Richie,

Richie B. wrote:

I have a customer who is running IIS 5.0. We need to contact a page on
that server that is protected with SSL and requires client
certificates. I have imported the client certificate in Mozilla 1.4 on
Linux. When I access the page, the server responds:

HTTP 403.7 - Forbidden: Client certificate required

The "User Identification Request" popup is never shown. However, when
I connect with IE6, a similar popup is shown, and I can access the
page. Also, using "openssl s_client -cert client.pem" works fine and
shows the page.

I have tried to debug this, but the problem is that the server only
requests the client certificate after the browser sends the GET
statement. So, the first (readable) handshake is without client
certificates. The renegotiation that happens after the GET is
encrypted and I cannot see the problem.

I am guessing this is an IIS issue, but I cannot prove it.

Has anyone else seen this? Any ideas?

First, make sure that you set your client to always prompt you to select the certificate.


I don't know how you specifically configure this in IIS, however:
When doing client auth, the SSL protocol requires the server to send the subject name(s) of the trusted certificate authority(ies) to the client. You need to configure the certificates you trust for client auth in IIS.


Some misconfigured servers may not send over the subject list. If that's the case, Mozilla may have a hard time choosing a client certificate.

If you trust the CAs it will most likely solve your problem.

It may also be that your client certificate was incorrectly imported in Mozilla, or its issuer doesn't match the subject sent over by IIS.

If none of this applies, there may be a Mozilla/PSM/NSS bug, but in order to solve it we most likely will have to be able to access your server.
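The reply above turns on the CA subject names a server lists in its CertificateRequest. The following is an added example, not part of the original thread and not NSS or IIS code: it parses the SSL 3.0/TLS 1.0 CertificateRequest layout and filters client certificates by issuer. The CA names, the certificate nickname and the direct-issuer-only matching rule are constructed assumptions.

```python
def der(tag, body):
    # Short-form DER length only; enough for the small constructed names below.
    if len(body) >= 128:
        raise ValueError("long-form DER length not handled in this example")
    return bytes([tag, len(body)]) + body

def make_name(cn):
    # Constructed minimal X.501 Name: a single commonName (OID 2.5.4.3) RDN.
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, atv))

def build_certificate_request(cert_types, ca_names):
    # Handshake type 13: certificate_types<1..255>, then certificate_authorities,
    # a 2-byte-length vector of 2-byte-length-prefixed DER DistinguishedNames.
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in ca_names)
    body = bytes([len(cert_types)]) + bytes(cert_types) + len(cas).to_bytes(2, "big") + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg):
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if not body or len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("length field does not match message body")
    pos = 1 + body[0]                      # skip the certificate_types vector
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if end != len(body):
        raise ValueError("certificate_authorities length is inconsistent")
    types, pos, names = list(body[1:pos]), pos + 2, []
    while pos < end:
        n = int.from_bytes(body[pos:pos + 2], "big")
        if pos + 2 > end or pos + 2 + n > end:
            raise ValueError("truncated DistinguishedName")
        names.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return types, names

def candidate_certs(client_certs, ca_names):
    # Assumed selection rule (real clients also walk the issuer chain): offer the
    # certs whose issuer Name is in the server's list; with an empty list there
    # is no hint, so every cert stays a candidate.
    if not ca_names:
        return sorted(client_certs)
    return sorted(nick for nick, issuer in client_certs.items() if issuer in ca_names)
```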



