Open Bug 2008572 Opened 1 month ago Updated 21 days ago

unable to use my CIE electronic identity card,latest vers 1.4.3.12, with firefox 146.0.1

Categories

(Core :: Security: PSM, defect, P2)

Firefox 146
defect

Tracking

()

UNCONFIRMED

People

(Reporter: p060477, Unassigned)

Details

(Whiteboard: [psm-smartcard])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0

Steps to reproduce:

tried to identify me here:
https://sportello.harnekinfo.it/Login.aspx?A=SA
with my CIE,electronic identity card
and its badge
the program is CIE Middleware 1.4.3.12 and put
CIEPKI.dll in windows\system32

Actual results:

when the certificate appears i click on ok but the page remains in loop and then i got "time expired"

Expected results:

i should have been able to log in as i easily do using edge or chrome

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

If you remove CIEPKI.dll from the device manager in Firefox, does it work?

Flags: needinfo?(p060477)

Hi Dana, first let me thxs you for yr kind attention ,
also if i remove the CIEPKI.dll from the device manager
it doesn't work
i first tried without upload it,the ciepki.dll, in the device manager cause i know that from mozilla vers 90
it wasn't needed cause as i've understood from that vers.90 , and i have the latest 146.0.1,
the behaviour of firefox should be exactly the same as chrome or edge
but in my case did not work
so i tried to upload the module ,with CIEPKI.dll,in the device manager
but still doesn't work.
again thxs you so much for yr attention and yr helping for me is very very important.
cheers

Flags: needinfo?(p060477)

Without CIEPKI.dll, if you look at your certificates in Firefox (about:preferences -> Privacy & Security -> View Certificates -> Your Certificates), do you see your certificate?

Did earlier versions of Firefox work?

Flags: needinfo?(p060477)

Hi Dana thxs so much again
yes i see the certificate
here it is:
https://i.postimg.cc/fbmrz8gc/Immagine.jpg
is the one under "Ministero dell'Interno"
infact when i try to log in for example at this site:
https://sportello.harnekinfo.it/Login.aspx?A=SA
the certificate with all my correct datas as name surname fiscal code and expiry date
appears at my window's desktop but when i click to send it
the webpage remains in charges for lot of time then i got time out...

this is the first time i use my CIE, in the past i used the CNS which is another system identification with another badge
and another dll, this: stPKCS11.dll but in the recents firefox versions i do not need to upload the relative module in device manager
as i did before ff vers 90, when i enter a site with that kind of authentication,the CNS card, i simply see its certificate
which is the one under "Infocert Spa" of my above picture
i click to send it , then it appears the pop up window to insert its Pin, i did and all is ok
but for the site i've linked above:
https://sportello.harnekinfo.it/Login.aspx?A=SA
the CNS is not suitable and i have to use the CIE card with its badge
if i do this with chrome or edge its behaviour is the same as i described for the CNS in firefox
but if i try to log in with CIE+ Firefox i got the bug showed.
hope this helps you
apologize for my few skills
thxs so much again for yr attn
yr helping for me is fundamental
thxs from the deep of my heart
cheers

Flags: needinfo?(p060477)

i uploaded the right image of my certificates:
https://i.postimg.cc/fbmrz8gc/Immagine.jpg

I downloaded a portable version and, without adding anything, I first checked the certificates and security devices for any potential conflicts.
And in the profile folder, the pkcs11 file was set correctly:
```
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:D:\DESKTOP\BROWSERS\FIREFOX\FirefoxPortable_new\Data\profile' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

library=C:\Windows\System32\CIEPKI.dll
name=Middleware CIE
```
While the Firefox profile, which is installed on the PC and not portable,
on which I loaded the CNS health card has the corresponding pkcs.11 file correctly set as follows:

```
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:C:\Users\xxxx\AppData\Roaming\Mozilla\Firefox\Profiles\bg3tc61f.Primo' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

library=C:\Windows\System32\stPKCS11.dll
name=Carta Sanitaria
```

Then I loaded the CIE module ciepki.dll and it picked it up, and I connected with the last four digits of the PIN.
Everything seemed fine...but...just looking at the certificates, I found not one, but two new ones:

https://i.postimg.cc/fbmrz8gc/Immagine.jpg

One is from Infocert, expires in 2027, and concerns my CNS (National Health Insurance Card).
The other is from the Ministry of the Interior and concerns my CIE (Electrical Inspection Certificate).

When I tried to log in to:
https://sportello.harnekinfo.it/Login.aspx?A=SA
I encountered the usual long page reload and a final timeout.

https://i.postimg.cc/fbmrz8gc/Immagine.jpg

Based on this (your certificates are listed as being on the "OS Client Cert Token"), you don't need to load CIEPKI.dll (and probably not stPKCS11.dll either), so I would remove those, just to make sure they're not interfering. If Firefox still times out, try taking a profile with https://profiler.firefox.com. You'll need to edit the settings and change the list under Add custom threads by name: to GeckoMain,socket,ssl,osclientcerts.

Also, do you have a number of certificates in your Windows certificate manager named "DO_NOT_TRUST_FiddlerRoot..."? If so, I would remove the ones you don't use - having many copies of that certificate can slow things down.

Flags: needinfo?(p060477)
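The check suggested in the comment above, as an added example that is not part of the original bug thread or Mozilla's code: a small Python parser for a profile's pkcs11.txt that lists third-party PKCS #11 modules and notes whether they overlap with the OS client certificate token. The sample inputs are constructed, the function names are hypothetical, and treating an unset `security.osclientcerts.autoload` as true is an assumption.

```python
import re

# Constructed sample in the pkcs11.txt layout quoted in the thread
# (internal module stanza shortened; library path as posted by the reporter).
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:D:\\profile' certPrefix='' keyPrefix='' secmod='secmod.db'
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=C:\\Windows\\System32\\CIEPKI.dll
name=Middleware CIE
"""

# Constructed prefs.js line: the pref only appears here once changed by the user.
SAMPLE_PREFS_JS = 'user_pref("security.osclientcerts.autoload", false);\n'


def parse_pkcs11_txt(text):
    """Split pkcs11.txt into blank-line separated stanzas of key=value lines."""
    modules = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition("=")  # split on the first '=' only
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            modules.append(entry)
    return modules


def third_party_modules(modules):
    """Modules with a non-empty library= path, i.e. not the NSS internal module."""
    return [m for m in modules if m.get("library")]


def osclientcerts_autoload(prefs_js, default=True):
    """Read the pref from prefs.js text; `default` is an assumption used when unset."""
    m = re.search(
        r'user_pref\("security\.osclientcerts\.autoload",\s*(true|false)\);', prefs_js)
    return default if m is None else m.group(1) == "true"


def review(pkcs11_txt, prefs_js=""):
    """Return (name, library, note) for each third-party module in the profile."""
    autoload = osclientcerts_autoload(prefs_js)
    findings = []
    for m in third_party_modules(parse_pkcs11_txt(pkcs11_txt)):
        note = ("card may also be visible via OS Client Cert Token; candidate for removal"
                if autoload else
                "OS client certs disabled; this module is the only path to the card")
        findings.append((m.get("name", "?"), m["library"], note))
    return findings
```
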

hi Dana
first lots of thxs again for yr kind attention and useful helping
i pray you to explain better,cause i'm really not very skilled at all,
when you write:
"try taking a profile with https://profiler.firefox.com. You'll need to edit the settings and change the list under Add custom threads by name: to GeckoMain,socket,ssl,osclientcerts."

pls i pray you to explain it as you were talking to a little child, givin every steps in details

cause i repeat i'm not so skilled at all...
i beg your pardon
pls apologize me
thxs for yr comprehension
i thank you from the very deep of my heart
cheers

Flags: needinfo?(p060477)

I would actually start with my second suggestion.
To open the Windows certificate manager, search for "certificates" in the Windows toolbar. It should show something called "Manage user certificates" (I don't know what the Italian localization will be, unfortunately).
If you click that, it should open a program you can use to look at what certificates Windows knows about. You should be able to look in various categories such as "Trusted Root Certification Authorities" for various certificates. What you're looking for is anything called "DO_NOT_TRUST_FiddlerRoot". If you have more than one, I would delete the oldest ones by right-clicking on each one and selecting "Delete" in the menu that pops up.

Flags: needinfo?(p060477)

hi Dana, first let me thank you again for yr very kind attention and useful helping:
i followed yr suggestion and i'm able to arrive here:
https://i.postimg.cc/LXF7Hnc1/Immagine.jpg

now what should have i to do?
apologize for my very few skills
thanks a lot for yr kind and great patience
pls i pray you to do not leave me now,
i think we are near the solution
yr helping for me is essential
cheers

Flags: needinfo?(p060477)

expanding the voices/folders on the left i see that some have a ""DO_NOT_TRUST_FiddlerRoot"."
but is the same only one** "DO_NOT_TRUST_FiddlerRoot". that expires on 12.12.2024**
and is a server authentication **Created by http://www.fiddler2.com **
this is the only one DO_NOT_TRUST_FiddlerRoot i have and is present in some of the voices/folder on the left of my image
to be precise is present in only 3 voices/folder:
starting from the top and expanding the voices is present in the
1st:
"personale-certificati"
2nd:
"autorità di certificazione radice attendibili-certificati"
4th:
"autorità di certificazione intermedie-certificati"

and in my firefox 146.0.1 settings -privacy -show certificates is present one time ,i think is the same, here:

https://i.postimg.cc/9ff8CsFb/Immagine2.jpg

what you suggest to do to me?
i re-thank you for yr precious helping and great patience
apologize me for my very poor skills

the strange thing is that,googling, i see that certificate should have been created by a program:fiddler
but i really did not downloaded ever such this program/tool
and making a deep search on my pc and in the programs i've still installed i really do not find -fiddler-
this is a very great mystery for me,
what is yr opinion?
thxs so much again
cheers

sorry dana i made a little mistake:
i wrote:
"is the same only one** "DO_NOT_TRUST_FiddlerRoot". that expires on 12.12.2024** for the 2nd and 4th voices/folder" of my image
https://i.postimg.cc/LXF7Hnc1/Immagine.jpg
BUT in the first voice:
"personale-certificati" it is really not the only one..i find others...
see:
https://i.postimg.cc/05F21qZ2/Immagine3.jpg

so to sum up what you suggest to me?
apologize me for all the precious time i take from you
thxs so much indeed for yr very kind patience
cheers

(In reply to Gio from comment #15)

sorry dana i made a little mistake:
i wrote:
"is the same only one** "DO_NOT_TRUST_FiddlerRoot". that expires on 12.12.2024** for the 2nd and 4th voices/folder" of my image
https://i.postimg.cc/LXF7Hnc1/Immagine.jpg
BUT in the first voice:
"personale-certificati" it is really not the only one..i find others...
see:
https://i.postimg.cc/yNs0hRSQ/Immagine3.jpg

so to sum up what you suggest to me?
apologize me for all the precious time i take from you
thxs so much indeed for yr very kind patience
cheers

hi Dana, this is my update:
i have deleted all the "DO_NOT_TRUST_FiddlerRoot" that were in Windows certificate manager - "Manage user certificates"
these are all my firefox certificates if i click in privacy -show certificates, are only 3 :
https://i.postimg.cc/hPmNjRDB/Immagine5.jpg

but still got the time out on the web page:
https://sportello.harnekinfo.it/Login.aspx?A=SA

......if i wait for minutes then clicking on the "expired time page" i got this:

https://i.postimg.cc/J75kWGXS/Immagine4.jpg

the pop up ask me to choose a smart card....but every option i choose re-put me in the infinitive loading page
and at the end i got time out...and so on and on....

but if i use edge,or chrome portable, or duckduckgo portable i always get the right authentication:
i mean that at my screen appears this:
https://i.postimg.cc/V6BBT41V/Immagine6.jpg

i put in the 4 digits Pin of the card and easily enter the site above mentioned

what you think?

thxs so much from the deep of my heart
and apologize for all the time stolen by me to you
cheers

When you visit https://sportello.harnekinfo.it/Login.aspx?A=SA and Firefox hangs, is the prompt shown in https://i.postimg.cc/J75kWGXS/Immagine4.jpg appearing behind Firefox somehow? (as in, maybe Firefox is waiting for you to interact with that prompt, but you can't see it because it appeared behind Firefox?)

Flags: needinfo?(p060477)

hi Dana , yes behind,
also if i esc the ff hanged page and i see my desktop i see that prompt.....anyway the right prompt should be:
https://i.postimg.cc/V6BBT41V/Immagine6.jpg

Flags: needinfo?(p060477)

hi Dana maybe this info should be able to help you:
i downloaded waterfox, which is based on firefox i think
and now trying to finally enter the site i got:

"An error occurred while connecting to mtls.idserver.servizicie.interno.gov.it. A PKCS #11 module returned the value CKR_GENERAL_ERROR, meaning a fatal error occurred.

Error code: SEC_ERROR_PKCS11_GENERAL_ERROR

The page you are trying to view cannot be displayed because the authenticity of the data received cannot be verified."

but as i repeat the certificate is valid cause with edge or chrome portable or duckduckgo portable i always get:
https://i.postimg.cc/V6BBT41V/Immagine6.jpg

i put in the 4 digits Pin of the card and easily enter the site above mentioned:
https://sportello.harnekinfo.it/Login.aspx?A=SA

i want to give you also much more details:
this is the certificate,i only omit for privacy my name surname and a part of my fiscal code :

BRNxxx/946209043578
serial number
IDCIT-CA03402OJ

and this is the rest of the certificate:
https://i.postimg.cc/rFBC9gd5/Immagine7.jpg
and
https://i.postimg.cc/HL2wdg6z/Immagine8.jpg

what you think?
pls do not leave me now....i'm totally in yr helping hands
i really thank you from the very deep of my heart
for yr kindness and patience
thxs a lot
and apologize all the precious time i've stolen to you
cheers

with Light 49rc portable mozilla fork of 2016
and with a portable Firefox vers 89 i have no problems
i only have to load the CIEPKI.dll module
so this is a real BUG of Firefox 146.0.1
hope someone fix it
thanks for yr cooperation
cheers

But is there a possibility to fix this frustrating bug?
thanks for yr kind cooperation
cheers

(In reply to Dana Keeler (she/her) [:keeler] from comment #18)

When you visit https://sportello.harnekinfo.it/Login.aspx?A=SA and Firefox hangs, is the prompt shown in https://i.postimg.cc/J75kWGXS/Immagine4.jpg appearing behind Firefox somehow? (as in, maybe Firefox is waiting for you to interact with that prompt, but you can't see it because it appeared behind Firefox?)

(In reply to Gio from comment #19)

hi Dana , yes behind,
also if i esc the ff hanged page and i see my desktop i see that prompt.....anyway the right prompt should be:
https://i.postimg.cc/V6BBT41V/Immagine6.jpg

I'm a little confused. When Firefox hangs, you're saying the prompt shown in https://i.postimg.cc/J75kWGXS/Immagine4.jpg does appear behind Firefox? What happens if you click "OK" without hitting escape in Firefox?

Flags: needinfo?(p060477)

nothing...and to be precise i do not escape firefox...
cause if i escape it also the prompt obviously disappear..
i put the open firefox as icon in the taskbar but firefox is obviously still alive i do not escape
then i click on OK and then i got the time out page....
i repeat i never reach the right prompt:
https://i.postimg.cc/V6BBT41V/Immagine6.jpg

i repeat that with Light 49rc portable, is a old mozilla fork of 2016,
and with a portable Firefox vers 89 i have no problems
i only have to load the CIEPKI.dll module
and then i get the right prompt:
https://i.postimg.cc/V6BBT41V/Immagine6.jpg
so this is a real BUG of Firefox 146.0.1
hope someone fix it

Flags: needinfo?(p060477)

Well, one thing you could try is setting security.osclientcerts.autoload to false in about:config and loading CIEPKI.dll.

Flags: needinfo?(p060477)

hi Dana, first thxs so much for yr kind attention and efforts
already tried the about:config trick
in my case nothing unfortunately changes
i really hope that mozilla devs will fix it hopefully in the very next versions/updates
now we are at the newest vers 147 and the bug is still there
thxs so much
cheers

Flags: needinfo?(p060477)

If you would be willing to try out this development build, it might address the issue: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/H3imfZUGS_-yAuhnrvWKQA/runs/0/artifacts/public/build/setup.exe

Flags: needinfo?(p060477)

Hi Dana and thxs so much again for yr attn and patience
i will happily do if there is a -portable- version of what you suggest me to try:
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/H3imfZUGS_-yAuhnrvWKQA/runs/0/artifacts/public/build/setup.exe

thxs again
cheers

Flags: needinfo?(p060477)

hi Dana
first let me thxs you again for yr helping and attention
the one you suggest is not real portable cause it creates a profile folder in c\user\appliationdata\roaming etcc...etcc....
i do not want the profile in my disc c
the real portable version put it in a subfolder /data/profile
i need a portable such that cause i'm able to manage easily the profile and not to have it in my disc c
thxs again
cheers!

Flags: needinfo?(p060477)

I don't know how to do that. The intention is not for you to use this build long-term - I just want to see if it works for you at all. Is that okay?

Flags: needinfo?(p060477)

Hi Dana and thxs again for yr attention
but i repeat i should like to do every tries but with a portable vers that has its profile in the subfolder data
and the .exe in the subfolder App
thxs so much indeed for yr kind helping and patience
i hope future firefox stable vers will fix this bug.
cheers!

Flags: needinfo?(p060477)

Firefox isn't going to magically get fixed unless we can validate the changes we make. Can you help me understand why you can't temporarily run the test build I linked to in comment 29?

Flags: needinfo?(p060477)

hi Dana
firsts thxs again for yr kind attention
because i really do not want anything about firefox or other browsers in my disc c
the all browser i'm using are all portable , they have their own folder in which there is a subfolder generally -App- with the .exe file
and another called -data- with their own profile in
i repeat it is my personal choice
i think this bug 2008572 is readed about not only me but many other people who have the same problem with their
CIE electronic identity card and firefox
i hope that someone more brave then me should want to try the firefox dev.vers. (comment 29) you gentily ask to try
and should be able to give the answers you require
in the meantime i really want to re-thank you so much
for yr kind helping
and patience too
cheers

Flags: needinfo?(p060477)

may be this info could help you:
my CNS - identity sanitary card
with the module stPKCS11.dll
has no issue
and its about:config is
security.osclientcerts.autoload TRUE
if i try the trick you suggest for the CIE to set it on FALSE
i get the same issue/bug of the CIE: continue reloading page until time out
re-thxs again for yr kind attention
cheers

but , i'm just thinking , perhaps if i try for the CNS to set about:config to false then i've to re-load the module:
stPKCS11.dll
anyway to sum up
CIE bugged with about:config set to true and to false
CNS works if set to true , bugged as cie if set to false

cheers

(In reply to Dana Keeler (she/her) [:keeler] from comment #25)

Well, one thing you could try is setting security.osclientcerts.autoload to false in about:config and loading CIEPKI.dll.

hi Dana i try now with latest 147.0.1 and doing:
"security.osclientcerts.autoload to false in about:config and loading CIEPKI.dll."
now the CIE works
the strange things is that with this configuration and loading the stPKCS11.dll
my sanitary identity card CNS does not work

to sum up:
to work with my CIE i've to set to false and load the CIEPKI.dll
to work with my CNS i've to set it to -true- and not load the stPKCS11.dll

what you think?
hope it helps devs to finally fix the bug
cheers!

The severity field is not set for this bug.
:keeler, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(dkeeler)

Flags: needinfo?(dkeeler)
Severity: -- → S4
Flags: needinfo?(dkeeler)
Priority: -- → P2
Whiteboard: [psm-smartcard]

hi Dana
first thxs again
you set P2:
"Fix in the next release cycle or the following"...:
pls i pray you to write here when fixed
thxs again
cheers
