as you outlined and that hasn't worked either. SeaMonkey worked but I can't recall if it still does with current versions; usually the few times I've had to access an SSLv2 site I've used Safari. - David ----- Original Message ----- From: "Kevin Reinholz" To: [email protected] Subject: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird Date: Fri, 23 Nov 2007 20:38:38 -0600 Ladies and Gentlemen, I noticed some posts regarding this problem in the mailing listarchives from January 2007 and athttp://forums.mozillazine.org/viewtopic.php?t=487555. However, I didnot see a solution (other than downgrading to firefox-1.5). I am running firefox-2.0.0.9 on FreeBSD 7.0-beta2 (i386). My CAC issupported via an SCM SCR 331 smart card reader, pcsc-lite-1.4.4,libmusclecard-1.3.3, muscleframework-1.1.6, and a home-brewedcommonAccessCard.bundle created using Apple's CACPlugin fromSmartCardServices-32672 (from Mac OS X 10.5). I registered my CAC using bundleTool and loaded libmusclepkcs11.so.0 asa security module in Firefox and Thunderbird. Assuming I insert my CAC beforelaunching Firefox or Thunderbird, going to View Certificates prompts mefor my PIN, after which my personal certificates display. I added the 3 certificate chains athttp://dodpki.c3pki.chamb.disa.mil/rootca.html, plushttp://dodpki.c3pki.chamb.disa.mil/dodroot.cac for good measure whenthe latter wasn't enough. I checked the boxes to accept thecertificates for all 3 possible purposes. Going to a CAC site (such as AF Portal and choosing CAC Login), I amprompted for my PIN and to choose a certificate. I've tried both mye-mail and my non-e-mail certificate, and either way receive thefollowing error message: Error establishing an encrypted connection to www.my.af.mil. ErrorCode: -12222. I did a little research and this is apparently an SSL error that means"Unableto digitally sign data required to verify your certificate." (Accordingto http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html) When attempting to digitally sign an e-mail using one of thecertificates on my CAC in Thunderbird (thunderbird-2.0.0.4), I receivean error about my certificate. (Just a verbose version of Firefox'scryptic error code -12222 message). I noticed that Firefox uses SSL v3, and I read elsewhere in thesemailing list archives that DoD sites still use SSL v2. I enabled SSL v2(disabled by default) in Firefox by going to about:config in theaddress bar, typing ssl2 as a filter, and changing all of the values reSSL v2 from "false" to "true." Still no luck logging onto AF Portal orOWA. Has anyone had this same problem, and does anyone know of a workaround(short of downgrading to firefox-1.5 or installing an older version ofmozilla as a secondary browser)? Thank you for your help! V/r, Kevin Reinholz -- Over 2 Million Holiday Gift Ideas - Take a Look! mail.com shopping at http://mail.shopping.com/?linkin_id=8033174 _______________________________________________ Muscle mailing list [email protected] http://lists.drizzle.com/mailman/listinfo/muscle
