[Muscle] certificate error using DoD CAC with Firefox or
Thunderbird
David Mueller
dsm42 at iname.com
Sun Nov 25 10:50:48 PST 2007
Do you import all three sets of certs from the DISA rootca site? I usually get some errors with the first one as well, but not with the second two. I haven't looked closely to compare but I haven't run into any problems with missing certs.
- David
----- Original Message -----
From: "Kevin Reinholz"
To: MUSCLE
Subject: Re: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird
Date: Sun, 25 Nov 2007 11:50:58 -0600
Thank you for your reply!
I discovered that Firefox failed to import 4 of the certificates
contained within those 3 certificate chains at
http://dodpki.c3pki.chamb.disa.mil/rootca.html. I had a friend with
access to a Windows box import the certificate chains and send me
those 4 missing certificates, but still no luck in either Firefox
or Thunderbird.
I'm going to give Seamonkey a try and see if that helps.
I originally compiled Coolkey but for some reason libcoolkey.so
wouldn't link against libpcsclite, and either Firefox or
Thunderbird would segfault upon trying to add libcoolkey.so as a
security device.
My other computer is a Mac, so there is some attraction to
supporting my CAC via the same framework (and same CACPlugin) on
both systems.
I'm going to keep working on it and see if I can resolve this SSL error. . .
David Mueller wrote:
> I usually recommend the Coolkey PKCS#11 module to access a CAC.
> I haven't heard of anyone trying to use it with FreeBSD, but as
> it works with Linux, Windows, and Mac OS X, I imagine it would
> probably work with FreeBSD as well. It isn't that hard to
> compile. But if your home-brewed bundle works for SSLv3/TLSv1
> servers then that should be fine as well.
>
> http://directory.fedoraproject.org/wiki/CoolKey
>
> I haven't had problems with trying to sign/encrypt email with
> Thunderbird, but I have also had problems trying to access SSLv2
> sites with Firefox 2. I've also tried going into about:config
> and enabling everything as you outlined and that hasn't worked
> either. SeaMonkey worked but I can't recall if it still does
> with current versions; usually the few times I've had to access
> an SSLv2 site I've used Safari.
>
> - David
>
> ----- Original Message -----
> From: "Kevin Reinholz"
> To: muscle at lists.musclecard.com
> Subject: [Muscle] certificate error using DoD CAC with Firefox or Thunderbird
> Date: Fri, 23 Nov 2007 20:38:38 -0600
>
> Ladies and Gentlemen,
>
> I noticed some posts regarding this problem in the mailing
> list archives from January 2007 and
> at http://forums.mozillazine.org/viewtopic.php?t=487555. However,
> I did not see a solution (other than downgrading to firefox-1.5).
>
> I am running firefox-2.0.0.9 on FreeBSD 7.0-beta2 (i386). My CAC
> is supported via an SCM SCR 331 smart card reader,
> pcsc-lite-1.4.4, libmusclecard-1.3.3, muscleframework-1.1.6, and a
> home-brewed commonAccessCard.bundle created using Apple's
> CACPlugin from SmartCardServices-32672 (from Mac OS X 10.5).
>
> I registered my CAC using bundleTool and loaded
> libmusclepkcs11.so.0 as a security module in Firefox and
> Thunderbird. Assuming I insert my CAC before launching Firefox or
> Thunderbird, going to View Certificates prompts me for my PIN,
> after which my personal certificates display.
>
> I added the 3 certificate chains
> at http://dodpki.c3pki.chamb.disa.mil/rootca.html,
> plus http://dodpki.c3pki.chamb.disa.mil/dodroot.cac for good
> measure when the latter wasn't enough. I checked the boxes to
> accept the certificates for all 3 possible purposes.
>
> Going to a CAC site (such as AF Portal and choosing CAC Login), I
> am prompted for my PIN and to choose a certificate. I've tried
> both my e-mail and my non-e-mail certificate, and either way
> receive the following error message:
>
> Error establishing an encrypted connection to www.my.af.mil.
> Error Code: -12222.
>
> I did a little research and this is apparently an SSL error that
> means "Unable to digitally sign data required to verify your
> certificate." (According to
> http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html)
>
> When attempting to digitally sign an e-mail using one of
> the certificates on my CAC in Thunderbird (thunderbird-2.0.0.4), I
> receive an error about my certificate. (Just a verbose version of
> Firefox's cryptic error code -12222 message).
>
> I noticed that Firefox uses SSL v3, and I read elsewhere in
> these mailing list archives that DoD sites still use SSL v2. I
> enabled SSL v2 (disabled by default) in Firefox by going to
> about:config in the address bar, typing ssl2 as a filter, and
> changing all of the values re SSL v2 from "false" to "true." Still
> no luck logging onto AF Portal or OWA.
>
> Has anyone had this same problem, and does anyone know of a
> workaround (short of downgrading to firefox-1.5 or installing an
> older version of mozilla as a secondary browser)?
>
> Thank you for your help!
>
> V/r,
> Kevin Reinholz
>
>
>
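The thread above turns on whether the imported DoD chain bundles actually carry every intermediate the browser needs; Kevin reports Firefox silently dropping 4 certificates from the 3 chains, after which client-certificate signing fails with -12222. The script below is an added example, not code from the thread or from the MUSCLE project: it builds a constructed toy root -> intermediate -> leaf hierarchy with openssl (placeholder names, no real DoD certificates), packs the CA certificates into a PKCS#7 bundle the way the DISA .p7b files are distributed, lists what the bundle really contains, and shows that chain verification fails the moment the intermediate is missing from what the verifier was given. The same `openssl verify` check can be run against a real downloaded bundle and a certificate exported from a CAC before blaming the PKCS#11 module.

```shell
#!/bin/sh
# Added example (not from the thread): demonstrate why a chain import that
# drops an intermediate breaks verification, using a constructed toy PKI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the example does not depend on the system
# openssl.cnf; v3_ca marks a certificate as a CA.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Toy root CA (self-signed), placeholder name.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout root.key \
  -out root.pem -subj "/CN=Toy Root CA" -days 30 2>/dev/null
# Toy intermediate CA, signed by the root.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout inter.key \
  -out inter.csr -subj "/CN=Toy Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_ca -days 30 -out inter.pem 2>/dev/null
# Toy end-entity certificate (stands in for a card's identity certificate).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
  -out leaf.csr -subj "/CN=Toy Card Holder" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -out leaf.pem 2>/dev/null

# Pack the CA certificates into a PKCS#7 bundle, as CA chains are often shipped.
cat root.pem inter.pem > bundle.pem
openssl crl2pkcs7 -nocrl -certfile bundle.pem -out bundle.p7b

# list_bundle FILE.p7b: print one subject line per certificate in the bundle,
# so you can compare against what the browser's certificate manager shows.
list_bundle() {
  openssl pkcs7 -in "$1" -print_certs -noout | grep '^subject'
}

# count_bundle FILE.p7b: number of certificates inside the bundle.
count_bundle() {
  list_bundle "$1" | wc -l | tr -d ' '
}

# chain_ok ROOT LEAF [UNTRUSTED]: return 0 if LEAF chains to trust anchor ROOT,
# optionally using the UNTRUSTED file as a source of intermediates.
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

echo "certificates in bundle: $(count_bundle bundle.p7b)"
list_bundle bundle.p7b
if chain_ok root.pem leaf.pem inter.pem; then
  echo "with intermediate: chain OK"
fi
if ! chain_ok root.pem leaf.pem; then
  echo "without intermediate: unable to get local issuer certificate"
fi
```

For a real bundle, replace `bundle.p7b` with the downloaded chain file and `leaf.pem` with a certificate exported from the card; if `count_bundle` reports more certificates than the browser lists after import, the import dropped some, and that is the place to look before touching the SSL version settings.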