[CentOS] Firefox fails to authenticate .mil sites with New DoD CAC
Jason Pyeron
jpyeron at pdinc.us
Wed Dec 3 23:20:34 UTC 2014
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Cal Webster
> Sent: Wednesday, December 03, 2014 17:35
> To: CentOS List
> Subject: [CentOS] Firefox fails to authenticate .mil sites
> with New DoD CAC
>
> Can anyone help with getting the new DoD CACs (Smart Card) to work in
> CentOS 6.6? I don't use it for console logins, only for email and .mil
> web sites.
>
> I recently had to get a new DoD CAC (Smart Card) when one of the
> buildings I work in upgraded their security system. My old CAC was
> working fine prior to this for signing and encrypting email and for
> authenticating to various DoD (.mil) sites from the Internet using the
> coolkey libraries.
>
> After getting my new CAC I am no longer able to authenticate
> to any DoD
> sites. I can still sign and encrypt email in Thunderbird via
> the coolkey
> libraries but .mil sites either simply display blank pages or raise
> various errors in firefox. I am prompted for my PIN, which is
> successfully accepted but I'm not even prompted for which cert to use,
> like I used to be.
Does your system trust CA32?
I see
Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
Validity
Not Before: Nov 24 00:00:00 2014 GMT
Not After : Jan 30 23:59:59 2015 GMT
Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=WEBSTER.CALVIN.DALE.1011559383
>
> I've tried installing and loading the latest "cackey" libraries (see
> below) but when I insert my CAC and attempt to login to the module in
> the Mozilla device manager it completely freezes firefox. Recovery
> requires killing firefox. If I remove the latest and install the next
> previous cackey library it works the same as coolkey -
> doesn't freeze up
> firefox but never connects to .mil sites.
>
> I tried building the cackey RPMs from the source RPMs too but
> the result
> is the same.
>
> Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm
> Next previous cackey: cackey-0.6.5-2444.x86_64.rpm
>
> I'm pretty sure it has something to do with the newer PIV CAC internal
> layout. I went through a similar transition when the GEMAL 144 cards
> came out but the cackey libraries did at least work and coolkey
> eventually caught up.
>
> One thing is for sure... the cackey RPM from forge.mil is not
> a drop-in
> replacement for coolkey. The cackey RPM only installs the libraries
> themselves, nothing else. It doesn't even register them in
> the nss db I
> had to do that manually with modutil. I must be missing something...
>
> Without direct access to forge.mil it's difficult to troubleshoot
> cackey. For some silly reason they still require CAC authentication to
> get the CAC software and drivers and access the forums, etc.
Ha. Have you contacted the DOD PKE team for support on that? DISA Tinker AFB OPS List PKE_Support <dgisa.tinker.ops.list.pkesupport at mail.mil>
>
> More relevant information below...
>
> I'd be grateful for any ideas or advice on this. I desperately need to
> retrieve vulnerability reports, patches, and other DoD resources.
> Thanks!
>
> Cal Webster
>
I have a G&D FIPS 201 SCE 3.2 test CAC from JITC I can attach to VM for debbuging.
>
>
>
> Smart Card Reader:
> SCM Microsystems Inc. SCR3310 USB Smart Card Reader
> (21120628202509) 00
> 00-0
>
> Old CAC: GEMAL TO TOPDL GX4 144
> New CAC: G&D FIPS 201 SCE 3.2
>
>
> [root at inet3 ~]# cat /etc/redhat-release
> CentOS release 6.6 (Final)
> [root at inet3 ~]# uname -a
> Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC
> 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at inet3 ~]#
>
> Installed Packages
>
> coolkey.i686 1.1.0-32.el6 @base
> coolkey.x86_64 1.1.0-32.el6 @base
> firefox.i686 31.2.0-3.el6.centos
> @updates
> firefox.x86_64 31.2.0-3.el6.centos
> @updates
> thunderbird.x86_64 31.2.0-3.el6.centos
> @updates
> pcsc-lite.x86_64 1.5.2-14.el6
> @base
> pcsc-lite-devel.x86_64 1.5.2-14.el6
> @base
> pcsc-lite-libs.x86_64 1.5.2-14.el6
> @base
> nss.i686 3.16.1-14.el6
> @base
> nss.x86_64 3.16.1-14.el6
> @base
> nss-devel.x86_64 3.16.1-14.el6
> @base
> nss-softokn.i686 3.14.3-18.el6_6
> @updates
> nss-softokn.x86_64 3.14.3-18.el6_6
> @updates
> nss-softokn-devel.x86_64 3.14.3-18.el6_6
> @updates
> nss-softokn-freebl.i686 3.14.3-18.el6_6
> @updates
> nss-softokn-freebl.x86_64 3.14.3-18.el6_6
> @updates
> nss-softokn-freebl-devel.x86_64 3.14.3-18.el6_6
> @updates
> nss-sysinit.x86_64 3.16.1-14.el6
> @base
> nss-tools.x86_64 3.16.1-14.el6
> @base
> nss-util.i686 3.16.1-3.el6
> @base
> nss-util.x86_64 3.16.1-3.el6
> @base
> nss-util-devel.x86_64 3.16.1-3.el6
> @base
>
>
> [root at inet3 ~]# modutil -list -dbdir /etc/pki/nssdb
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> 1. NSS Internal PKCS #11 Module
> slots: 2 slots attached
> status: loaded
>
> slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
>
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
>
> 2. CoolKey PKCS #11 Module
> library name: libcoolkeypk11.so
> slots: 1 slot attached
> status: loaded
>
> slot: SCM Microsystems Inc. SCR3310 USB Smart Card
> Reader (21120628202
> token: WEBSTER.CALVIN.DALE.9427154028
>
> 3. cackey
> library name: libcackey.so
> slots: 2 slots attached
> status: loaded
>
> slot: CACKey Slot
> token: WEBSTER.CALVIN.DALE.9427154028
>
> slot: CACKey Slot
> token: DoD Certificates
> -----------------------------------------------------------
> [root at inet3 ~]#
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- -
- Jason Pyeron PD Inc. http://www.pdinc.us -
- Principal Consultant 10 West 24th Street #100 -
- +1 (443) 269-1555 x333 Baltimore, Maryland 21218 -
- -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
More information about the CentOS
mailing list