RE: multiple certificate selection dialogs

2010-05-20 Thread Šandor Feldi
> Does your module attempt to force the user to (re)authenticate to it every
> time it needs to use the private key?
> Does it attempt to do this by (re)entering a read-only state such as
> CKS_RO_PUBLIC_SESSION after it performs a private key operation?
> If so, that's your problem.

The module enters CKS_RO_USER_FUNCTIONS after a successful login (C_Login) and
stays so until C_Logout, when I put the status of all sessions to
CKS_RO_PUBLIC_SESSION. The certificate select dialog happens between two
Signs...
- enter site url
- C_Login (enter pin) = if OK then CKS_RO_USER_FUNCTIONS
- Cert selection dialog
- C_SignInit
- C_Sign
- Enters site, display user info and confirm login button, (then click)
- Cert selection dialog (the second one)
- C_SignInit
- C_Sign
- on site

When testing today, the logons (on that apache site) were as they should
be, no multiple selection of certificates...
Also we have set up another similar site on a windows machine with IIS, and
there also were no such problems...

Therefore it really seems the guys at that site had their apache misconfigured,
and now I can tell them so...

...thanks


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


multiple certificate selection dialogs

2010-05-19 Thread Šandor Feldi
Hello everybody,

I am developing a PKCS11 module, and when testing it in Firefox (3.6.3 for
e.g.), despite selecting "remember selected certificate"
I do get multiple certificate selection dialogs in sequence at SSL session
start...so I have to reselect the same cert, say twice...

I enter the https of the target site, I get asked about the cert - I select it,
then the site displays my info and offers me an enter site button, then it
asks me again for the cert... this is what confuses me... why?

I've been looking for a solution now for some time, but without success...



What could be the most likely cause for this? ...

The behaviour is not dependent on how many certificates I have on the card (or
how many cert. objects I create). I always create three objects per
certificate... CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY. All of them
contain CKA_LABEL, CKA_ID, CKA_ISSUER, CKA_SUBJECT... and other per
specification attributes.

In fact it all seems to work fine, except, that I get asked for the cert 
multiple times...

If you'd need more info, please let me know...

I'd be grateful for any assistance.

Thanks
Sandor Feldi
Developer

T: +386 1 548 38 42
Adacta d.o.o., Leskoškova 9d, 1000 Ljubljana, Slovenija
T: +386 1 548 38 00, F: +386 1 548 39 00, http://www.adacta.si

Consider IT done.

Legal notice (Slovenian): http://www.adacta.si/pravno.htm
Legal notice: http://www.adacta.si/legal.htm


Re: multiple certificate selection dialogs

2010-05-19 Thread Jean-Marc Desperrier

Šandor Feldi wrote:

> I do get multiple certificate selection dialogs in sequence at SSL
> session start...so I have to reselect the same cert, say twice...
>
> I enter the https of the target site, I get asked about the cert - I
> select it, then the site displays my info and offers me an "enter
> site" button, then it asks me again for the cert... this is what
> confuses me... why?


The web site is also something you develop?

There are a number of pitfalls in apache/mod_ssl configuration that will
cause it to throw away the existing user identification info, and ask
again. If that's the kind of configuration you are using, it's quite
likely your problem is more likely such an apache/mod_ssl problem.


https://issues.apache.org/bugzilla/show_bug.cgi?id=48215
https://issues.apache.org/bugzilla/show_bug.cgi?id=48228
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
https://issues.apache.org/bugzilla/show_bug.cgi?id=44961

You might get better behavior by making sure you use the latest
apache version update and setting the OptRenegotiate option:

http://httpd.apache.org/docs/2.2/en/mod/mod_ssl.html#ssloptions


RE: multiple certificate selection dialogs

2010-05-19 Thread Šandor Feldi
Jean-Marc Desperrier wrote:
> The web site is also something you develop?

Thanks for answering. No, I do not develop the site and don't have any way to
access or configure apache, and it happens on different sites too... I forgot
to point out that when importing a certificate into Firefox's NSS softokn3.dll
PKCS11 module, I do not get that behaviour, I get asked for the certificate only
once... so considering this, I think it is not an apache issue at all...
Another piece of information, if it helps... my module interfaces with a smart
card...





Re: multiple certificate selection dialogs

2010-05-19 Thread Nelson B Bolyard
On 2010-05-19 03:40 PDT, Šandor Feldi wrote:
> Jean-Marc Desperrier wrote:
>> The web site is also something you develop?
>
> Thanks for answering. No, I do not develop the site and don't have any way
> to access or configure apache, and it happens on different sites too... I
> forgot to point out that when importing a certificate into Firefox's NSS
> softokn3.dll PKCS11 module, I do not get that behaviour, I get asked for
> the certificate only once... so considering this, I think it is not an
> apache issue at all... Another piece of information, if it helps... my module
> interfaces with a smart card...

It really IS an Apache issue.  Because there are SO MANY misconfigured
and/or miscoded Apache servers out there, Firefox has a workaround for them,
but it requires that the PKCS#11 token used to hold the private key be
CONTINUOUSLY in a RW User state.  Each time the token exits that state,
you'll be required to re-authenticate to the token again.

Does your module attempt to force the user to (re)authenticate to it every
time it needs to use the private key?

Does it attempt to do this by (re)entering a read-only state such as
CKS_RO_PUBLIC_SESSION after it performs a private key operation?

If so, that's your problem.
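To make the session-state point in Nelson's reply (and the C_Login / C_SignInit / C_Sign sequence in Šandor's follow-up) concrete, here is an added C model that is not code from the thread or from any real PKCS#11 module: it derives a session's CK_STATE from the session's RW flag and the token's login flag, then replays the two-signature site login and counts how often the user would be prompted. token_t, session_t, needs_reauth and count_prompts are hypothetical names; the constant values are the ones defined in pkcs11t.h, and the "must stay in RW user state" rule is the browser-side expectation as Nelson states it, not a verified Firefox internal.

```c
#include <stdbool.h>

/* PKCS#11 v2.x session-state and session-flag constants (values as defined
 * in pkcs11t.h). Only the ones needed for this model are listed. */
#define CKS_RO_PUBLIC_SESSION 0UL
#define CKS_RO_USER_FUNCTIONS 1UL
#define CKS_RW_PUBLIC_SESSION 2UL
#define CKS_RW_USER_FUNCTIONS 3UL
#define CKF_RW_SESSION        0x2UL

/* Hypothetical model of one token and one session: the module records login
 * once per token and derives every session's state from (session RW flag,
 * token logged in), which is how the PKCS#11 session state machine works. */
typedef struct { bool logged_in; } token_t;
typedef struct { unsigned long flags; token_t *tok; } session_t;

unsigned long session_state(const session_t *s) {
    bool rw = (s->flags & CKF_RW_SESSION) != 0;
    if (s->tok->logged_in)
        return rw ? CKS_RW_USER_FUNCTIONS : CKS_RO_USER_FUNCTIONS;
    return rw ? CKS_RW_PUBLIC_SESSION : CKS_RO_PUBLIC_SESSION;
}

/* C_Login / C_Logout act on the token, so all of its sessions change state. */
void c_login(session_t *s)  { s->tok->logged_in = true; }
void c_logout(session_t *s) { s->tok->logged_in = false; }

/* Browser-side expectation as described in the thread: unless the token is
 * continuously in the RW user state, the user is asked to authenticate (and
 * pick a certificate) again. */
bool needs_reauth(const session_t *s) {
    return session_state(s) != CKS_RW_USER_FUNCTIONS;
}

/* Replays the two C_SignInit/C_Sign rounds of one site login and counts how
 * many times the user would be prompted. drop_login_after_sign models a
 * module that logs the token out after every private-key operation. */
int count_prompts(bool drop_login_after_sign, unsigned long session_flags) {
    token_t tok = { false };
    session_t s = { session_flags, &tok };
    int prompts = 0;
    for (int round = 0; round < 2; round++) {
        if (needs_reauth(&s)) { prompts++; c_login(&s); }
        /* C_SignInit / C_Sign with the private key would happen here. */
        if (drop_login_after_sign) c_logout(&s);
    }
    return prompts;
}
```

A module that keeps the token logged in across both signatures on an RW session yields one prompt, while dropping the login after each C_Sign (or exposing only RO sessions) yields one prompt per signature; the thread's actual root cause turned out to be the Apache configuration, which this model does not cover.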