Thank you for your reply!

I discovered that Firefox failed to import 4 of the certificates contained within those 3 certificate chains at http://dodpki.c3pki.chamb.disa.mil/rootca.html. I had a friend with access to a Windows box import the certificate chains and send me those 4 missing certificates, but still no luck in either Firefox or Thunderbird.

I'm going to give Seamonkey a try and see if that helps.

I originally compiled Coolkey but for some reason libcoolkey.so wouldn't link against libpcsclite, and either Firefox or Thunderbird would segfault upon trying to add libcoolkey.so as a security device.

My other computer is a Mac, so there is some attraction to supporting my CAC via the same framework (and same CACPlugin) on both systems.

I'm going to keep working on it and see if I can resolve this SSL error. . .

David Mueller wrote:
I usually recommend the Coolkey PKCS#11 module to access a CAC.  I haven't 
heard of anyone trying to use it with FreeBSD, but as it works with Linux, 
Windows, and Mac OS X, I imagine it would probably work with FreeBSD as well.  
It isn't that hard to compile.  But if your home-brewed bundle works for 
SSLv3/TLSv1 servers then that should be fine as well.

http://directory.fedoraproject.org/wiki/CoolKey

I haven't had problems with trying to sign/encrypt email with Thunderbird, but 
I have also had problems trying to access SSLv2 sites with Firefox 2.  I've 
also tried going into about:config and enabling everything as you outlined and 
that hasn't worked either.  SeaMonkey worked but I can't recall if it still 
does with current versions; usually the few times I've had to access an SSLv2 
site I've used Safari.

- David

----- Original Message -----
From: "Kevin Reinholz" To: [email protected]
Subject: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird
Date: Fri, 23 Nov 2007 20:38:38 -0600

Ladies and Gentlemen,

I noticed some posts regarding this problem in the mailing list archives from January 2007 and at http://forums.mozillazine.org/viewtopic.php?t=487555. However, I did not see a solution (other than downgrading to firefox-1.5).

I am running firefox-2.0.0.9 on FreeBSD 7.0-beta2 (i386). My CAC is supported via an SCM SCR 331 smart card reader, pcsc-lite-1.4.4, libmusclecard-1.3.3, muscleframework-1.1.6, and a home-brewed commonAccessCard.bundle created using Apple's CACPlugin from SmartCardServices-32672 (from Mac OS X 10.5).

I registered my CAC using bundleTool and loaded libmusclepkcs11.so.0 as a security module in Firefox and Thunderbird. Assuming I insert my CAC before launching Firefox or Thunderbird, going to View Certificates prompts me for my PIN, after which my personal certificates display.

I added the 3 certificate chains at http://dodpki.c3pki.chamb.disa.mil/rootca.html, plus http://dodpki.c3pki.chamb.disa.mil/dodroot.cac for good measure when the latter wasn't enough. I checked the boxes to accept the certificates for all 3 possible purposes.

Going to a CAC site (such as AF Portal and choosing CAC Login), I am prompted for my PIN and to choose a certificate. I've tried both my e-mail and my non-e-mail certificate, and either way receive the following error message:

Error establishing an encrypted connection to www.my.af.mil. Error Code: -12222.

I did a little research and this is apparently an SSL error that means "Unable to digitally sign data required to verify your certificate." (According to http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html)

When attempting to digitally sign an e-mail using one of the certificates on my CAC in Thunderbird (thunderbird-2.0.0.4), I receive an error about my certificate. (Just a verbose version of Firefox's cryptic error code -12222 message).

I noticed that Firefox uses SSL v3, and I read elsewhere in these mailing list archives that DoD sites still use SSL v2. I enabled SSL v2 (disabled by default) in Firefox by going to about:config in the address bar, typing ssl2 as a filter, and changing all of the values re SSL v2 from "false" to "true." Still no luck logging onto AF Portal or OWA.

Has anyone had this same problem, and does anyone know of a workaround (short of downgrading to firefox-1.5 or installing an older version of mozilla as a secondary browser)?

Thank you for your help!

V/r,
Kevin Reinholz



_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
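The original post imports the DoD CA chains into the Firefox/Thunderbird certificate store and accepts each certificate "for all 3 possible purposes", and the follow-up finds that several certificates in those chains were not imported at all. The NSS store behind both applications can be inspected from the command line with `certutil -d <profile directory> -L`, which prints one line per certificate with its nickname and a trust-attribute column in the order SSL,S/MIME,JAR/XPI (in NSS, `C` marks a CA trusted to issue server certificates, `T` a CA trusted to issue client certificates, and `u` a user certificate with a private key). The script below is an added example, not code from the thread or from the Muscle or Coolkey projects: it parses that listing and reports which CA entries are not marked trusted for each purpose, so the result of the GUI import can be compared with what was intended. The listing embedded in it is constructed to mirror the `certutil -L` layout; the nicknames are placeholders and not the DoD CA names referred to on the page.

```python
"""Report CA certificates in an NSS database that lack trust for a purpose.

Added example for the thread above; not part of the original mailing list
posts and not code from the Muscle/Coolkey projects. Feed it the output of
`certutil -d <profile directory> -L` (the real tool is not invoked here).
"""
import re

# Purposes in the column order certutil prints them.
PURPOSES = ("SSL", "S/MIME", "JAR/XPI")

# Constructed sample of `certutil -L` output: nickname column, two or more
# spaces, then the trust attributes. The nicknames are placeholders.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
Example Intermediate CA-1                                    C,C,C
Example Intermediate CA-2                                    ,,
Example Email CA-3                                           ,C,
Example user certificate                                     u,u,u
"""

# Nickname, at least two spaces, then three comma-separated flag groups.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_listing(text):
    """Return a list of (nickname, (ssl_flags, smime_flags, jar_flags))."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blank lines and the two header lines certutil prints.
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,S/MIME")):
            continue
        match = TRUST_RE.match(line)
        if not match:
            continue
        flags = tuple(match.group("trust").split(","))
        entries.append((match.group("nick").strip(), flags))
    return entries


def is_user_cert(flags):
    """A 'u' in any column means the entry is a user certificate, not a CA."""
    return any("u" in column for column in flags)


def untrusted_ca_purposes(text):
    """Map each CA nickname to the purposes for which it carries no trust.

    A column counts as trusted when it contains 'C' (trusted to issue server
    certificates) or 'T' (trusted to issue client certificates).
    """
    report = {}
    for nick, flags in parse_listing(text):
        if is_user_cert(flags):
            continue
        missing = [purpose for purpose, column in zip(PURPOSES, flags)
                   if "C" not in column and "T" not in column]
        if missing:
            report[nick] = missing
    return report


if __name__ == "__main__":
    for nick, purposes in untrusted_ca_purposes(SAMPLE_LISTING).items():
        print(f"{nick}: not trusted for {', '.join(purposes)}")
```

On a real profile, replace `SAMPLE_LISTING` with the captured `certutil -L` output; any CA that appears with an empty column, or that is missing from the listing entirely, did not end up with the trust the import dialog was meant to grant.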
