Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Tìm hiểu thêm

pkcs11 certificate only accessible when open certmanager

  • 2 trả lời
  • 2 gặp vấn đề này
  • 13 lượt xem
  • Trả lời mới nhất được viết bởi tbaehler

more options

I've added a pkcs11 library. And try to access a https site with client authentication.

If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails.

If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.

I've added a pkcs11 library. And try to access a https site with client authentication. If I open firefox and directly open the https site I have to enter the pin for my smartcard. But I cannot choose a certificate and the authentication fails. If I open firefox and first go to "view certificates" in the settings section. I can see my personal certificate after entering the pin for my smartcard. If I then open the https site I can choose my certificate and the authentication works.

Tất cả các câu trả lời (2)

more options

HI tbaehler, I am not sure if you are affected by this but there is an update to SHA-1 type of certificates in the recent update to 32.0.3 https://blog.mozilla.org/security/

However in regards to the smard card when you enter your pin and not being able to select a certificate I would recommend checking out https://developer.mozilla.org/en-US/d.../Module_Installation

Do you have the certificate in the Devices section of the cert manager?

more options

Thanks for your answer.

I don't think it is a configuration problem.

Again if i click on view certificates I see my certificate and can do a two way ssl authentication as desired. so everythink works.

But if i don't click on view certificate on firefox startup I am not able to select my certificyate. firefox just ask for the pin and then fails with (Error code: ssl_error_handshake_failure_alert) It's as if firefox does not update its internal certificate store. (or it just updates it when clicking on view certificate).


There is another bug too, but I was able to solve that. There is a problem in the nss library when trying to authenticate with tls1.2. with tls 1.2 firefox tells me that the key is invalid. by analysing that problem I found out, that nss sets keytype to nullkey. so I corrected that by just modifying lib/ssl3con.c (nss)

if (isTLS12) {
   //rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
   rv = ssl3_TLSSignatureAlgorithmForKeyType(rsaKey,
                          &sigAndHash.sigAlg);

so I set the type to rsaKey directy. With that change I can authenticat and everything works. exept that I have to click on view certificate after firefox starts up. Maybe there is another but in nss somewhere.