[Muscle] certificate error using DoD CAC with Firefox or Thunderbird

Kevin Reinholz kreinholz at gmail.com
Sun Nov 25 09:50:58 PST 2007


Thank you for your reply!

I discovered that Firefox failed to import 4 of the certificates 
contained within those 3 certificate chains at 
http://dodpki.c3pki.chamb.disa.mil/rootca.html. I had a friend with 
access to a Windows box import the certificate chains and send me those 
4 missing certificates, but still no luck in either Firefox or Thunderbird.

I'm going to give Seamonkey a try and see if that helps.

I originally compiled Coolkey but for some reason libcoolkey.so wouldn't 
link against libpcsclite, and either Firefox or Thunderbird would 
segfault upon trying to add libcoolkey.so as a security device.

My other computer is a Mac, so there is some attraction to supporting my 
CAC via the same framework (and same CACPlugin) on both systems.

I'm going to keep working on it and see if I can resolve this SSL error...

David Mueller wrote:
> I usually recommend the Coolkey PKCS#11 module to access a CAC.  I haven't heard of anyone trying to use it with FreeBSD, but as it works with Linux, Windows, and Mac OS X, I imagine it would probably work with FreeBSD as well.  It isn't that hard to compile.  But if your home-brewed bundle works for SSLv3/TLSv1 servers then that should be fine as well.
>
> http://directory.fedoraproject.org/wiki/CoolKey
>
> I haven't had problems with trying to sign/encrypt email with Thunderbird, but I have also had problems trying to access SSLv2 sites with Firefox 2.  I've also tried going into about:config and enabling everything as you outlined and that hasn't worked either.  SeaMonkey worked but I can't recall if it still does with current versions; usually the few times I've had to access an SSLv2 site I've used Safari.
>
> - David
>
> ----- Original Message -----
> From: "Kevin Reinholz" 
> To: muscle at lists.musclecard.com
> Subject: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird
> Date: Fri, 23 Nov 2007 20:38:38 -0600
>
> Ladies and Gentlemen,
>
> I noticed some posts regarding this problem in the mailing list archives from January 2007 and at http://forums.mozillazine.org/viewtopic.php?t=487555. However, I did not see a solution (other than downgrading to firefox-1.5).
>
> I am running firefox-2.0.0.9 on FreeBSD 7.0-beta2 (i386). My CAC is supported via an SCM SCR 331 smart card reader, pcsc-lite-1.4.4, libmusclecard-1.3.3, muscleframework-1.1.6, and a home-brewed commonAccessCard.bundle created using Apple's CACPlugin from SmartCardServices-32672 (from Mac OS X 10.5).
>
> I registered my CAC using bundleTool and loaded libmusclepkcs11.so.0 as a security module in Firefox and Thunderbird. Assuming I insert my CAC before launching Firefox or Thunderbird, going to View Certificates prompts me for my PIN, after which my personal certificates display.
>
> I added the 3 certificate chains at http://dodpki.c3pki.chamb.disa.mil/rootca.html, plus http://dodpki.c3pki.chamb.disa.mil/dodroot.cac for good measure when the latter wasn't enough. I checked the boxes to accept the certificates for all 3 possible purposes.
>
> Going to a CAC site (such as AF Portal and choosing CAC Login), I am prompted for my PIN and to choose a certificate. I've tried both my e-mail and my non-e-mail certificate, and either way receive the following error message:
>
> Error establishing an encrypted connection to www.my.af.mil. Error Code: -12222.
>
> I did a little research and this is apparently an SSL error that means "Unable to digitally sign data required to verify your certificate." (According to http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html)
>
> When attempting to digitally sign an e-mail using one of the certificates on my CAC in Thunderbird (thunderbird-2.0.0.4), I receive an error about my certificate. (Just a verbose version of Firefox's cryptic error code -12222 message).
>
> I noticed that Firefox uses SSL v3, and I read elsewhere in these mailing list archives that DoD sites still use SSL v2. I enabled SSL v2 (disabled by default) in Firefox by going to about:config in the address bar, typing ssl2 as a filter, and changing all of the values re SSL v2 from "false" to "true." Still no luck logging onto AF Portal or OWA.
>
> Has anyone had this same problem, and does anyone know of a workaround (short of downgrading to firefox-1.5 or installing an older version of mozilla as a secondary browser)?
>
> Thank you for your help!
>
> V/r,
> Kevin Reinholz
>