|
I think there were 28 certs imported from those 3 chains in Firefox,
versus 32 in Internet Explorer. Seamonkey is still compiling. I see that it's based on Mozilla? The SSL error when trying to connect to a CAC-logon site or send a digitally signed e-mail is pretty baffling. If I don't get to the bottom of this before the end of this TDY I'll be very curious to see if I have the same problem with Firefox on OS X. At least Safari is an option on Mac. David Mueller wrote: Do you import all three sets of certs from the DISA rootca site? I usually get some errors with the first one as well, but not with the second two. I haven't looked closely to compare but I haven't run into any problems with missing certs.- David ----- Original Message ----- From: "Kevin Reinholz" To: MUSCLE Subject: Re: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird Date: Sun, 25 Nov 2007 11:50:58 -0600 Thank you for your reply! I discovered that Firefox failed to import 4 of the certificates contained within those 3 certificate chains at http://dodpki.c3pki.chamb.disa.mil/rootca.html. I had a friend with access to a Windows box import the certificate chains and send me those 4 missing certificates, but still no luck in either Firefox or Thunderbird. I'm going to give Seamonkey a try and see if that helps. I originally compiled Coolkey but for some reason libcoolkey.so wouldn't link against libpcsclite, and either Firefox or Thunderbird would segfault upon trying to add libcoolkey.so as a security device. My other computer is a Mac, so there is some attraction to supporting my CAC via the same framework (and same CACPlugin) on both systems. I'm going to keep working on it and see if I can resolve this SSL error. . . David Mueller wrote:I usually recommend the Coolkey PKCS#11 module to access a CAC. I haven't heard of anyone trying to use it with FreeBSD, but as it works with Linux, Windows, and Mac OS X, I imagine it would probably work with FreeBSD as well. It isn't that hard to compile. But if your home-brewed bundle works for SSLv3/TLSv1 servers then that should be fine as well. http://directory.fedoraproject.org/wiki/CoolKey I haven't had problems with trying to sign/encrypt email with Thunderbird, but I have also had problems trying to access SSLv2 sites with Firefox 2. I've also tried going into about:config and enabling everything as you outlined and that hasn't worked either. SeaMonkey worked but I can't recall if it still does with current versions; usually the few times I've had to access an SSLv2 site I've used Safari. - David ----- Original Message ----- From: "Kevin Reinholz" To: [email protected] Subject: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird Date: Fri, 23 Nov 2007 20:38:38 -0600 Ladies and Gentlemen, I noticed some posts regarding this problem in the mailing listarchives from January 2007 and athttp://forums.mozillazine.org/viewtopic.php?t=487555. However, I didnot see a solution (other than downgrading to firefox-1.5). I am running firefox-2.0.0.9 on FreeBSD 7.0-beta2 (i386). My CAC issupported via an SCM SCR 331 smart card reader, pcsc-lite-1.4.4,libmusclecard-1.3.3, muscleframework-1.1.6, and a home-brewedcommonAccessCard.bundle created using Apple's CACPlugin fromSmartCardServices-32672 (from Mac OS X 10.5). I registered my CAC using bundleTool and loaded libmusclepkcs11.so.0 asa security module in Firefox and Thunderbird. Assuming I insert my CAC beforelaunching Firefox or Thunderbird, going to View Certificates prompts mefor my PIN, after which my personal certificates display. I added the 3 certificate chains athttp://dodpki.c3pki.chamb.disa.mil/rootca.html, plushttp://dodpki.c3pki.chamb.disa.mil/dodroot.cac for good measure whenthe latter wasn't enough. I checked the boxes to accept thecertificates for all 3 possible purposes. Going to a CAC site (such as AF Portal and choosing CAC Login), I amprompted for my PIN and to choose a certificate. I've tried both mye-mail and my non-e-mail certificate, and either way receive thefollowing error message: Error establishing an encrypted connection to www.my.af.mil. ErrorCode: -12222. I did a little research and this is apparently an SSL error that means"Unableto digitally sign data required to verify your certificate." (Accordingto http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html) When attempting to digitally sign an e-mail using one of thecertificates on my CAC in Thunderbird (thunderbird-2.0.0.4), I receivean error about my certificate. (Just a verbose version of Firefox'scryptic error code -12222 message). I noticed that Firefox uses SSL v3, and I read elsewhere in thesemailing list archives that DoD sites still use SSL v2. I enabled SSL v2(disabled by default) in Firefox by going to about:config in theaddress bar, typing ssl2 as a filter, and changing all of the values reSSL v2 from "false" to "true." Still no luck logging onto AF Portal orOWA. Has anyone had this same problem, and does anyone know of a workaround(short of downgrading to firefox-1.5 or installing an older version ofmozilla as a secondary browser)? Thank you for your help! V/r, Kevin Reinholz |
_______________________________________________ Muscle mailing list [email protected] http://lists.drizzle.com/mailman/listinfo/muscle
