
Cannot use certificates #4

Open

egustin opened this issue Feb 5, 2018 · 3 comments

Comments


egustin commented Feb 5, 2018

Hi,

In my company we have a policy that all certificates have to be stored in the Windows certificate store. This rule prevents us from using Firefox as our default browser.
For this reason I tried P11-Capi. After the installation, I can see all my certificates from the Windows store, but I cannot use them. When I try to open an SSL web page, Firefox seems unable to access the certificates, and it looks like I don't have any certificate installed.
Did I miss something during the installation, or is it a bug?

Thank you for your help.

Elvis


rmhrisk commented Feb 5, 2018

Elvis,

If I understand correctly, you are able to see the certificates in the Firefox certificate management user experience, but the certificates are not being displayed in the certificate picker when doing a TLS session?

If so, the issue may be related to the way certificates are filtered and the information that the server is sending to the client (FF) to search for certificates.

In TLS the server sends a message called a CertificateRequest, which provides the client some hints on how to help the user pick a certificate it will accept.

If the server sends root certificates, for example, the client would need to build the certificate chain for each of the available client certificates to see if there is a certificate issued by that root.

In theory, if Firefox does not have the intermediate certificates available and the server is sending root certificates then your certs could be filtered.

Maybe try to load all the intermediate certificates into Firefox to confirm this fixes the issue; you can also use openssl s_client to look at what issuer certificate names are being sent by the server.


egustin commented Feb 8, 2018

Hello,

Yes, you understood correctly, but importing the intermediate certificates into Firefox didn't solve the issue. It is still the same; web pages still respond with NoCert.
Any other suggestion? Is it maybe possible to present the entire Windows certificate store (User) to Firefox?

Thank you.

Elvis


rmhrisk commented Feb 8, 2018

@egustin no, it is not possible to bypass the server-provided certificate filter in any of the major browsers.

Did you try looking at what was being sent by the server by using the openssl s_client command? This would help you understand what filter is being applied by Firefox. You can find a Windows build of OpenSSL here.

The command you would want to run would be similar to this one:

openssl s_client -tls1_2 -servername example.com  -connect example.com:443 -showcerts

It should send a list of issuer names that the client should filter on; you want to look at your certificate store in Firefox and make sure those certificate names are present and that all the other certificates in the chain are present.

I can't think of any other advice to offer; I actually do not use this library because of its license, so I created a new one I call pvpkcs11, but it would have the same issue here.

Not sure I can help more than I have, good luck.
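The two replies above describe the check in words: the server's CertificateRequest carries a list of acceptable issuer names, openssl s_client prints that list, and a client certificate is only offered if its chain leads to one of those names. The script below is an added example, not code from the issue, from P11-Capi or from pvpkcs11. It parses the "Acceptable client certificate CA names" block out of s_client output and tests whether any issuer in a local client certificate chain appears in it. The s_client transcript and all DNs in it are constructed and hypothetical; the function names are mine. Note that the exact DN formatting printed by s_client and by `openssl x509 -issuer` depends on the OpenSSL version, so produce both lists with the same build.

```shell
#!/bin/sh
# Added example (not part of the original issue, P11-Capi or pvpkcs11):
# extract the issuer names a server advertises in its TLS CertificateRequest
# (as printed by openssl s_client) and check whether a local client
# certificate chain has an issuer in that list.

# Constructed, abridged sample of openssl s_client output with hypothetical
# DNs. Against a real server you would capture this with something like:
#   openssl s_client -tls1_2 -servername example.com -connect example.com:443 </dev/null 2>/dev/null
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 C = XX, O = Example Org, CN = Example Server CA
verify return:1
---
Certificate chain
 0 s:/C=XX/O=Example Org/CN=example.com
   i:/C=XX/O=Example Org/CN=Example Server CA
---
Acceptable client certificate CA names
/C=XX/O=Example Org/CN=Example Issuing CA 1
/C=XX/O=Example Org/CN=Example Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 2814 bytes and written 386 bytes
---'

# Read s_client output on stdin and print one acceptable issuer DN per line.
# The list ends at the next "Client Certificate Types:", "Requested Signature
# Algorithms:" or "---" line. When the server sent no names (s_client prints
# "No client certificate CA names sent"), nothing is printed.
acceptable_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^Client Certificate Types:/ || /^Requested Signature Algorithms:/ || /^---/) { in_list = 0 }
        in_list { print }
    '
}

# Print the issuer DN of each PEM certificate file given as an argument, so the
# local chain can be compared with the server's list. Uses the same openssl
# build, so the DN formatting matches what s_client prints.
local_chain_issuers() {
    for pem in "$@"; do
        openssl x509 -noout -issuer -in "$pem" | sed 's/^issuer= *//'
    done
}

# stdin: s_client output; arguments: issuer DNs of the local client chain.
# Returns 0 if the server accepts any CA (no names sent) or at least one local
# issuer is in the advertised list, 1 otherwise. A 1 here is the case where
# the browser filters the certificate out and the server sees no client cert.
chain_matches_server_filter() {
    names=$(acceptable_ca_names)
    [ -z "$names" ] && return 0
    for issuer in "$@"; do
        printf '%s\n' "$names" |
            awk -v want="$issuer" '$0 == want { found = 1 } END { exit found ? 0 : 1 }' && return 0
    done
    return 1
}
```

Run it against the constructed sample with `printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | chain_matches_server_filter "$(local_chain_issuers client.pem intermediate.pem)"`, or pipe real s_client output into `acceptable_ca_names` and compare the printed DNs with the issuers of the certificates Firefox shows. If the advertised names are root CAs and only the leaf is present in the Firefox store, the intermediate that links them has to be imported as well, which is the situation the replies above describe.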
