Seamonkey was a no-go. I received that same Error code -12222 with NSS indicating a problem digitally signing data required to verify my certificate. That was with seamonkey-1.1.6. I may try an older version just to see if that makes a difference.

I wonder if the issue is truly with Firefox/Thunderbird/Seamonkey, in other words Mozilla's NSS, or if the problem is related to libmusclepkcs11 and/or commonAccessCard.bundle. That said, I'm pretty sure the following terminal readout indicated the successful registry of my CAC:

fongsaiyuk# bundleTool
Select the appropriate token driver:
------------------------------------
  1.     commonAccessCard.bundle
  2.     mscMuscleCard.bundle
  3.     slbCryptoflex.bundle
------------------------------------
Enter the number: 1

Insert your token in: SCM SCR 331 (21120727G00110) 00 00

Token support updated successfully !

Then too, I would imagine that if there were a problem with libmusclecard, libmusclepkcs11, or commonAccessCard.bundle, my CAC would not be recognized when inserted, Firefox would segfault when trying to load libmusclepkcs11.so.0 as a security module, and/or Firefox/Thunderbird wouldn't recognize my certificates on my CAC under "personal certificates" when I launch Firefox/Thunderbird with my card inserted and enter my PIN when prompted.

Clearly my CAC is being read, the muscle framework recognizes when I enter my PIN correctly, and I can display the certificates loaded on my CAC. That would seem to imply that the problem lies elsewhere.

I go to AF Portal or AFMC webmail, I'm prompted for a certificate and I can choose between my e-mail and non-e-mail certificate, I'm prompted for my PIN which I enter correctly, and then I receive that cryptic Error code -12222 pertaining to NSS. Very frustrating to be so close yet not quite there.

There is also the option of going back and trying to get libcoolkey to link against libpcsclite, then seeing if I have better luck using libcoolkey.so as a security module. However, it seems to me that libmusclepkcs11 is working fine, and the problem lies with Mozilla's NSS or Firefox's handling of certificates.

Either route is an adventure...

Kevin Reinholz wrote:
I think there were 28 certs imported from those 3 chains in Firefox, versus 32 in Internet Explorer.

Seamonkey is still compiling. I see that it's based on Mozilla? The SSL error when trying to connect to a CAC-logon site or send a digitally signed e-mail is pretty baffling. If I don't get to the bottom of this before the end of this TDY I'll be very curious to see if I have the same problem with Firefox on OS X. At least Safari is an option on Mac.

David Mueller wrote:
Do you import all three sets of certs from the DISA rootca site?  I usually get some errors with the first one as well, but not with the second two.  I haven't looked closely to compare but I haven't run into any problems with missing certs.

- David

----- Original Message -----
From: "Kevin Reinholz" 
To: MUSCLE 
Subject: Re: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird
Date: Sun, 25 Nov 2007 11:50:58 -0600

Thank you for your reply!

I discovered that Firefox failed to import 4 of the certificates 
contained within those 3 certificate chains at 
http://dodpki.c3pki.chamb.disa.mil/rootca.html. I had a friend with 
access to a Windows box import the certificate chains and send me 
those 4 missing certificates, but still no luck in either Firefox 
or Thunderbird.

I'm going to give Seamonkey a try and see if that helps.

I originally compiled Coolkey but for some reason libcoolkey.so 
wouldn't link against libpcsclite, and either Firefox or 
Thunderbird would segfault upon trying to add libcoolkey.so as a 
security device.

My other computer is a Mac, so there is some attraction to 
supporting my CAC via the same framework (and same CACPlugin) on 
both systems.

I'm going to keep working on it and see if I can resolve this SSL error...

David Mueller wrote:
I usually recommend the Coolkey PKCS#11 module to access a CAC.  
I haven't heard of anyone trying to use it with FreeBSD, but as 
it works with Linux, Windows, and Mac OS X, I imagine it would 
probably work with FreeBSD as well.  It isn't that hard to 
compile.  But if your home-brewed bundle works for SSLv3/TLSv1 
servers then that should be fine as well.

http://directory.fedoraproject.org/wiki/CoolKey

I haven't had problems with trying to sign/encrypt email with 
Thunderbird, but I have also had problems trying to access SSLv2 
sites with Firefox 2.  I've also tried going into about:config 
and enabling everything as you outlined and that hasn't worked 
either.  SeaMonkey worked but I can't recall if it still does 
with current versions; usually the few times I've had to access 
an SSLv2 site I've used Safari.

- David

----- Original Message -----
From: "Kevin Reinholz"
To: [email protected]
Subject: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird
Date: Fri, 23 Nov 2007 20:38:38 -0600

Ladies and Gentlemen,

I noticed some posts regarding this problem in the mailing list archives from January 2007 and at http://forums.mozillazine.org/viewtopic.php?t=487555. However, I did not see a solution (other than downgrading to firefox-1.5).

I am running firefox-2.0.0.9 on FreeBSD 7.0-beta2 (i386). My CAC is supported via an SCM SCR 331 smart card reader, pcsc-lite-1.4.4, libmusclecard-1.3.3, muscleframework-1.1.6, and a home-brewed commonAccessCard.bundle created using Apple's CACPlugin from SmartCardServices-32672 (from Mac OS X 10.5).

I registered my CAC using bundleTool and loaded libmusclepkcs11.so.0 as a security module in Firefox and Thunderbird. Assuming I insert my CAC before launching Firefox or Thunderbird, going to View Certificates prompts me for my PIN, after which my personal certificates display.

I added the 3 certificate chains at http://dodpki.c3pki.chamb.disa.mil/rootca.html, plus http://dodpki.c3pki.chamb.disa.mil/dodroot.cac for good measure when the latter wasn't enough. I checked the boxes to accept the certificates for all 3 possible purposes.

Going to a CAC site (such as AF Portal and choosing CAC Login), I am prompted for my PIN and to choose a certificate. I've tried both my e-mail and my non-e-mail certificate, and either way receive the following error message:

Error establishing an encrypted connection to www.my.af.mil. Error Code: -12222.

I did a little research and this is apparently an SSL error that means "Unable to digitally sign data required to verify your certificate." (According to http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html)

When attempting to digitally sign an e-mail using one of the certificates on my CAC in Thunderbird (thunderbird-2.0.0.4), I receive an error about my certificate. (Just a verbose version of Firefox's cryptic error code -12222 message).

I noticed that Firefox uses SSL v3, and I read elsewhere in these mailing list archives that DoD sites still use SSL v2. I enabled SSL v2 (disabled by default) in Firefox by going to about:config in the address bar, typing ssl2 as a filter, and changing all of the values re SSL v2 from "false" to "true." Still no luck logging onto AF Portal or OWA.

Has anyone had this same problem, and does anyone know of a workaround (short of downgrading to firefox-1.5 or installing an older version of mozilla as a secondary browser)?

Thank you for your help!

V/r,
Kevin Reinholz
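One diagnostic step worth doing before blaming NSS is to confirm that every certificate the browser actually imported from the CA bundles chains up to a self-signed root, since a silently skipped intermediate (as with the 4 certificates mentioned later in this thread) breaks the trust path. The following Python check is an added example, not code from this thread or from the MUSCLE project; it models certificates as constructed (subject, issuer) name pairs, which in practice you would extract from the imported DER/PEM files.

```python
# Added example (not part of the thread): check whether a set of imported
# CA certificates forms complete chains up to a self-signed root.
# Certificates are modelled as (subject, issuer) name pairs constructed
# for illustration; real names come from the imported certificate files.
from typing import Dict, List, Tuple

Cert = Tuple[str, str]  # (subject, issuer); a root has subject == issuer

# Constructed sample set: "EXAMPLE Intermediate CA 2" was not imported,
# so "EXAMPLE Issuing CA 3" has no path to the root.
IMPORTED_CERTS: List[Cert] = [
    ("EXAMPLE Root CA", "EXAMPLE Root CA"),
    ("EXAMPLE Intermediate CA 1", "EXAMPLE Root CA"),
    ("EXAMPLE Issuing CA 3", "EXAMPLE Intermediate CA 2"),
]


def chain_to_root(subject: str, certs: List[Cert],
                  max_depth: int = 10) -> Tuple[List[str], str]:
    """Walk issuer links from `subject` upward through the imported set.

    Returns (path, status); status is "complete" when a self-signed root is
    reached, "missing:<name>" when an issuer is absent from the set,
    "loop" on a cycle, or "too-deep" if max_depth is exceeded.
    """
    by_subject: Dict[str, str] = {s: i for s, i in certs}
    path: List[str] = []
    name = subject
    for _ in range(max_depth):
        issuer = by_subject.get(name)
        if issuer is None:          # issuer was never imported
            return path, f"missing:{name}"
        path.append(name)
        if issuer == name:          # self-signed: chain is complete
            return path, "complete"
        if issuer in path:          # malformed set: A issued by B issued by A
            return path, "loop"
        name = issuer
    return path, "too-deep"


def audit(certs: List[Cert]) -> Dict[str, str]:
    """Chain status of every non-root certificate, keyed by subject."""
    return {s: chain_to_root(s, certs)[1] for s, i in certs if s != i}


if __name__ == "__main__":
    for subject, status in audit(IMPORTED_CERTS).items():
        print(f"{subject}: {status}")
```

A "missing:" result names the exact intermediate to re-import; a fully "complete" audit means the server-side trust path is intact and the -12222 signing failure must be looked for on the token/PKCS#11 side.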

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle