Closed
Bug 1065628
Opened 10 years ago
Closed 8 years ago
New smartcard results in many sites throwing 403.7 error with Firefox
Categories
(Core :: Security, defect)
RESOLVED
INCOMPLETE
People
(Reporter: h0wdyd3wdy, Unassigned, NeedInfo)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36

Steps to reproduce:

Whether or not I use CoolKey in Linux or ActivClient in Windows, since getting a new CAC/smartcard, I cannot use various DoD and gov sites with Firefox in Linux or Windows. For instance, I cannot access https://www.bol.navy.mil or https://mypay.dfas.mil/mypay.aspx (click on smartcard login). Although both sites prompt for my CAC pin, they do not allow me to choose a certificate, despite that setting being pressed, and just fail with such errors as:

403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

or

Error Code: 403 Forbidden. The page requires a client certificate as part of the authentication process. If you are using a smart card, you will need to insert your smart card to select an appropriate certificate. Otherwise, contact your server administrator. (12213)

---

AKO/Army Knowledge Online/NKO work fine, prompting for my CAC pin, and then prompting for which cert I want to use. This has all started since I got a new CAC card last week. When I use IE in Windows, all of the sites work fine. However, that's obviously not a solution, as I don't want to have to use vbox every time I want to access one of these sites. The issue is in both win and Linux Firefox. I even tried Firefox on an Ubuntu live cd, and the same problem occurred, so it's not a cached cookie/cert issue either.

Actual results:

Did not prompt for which certificate, but throws 403/403.7.

Expected results:

Prompt for certificate.
Could you test with a clean profile, please. https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles If that doesn't change anything, do you know if it works by using an old version of Firefox like FF30 or older?
Flags: needinfo?(h0wdyd3wdy)
Reporter
Comment 2•10 years ago
Hi, I did test with a clean profile. I also tried booting off an Ubuntu DVD, installing coolkey into memory, and doing it that way. Same problem. I had the same experience with FF 64bit (nightly) in Windows 8.1. Same issue occurs in Chrome, FWIW.

I just installed 30 from here: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/30.0/linux-x86_64/en-US/

And tried a new profile, but same problem :(

Just tried it with mypay

myPay SmartCard error: 403.7 The page requires a client certificate

The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server will recognize. The client certificate is used for identifying you as a valid user of the resource.
Flags: needinfo?(h0wdyd3wdy)
Did you contact the support of SmartCard? Maybe it's an issue with their new product.
Reporter
Comment 4•10 years ago
It's issued by the U.S. government. It works fine with IE in every one of these cases. They only support IE.
Updated•10 years ago
OS: Linux → All
I have the same issue following a new smart card. Furthermore, Firefox crashes when I try to log into the smart card using the security devices tab.
Did it use to work with a previous version of Firefox, like Firefox 30 or older?
Component: Untriaged → Security
Product: Firefox → Core
The last time it worked properly was 2 months ago. I don't know what version of Firefox I was using at the time.
I also experienced this issue. I can log into some DoD sites, but not others. Exact same error. I'll have to wait until I get home to check my versions, but it is the standard package for Ubuntu (14.04, I think).
I'm having the same problem. It all started when I installed the latest version of Firefox, which was a few days ago.
Comment 10•9 years ago
This drove me crazy for several months once it quit working on Firefox. I could not get either the coolkey or cackey module to load in Firefox without crashing Firefox. I finally stumbled on a solution in one of the Arch Linux forums. I uninstalled Coolkey and Cackey. I then installed opensc-pkcs11.so. Once that was installed I manually added all the DOD certificates. I think I downloaded them from the DISA site. Bottom line: use the opensc-pkcs11.so driver and install all the DOD certificates that you might need.
Comment 11•9 years ago
So, should I remove ActivClient from Firefox? Where do I download opensc-pkcs11.so from? So, now you can access ALL CAC-enabled sites? Can you provide a link for downloading the certificates from the DISA site? Also, I thought the DOD configuration 1.3.7 add-on took care of the certificates so you didn't have to download them individually. Even though Firefox still works with some CAC-enabled sites with that add-on disabled. Sorry about all the questions.
Flags: needinfo?(carl.trask)
Comment 12•9 years ago
I downloaded opensc but I could not find that file, so I uninstalled it. Is this solution as simple as downloading and installing ActivClient and then loading the module in Firefox?
Comment 13•9 years ago
It has been a while. I think I used apt to install the opensc package (I might have installed it from source). The file needed for Firefox for me is located at /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so. As far as the certificates, I downloaded the certificates from http://militarycac.com/files/maccerts/AllCerts.zip. I don't think that was very secure, but it was really the only place I could find them. Sorry for wandering... I followed the instructions on https://militarycac.com/linux.htm for the most part except I used opensc instead of CoolKey or CACkey. To do the opensc files use this site https://www.opensc-project.org/opensc/wiki/CompilingInstalling. Install the certificates downloaded in the AllCerts.zip file above into Firefox.
Flags: needinfo?(carl.trask)
Comment 14•9 years ago
I fixed it. I have AVAST Premier so I turned off all active protection for 10 minutes and was able to get to the sites. Now I just need to figure out how to configure it so I can access those sites with protection on. Any advice would be appreciated.
Comment 15•9 years ago
I think I figured it out. I just added the URLs from mypay and OWA to the exclusions list on Avast's web shield. Now I have active protection and access to all the CAC-enabled websites I've tried.
Comment 16•9 years ago
Yup, it's fixed.
Comment 17•9 years ago
(In reply to Ddgg from comment #8)
> I also experienced this issue. I can log into some DoD sites, but not
> others. Exact same error. I'll have to wait until I get home to check my
> versions, but it is the standard package for Ubuntu (14.04, I think).

Did you ever get it to work?
Flags: needinfo?(dan.gebhardt)
Comment 18•9 years ago
(In reply to Carl from comment #5)
> I have the same issue following a new smart card. Furthermore, Firefox
> crashes when I try to log into the smart card using the security devices tab.

(In reply to Carl from comment #10)
> This drove me crazy for several months once it quit working on Firefox. I
> could not get either the coolkey or cackey module to load in Firefox without
> crashing Firefox.

Hi Carl! Could you please share the crash IDs as detailed at https://support.mozilla.org/en-US/kb/firefox-crashes-troubleshoot-prevent-and-get-help#w_get-help-fixing-this-crash ? Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE