[CentOS] Firefox fails to authenticate .mil sites with New DoD CAC

Cal Webster cwebster at ec.rr.com
Thu Dec 4 16:46:04 UTC 2014


On Wed, 2014-12-03 at 18:20 -0500, Jason Pyeron wrote:
> > -----Original Message-----
> > From: centos-bounces at centos.org 
> > [mailto:centos-bounces at centos.org] On Behalf Of Cal Webster
> > Sent: Wednesday, December 03, 2014 17:35
> > To: CentOS List
> > Subject: [CentOS] Firefox fails to authenticate .mil sites 
> > with New DoD CAC
> > 
> > Can anyone help with getting the new DoD CACs (Smart Card) to work in
> > CentOS 6.6? I don't use it for console logins, only for email and .mil
> > web sites.
> > 
> > I recently had to get a new DoD CAC (Smart Card) when one of the
> > buildings I work in upgraded their security system. My old CAC was
> > working fine prior to this for signing and encrypting email and for
> > authenticating to various DoD (.mil) sites from the Internet using the
> > coolkey libraries. 
> > 
> > After getting my new CAC I am no longer able to authenticate to any DoD
> > sites. I can still sign and encrypt email in Thunderbird via the coolkey
> > libraries but .mil sites either simply display blank pages or raise
> > various errors in firefox. I am prompted for my PIN, which is
> > successfully accepted but I'm not even prompted for which cert to use,
> > like I used to be.
> 
> Does your system trust CA32?
> 
> I see 
> 
> Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
> Validity
>     Not Before: Nov 24 00:00:00 2014 GMT
>     Not After : Jan 30 23:59:59 2015 GMT
> Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=WEBSTER.CALVIN.DALE.1011559383

That's a very good point, Jason. I could not locate that CA in the certs
being stored for Firefox. It is, however, listed in the CA store in
Thunderbird, which I've had no trouble using with coolkey libs. The
trust settings there are all un-checked, though.

I had also installed the latest dod_configuration-1.3.7.xpi extension
which automatically downloads the latest DoD certs on installation. I
assumed it was a complete set. After reading your message I went ahead
and clicked the [Update DoD Certs...] button in the add-on preferences
too - still not listed. Apparently this cert is missed during this
process.

I went ahead and exported the cert from Thunderbird, then imported it
into firefox. Now I'm up and running again.

It's often the simple things we overlook, which is why it's nice to have
a community to bounce things off of. 

Thanks for the help Jason.

> > 
> > I've tried installing and loading the latest "cackey" libraries (see
> > below) but when I insert my CAC and attempt to login to the module in
> > the Mozilla device manager it completely freezes firefox. Recovery
> > requires killing firefox. If I remove the latest and install the next
> > previous cackey library it works the same as coolkey - doesn't freeze up
> > firefox but never connects to .mil sites.
> > 
> > I tried building the cackey RPMs from the source RPMs too but the result
> > is the same.
> > 
> > Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm
> > Next previous cackey: cackey-0.6.5-2444.x86_64.rpm
> > 
> > I'm pretty sure it has something to do with the newer PIV CAC internal
> > layout. I went through a similar transition when the GEMAL 144 cards
> > came out but the cackey libraries did at least work and coolkey
> > eventually caught up.
> > 
> > One thing is for sure... the cackey RPM from forge.mil is not a drop-in
> > replacement for coolkey. The cackey RPM only installs the libraries
> > themselves, nothing else. It doesn't even register them in the nss db;
> > I had to do that manually with modutil. I must be missing something...
> > 
> > Without direct access to forge.mil it's difficult to troubleshoot
> > cackey. For some silly reason they still require CAC authentication to
> > get the CAC software and drivers and access the forums, etc.
> 
> Ha. Have you contacted the DOD PKE team for support on that? DISA Tinker AFB OPS List PKE_Support <dgisa.tinker.ops.list.pkesupport at mail.mil>

No, but thank you for the contact info. Even though I've got my issue
resolved, I'd be happy to help iron out the cackey package issues if
someone wants.

