Closed Bug 1065628 Opened 10 years ago Closed 8 years ago

New smartcard results in many sites throwing 403.7 error with Firefox

Categories

(Core :: Security, defect)

31 Branch
x86_64
All
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: h0wdyd3wdy, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36

Steps to reproduce:

Whether or not I use CoolKey in Linux or ActivClient in Windows, since getting a new CAC/smartcard, I cannot use various DoD and gov sites with Firefox in Linux or Windows.

For instance, I cannot access https://www.bol.navy.mil or https://mypay.dfas.mil/mypay.aspx (click on smartcard login).  Although both sites prompt for my CAC pin, they do not allow me to choose a certificate, despite that setting being pressed, and just fail with such errors as:

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

or

Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213)

---

AKO/Army Knowledge Online/NKO work fine, prompting for my CAC pin, and then prompting for which cert I want to use.

This has all started since I got a new CAC card last week.

When I use IE in Windows, all of the sites work fine. However, that's obviously not a solution, as I don't want to have to use vbox every time I want to access one of these sites.

The issue is in both win and Linux Firefox.  I even tried Firefox on an Ubuntu live cd, and the same problem occurred, so it's not a cached cookie/cert issue either.


Actual results:

Did not prompt for which certificate, but throws 403/403.7.


Expected results:

Prompt for certificate.
Could you test with a clean profile, please.
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles

If that doesn't change anything, do you know if it works by using an old version of Firefox like FF30 or older?
Flags: needinfo?(h0wdyd3wdy)
Hi,

I did test with a clean profile.  I also tried booting off an Ubuntu DVD, installing coolkey into memory, and doing it that way.  Same problem.

I had the same experience with FF 64bit(nightly) in Windows 8.1.

Same issue occurs in Chrome, FWIW.

I just installed 30 from here:
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/30.0/linux-x86_64/en-US/

And tried a new profile, but same problem:(  Just tried it with mypay

 myPay SmartCard error: 403.7
The page requires a client certificate
The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server will recognize. The client certificate is used for identifying you as a valid user of the resource.
Flags: needinfo?(h0wdyd3wdy)
Did you contact the support of SmartCard? Maybe it's an issue with their new product.
It's issued by the U.S. government.  It works fine with IE in every one of these cases.  They only support IE.
OS: Linux → All
I have the same issue following a new smart card.  Furthermore, firefox crashes when I try to log into the smart card using the security devices tab.
Did it use to work with a previous version of Firefox, like Firefox 30 or older?
Component: Untriaged → Security
Product: Firefox → Core
Flags: needinfo?(h0wdyd3wdy)
The last time it worked properly was 2 months ago.  I don't know what version of Firefox I was using at the time.
I also experienced this issue. I can log into some DoD sites, but not others. Exact same error. I'll have to wait until I get home to check my versions, but it is the standard package for Ubuntu (14.04, I think).
I'm having the same problem.  It all started when I installed the latest version of Firefox.  Which was a few days ago.
This drove me crazy for several months once it quit working on firefox.  I could not get either the coolkey or cackey module to load in firefox without crashing firefox.  I finally stumbled on a solution in one of the archlinux forums.  I uninstalled Coolkey and Cackey.  I then installed opensc-pkcs11.so.  Once that was installed I manually added all the DOD certificates.  I think I downloaded them from the disa site.  Bottom line: use the opensc-pkcs11.so driver and install all the DOD certificates that you might need.
So, should I remove ActivClient from Firefox?  Where do I download opensc-pkcs11.so from?  So, now you can access ALL cac-enabled sites?  Can you provide a link for downloading the certificates from the disa site?  Also, I thought the DOD configuration 1.3.7 add-on took care of the certificates so you didn't have to download them individually.  Even though Firefox still works with some cac-enabled sites with that add-on disabled.  Sorry about all the questions.
Flags: needinfo?(carl.trask)
I downloaded opensc but I could not find that file, so I uninstalled it.  Is this solution as simple as downloading and installing activclient and then loading the module in Firefox?
It has been a while.  I think I used apt to install the opensc package (I might have installed it from source).  The file needed for firefox for me is located at /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so.  As far as the certificates, I downloaded the certificates from http://militarycac.com/files/maccerts/AllCerts.zip.  I don't think that was very secure, but it was really the only place I could find them.

Sorry for wandering...I followed the instructions on https://militarycac.com/linux.htm for the most part except I used opensc instead of CoolKey or CACkey.  To do the opensc files use this site https://www.opensc-project.org/opensc/wiki/CompilingInstalling.  Install the certificates downloaded in the AllCerts.zip file above into firefox.
Flags: needinfo?(carl.trask)
I fixed it.  I have AVAST Premier so I turned off all active protection for 10 minutes and was able to get to the sites.  Now I just need to figure out how to configure it so I can access those sites with protection on.  Any advice would be appreciated.
I think I figured it out.  I just added the urls from mypay and OWA to the exclusions list on Avast's web shield.  Now I have active protection and access to all the cac-enabled websites I've tried.
Yup, it's fixed.
(In reply to Ddgg from comment #8)
> I also experienced this issue. I can log into some DoD sites, but not
> others. Exact same error. I'll have to wait until I get home to check my
> versions, but it is the standard package for Ubuntu (14.04, I think).

Did you ever get it to work?
Flags: needinfo?(dan.gebhardt)
(In reply to Carl from comment #5)
> I have the same issue following a new smart card.  Furthermore, firefox
> crashes when I try to log into the smart card using the security devices tab.

(In reply to Carl from comment #10)
> This drove me crazy for several months once it quit working on firefox.  I
> could not get either the coolkey or cackey module to load in firefox without
> crashing firefox.

Hello Carl!

Could you please share the crash IDs as detailed at https://support.mozilla.org/en-US/kb/firefox-crashes-troubleshoot-prevent-and-get-help#w_get-help-fixing-this-crash ?

Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE