Do you import all three sets of certs from the DISA rootca site? I usually get some errors with the first one as well, but not with the second two. I haven't looked closely to compare but I haven't run into any problems with missing certs.

- David

----- Original Message -----
From: "Kevin Reinholz"
To: MUSCLE
Subject: Re: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird
Date: Sun, 25 Nov 2007 11:50:58 -0600

Thank you for your reply! I discovered that Firefox failed to import 4 of the certificates contained within those 3 certificate chains at http://dodpki.c3pki.chamb.disa.mil/rootca.html. I had a friend with access to a Windows box import the certificate chains and send me those 4 missing certificates, but still no luck in either Firefox or Thunderbird. I'm going to give Seamonkey a try and see if that helps.

I originally compiled Coolkey but for some reason libcoolkey.so wouldn't link against libpcsclite, and either Firefox or Thunderbird would segfault upon trying to add libcoolkey.so as a security device. My other computer is a Mac, so there is some attraction to supporting my CAC via the same framework (and same CACPlugin) on both systems.

I'm going to keep working on it and see if I can resolve this SSL error...

David Mueller wrote:
> I usually recommend the Coolkey PKCS#11 module to access a CAC. I haven't heard of anyone trying to use it with FreeBSD, but as it works with Linux, Windows, and Mac OS X, I imagine it would probably work with FreeBSD as well. It isn't that hard to compile. But if your home-brewed bundle works for SSLv3/TLSv1 servers then that should be fine as well.
>
> http://directory.fedoraproject.org/wiki/CoolKey
>
> I haven't had problems with trying to sign/encrypt email with Thunderbird, but I have also had problems trying to access SSLv2 sites with Firefox 2. I've also tried going into about:config and enabling everything as you outlined and that hasn't worked either. SeaMonkey worked but I can't recall if it still does with current versions; usually the few times I've had to access an SSLv2 site I've used Safari.
>
> - David
>
> ----- Original Message -----
> From: "Kevin Reinholz"
> To: [email protected]
> Subject: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird
> Date: Fri, 23 Nov 2007 20:38:38 -0600
>
> Ladies and Gentlemen,
>
> I noticed some posts regarding this problem in the mailing list archives from January 2007 and at http://forums.mozillazine.org/viewtopic.php?t=487555. However, I did not see a solution (other than downgrading to firefox-1.5).
>
> I am running firefox-2.0.0.9 on FreeBSD 7.0-beta2 (i386). My CAC is supported via an SCM SCR 331 smart card reader, pcsc-lite-1.4.4, libmusclecard-1.3.3, muscleframework-1.1.6, and a home-brewed commonAccessCard.bundle created using Apple's CACPlugin from SmartCardServices-32672 (from Mac OS X 10.5).
>
> I registered my CAC using bundleTool and loaded libmusclepkcs11.so.0 as a security module in Firefox and Thunderbird. Assuming I insert my CAC before launching Firefox or Thunderbird, going to View Certificates prompts me for my PIN, after which my personal certificates display.
>
> I added the 3 certificate chains at http://dodpki.c3pki.chamb.disa.mil/rootca.html, plus http://dodpki.c3pki.chamb.disa.mil/dodroot.cac for good measure when the latter wasn't enough. I checked the boxes to accept the certificates for all 3 possible purposes.
>
> Going to a CAC site (such as AF Portal and choosing CAC Login), I am prompted for my PIN and to choose a certificate. I've tried both my e-mail and my non-e-mail certificate, and either way receive the following error message:
>
> Error establishing an encrypted connection to www.my.af.mil. Error Code: -12222.
>
> I did a little research and this is apparently an SSL error that means "Unable to digitally sign data required to verify your certificate." (According to http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html)
>
> When attempting to digitally sign an e-mail using one of the certificates on my CAC in Thunderbird (thunderbird-2.0.0.4), I receive an error about my certificate. (Just a verbose version of Firefox's cryptic error code -12222 message).
>
> I noticed that Firefox uses SSL v3, and I read elsewhere in these mailing list archives that DoD sites still use SSL v2. I enabled SSL v2 (disabled by default) in Firefox by going to about:config in the address bar, typing ssl2 as a filter, and changing all of the values re SSL v2 from "false" to "true." Still no luck logging onto AF Portal or OWA.
>
> Has anyone had this same problem, and does anyone know of a workaround (short of downgrading to firefox-1.5 or installing an older version of mozilla as a secondary browser)?
>
> Thank you for your help!
>
> V/r,
> Kevin Reinholz