> > 
> > More relevant information below...
> > 
> > I'd be grateful for any ideas or advice on this. I desperately need to
> > retrieve vulnerability reports, patches, and other DoD resources.
> > Thanks!
> > 
> > Cal Webster
> > 
> 
> I have a G&D FIPS 201 SCE 3.2 test CAC from JITC I can attach to VM for debugging.

Thanks but that won't be necessary now unless someone else needs the
help.

> > 
> > 
> > 
> > Smart Card Reader:
> > SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0
> > 
> > Old CAC:	GEMAL TO TOPDL GX4 144
> > New CAC:	G&D FIPS 201 SCE 3.2
> > 
> > 
> > [root at inet3 ~]# cat /etc/redhat-release 
> > CentOS release 6.6 (Final)
> > [root at inet3 ~]# uname -a
> > Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC
> > 2014 x86_64 x86_64 x86_64 GNU/Linux
> > [root at inet3 ~]# 
> > 
> > Installed Packages
> > 
> > coolkey.i686                       1.1.0-32.el6                @base
> > coolkey.x86_64                     1.1.0-32.el6                @base
> > firefox.i686                       31.2.0-3.el6.centos         @updates
> > firefox.x86_64                     31.2.0-3.el6.centos         @updates
> > thunderbird.x86_64                 31.2.0-3.el6.centos         @updates
> > pcsc-lite.x86_64                   1.5.2-14.el6                @base
> > pcsc-lite-devel.x86_64             1.5.2-14.el6                @base
> > pcsc-lite-libs.x86_64              1.5.2-14.el6                @base
> > nss.i686                           3.16.1-14.el6               @base
> > nss.x86_64                         3.16.1-14.el6               @base
> > nss-devel.x86_64                   3.16.1-14.el6               @base
> > nss-softokn.i686                   3.14.3-18.el6_6             @updates
> > nss-softokn.x86_64                 3.14.3-18.el6_6             @updates
> > nss-softokn-devel.x86_64           3.14.3-18.el6_6             @updates
> > nss-softokn-freebl.i686            3.14.3-18.el6_6             @updates
> > nss-softokn-freebl.x86_64          3.14.3-18.el6_6             @updates
> > nss-softokn-freebl-devel.x86_64    3.14.3-18.el6_6             @updates
> > nss-sysinit.x86_64                 3.16.1-14.el6               @base
> > nss-tools.x86_64                   3.16.1-14.el6               @base
> > nss-util.i686                      3.16.1-3.el6                @base
> > nss-util.x86_64                    3.16.1-3.el6                @base
> > nss-util-devel.x86_64              3.16.1-3.el6                @base
> > 
> > 
> > [root at inet3 ~]# modutil -list -dbdir /etc/pki/nssdb
> > 
> > Listing of PKCS #11 Modules
> > -----------------------------------------------------------
> >   1. NSS Internal PKCS #11 Module
> > 	 slots: 2 slots attached
> > 	status: loaded
> > 
> > 	 slot: NSS Internal Cryptographic Services
> > 	token: NSS Generic Crypto Services
> > 
> > 	 slot: NSS User Private Key and Certificate Services
> > 	token: NSS Certificate DB
> > 
> >   2. CoolKey PKCS #11 Module
> > 	library name: libcoolkeypk11.so
> > 	 slots: 1 slot attached
> > 	status: loaded
> > 
> > 	 slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
> > 	token: WEBSTER.CALVIN.DALE.9427154028
> > 
> >   3. cackey
> > 	library name: libcackey.so
> > 	 slots: 2 slots attached
> > 	status: loaded
> > 
> > 	 slot: CACKey Slot
> > 	token: WEBSTER.CALVIN.DALE.9427154028
> > 
> > 	 slot: CACKey Slot
> > 	token: DoD Certificates
> > -----------------------------------------------------------
> > [root at inet3 ~]# 
> > 
> > 
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> > 
> > 
> 
> 
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> -                                                               -
> - Jason Pyeron                      PD Inc. http://www.pdinc.us -
> - Principal Consultant              10 West 24th Street #100    -
> - +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
> -                                                               -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00. 
> 
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
