Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

SSL Client autentification failed. Firefox does not open dialog with certificates.

  • 11 个回答
  • 31 人有此问题
  • 1 次查看
  • 最后回复者为 guigs

more options

I have problem accessing SSL client auth protected websites.

Security module is succesfully loaded, Login via Security module is OK and I can see certificates from SmartCard in Firefox "Your Certificates" tab. When I navigate to SSL protected website Firefox does not open pop-up certificate dialog with my certificates list and I can't login to website.

I also try not to login via Security module directly and then, when I came to website, Firefox detect SSL client Auth request from website and backend middleware raise pop-up pin dialog. Again, I have logged in successfully into smartcard via middleware, certificates are loaded in "Your certificates" tab but Firefox does not opening certificate dialog.

Middleware is ActivClient 6.2 and Firefox version is 25. I also try with different Firefox/ActivClient version combination but same problem still exists.

Also, Firefox on Linux works ok (combination with Coolkey). I also try Coolkey and Firefox on Windows OS and also working.

Problem exists only with Firefox/ActivClient combination.

Does anybody have solution for this problem?

Thnx...

I have problem accessing SSL client auth protected websites. Security module is succesfully loaded, Login via Security module is OK and I can see certificates from SmartCard in Firefox "Your Certificates" tab. When I navigate to SSL protected website Firefox does not open pop-up certificate dialog with my certificates list and I can't login to website. I also try not to login via Security module directly and then, when I came to website, Firefox detect SSL client Auth request from website and backend middleware raise pop-up pin dialog. Again, I have logged in successfully into smartcard via middleware, certificates are loaded in "Your certificates" tab but Firefox does not opening certificate dialog. Middleware is ActivClient 6.2 and Firefox version is 25. I also try with different Firefox/ActivClient version combination but same problem still exists. Also, Firefox on Linux works ok (combination with Coolkey). I also try Coolkey and Firefox on Windows OS and also working. Problem exists only with Firefox/ActivClient combination. Does anybody have solution for this problem? Thnx...

由fredast于修改

所有回复 (11)

more options

Hi fredast

I am trying to reproduce this issue and I have a few questions:

  • In your option> Advance> Certificates there is an option:"When a server requires my personal certificate"Is this set to "automatic" or "always ask"?
  • Are you managing the certificate manually then navigating to the page?
  • what version of ssl are the pages using? you can change this manually I believe

[http://www.mozilla.org/projects/secur.../ssl_help.html]

more options

Hi,

 * I try both. "Automatic" and "Always ask". "Always ask" option is default and works in other browsers and Firefox on LinuxOS
 * No. I navigate to the page->Page request SSL auth->Then I type PIN in ActivClient prompt dialog (automatically displayed when page requests auth)-> My Certificates from SmartCard are automatically displayed in "Your Certificates" Tab.
* It's TLS 1.0
more options

Hi fredast,

I did some more research on this and it looks like you have to go the about:config page and mess with this setting:


You'll need to enable SSL renegotiation, do this by pointing your browser to about:config. After confirming that you know what you are doing, you need to start typing in:

"security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref set it to true (by double clicking it). " Ref: [http://militarycac.com/firefox.htm]
  • see cor-el's post about security

由guigs于修改

more options

It is not recommended to mess with that global security setting, but add trusted hosts instead if you really need to.

See this link for information about 'Renegotiation' (CVE-2009-3555):

You can look at the security.ssl.renego_unrestricted_hosts pref on the about:config page and add the sites that you want to allow to the string value.
Separate multiple host names by a comma.

more options

Hi,

I've already try playing with those settings. "security.ssl.renego_unrestricted_hosts" was first option that I play with (and some other ssl and network options didn't make me happy)...But, nothing happens...Deffinitely, I think it's not website/webserver problem because this site works with other smartcards and middlewares. Also, with this combination I have problem with another websites...So, I'm pretty sure it's something with SmartCard/ActivClient/Firefox combination. Another weird thing is that my SmartCard work with Firefox and CoolKey library...Strange.....I have made another test with Alladin SmartCard eToken and SafeNet Auth Client Middleware...Everything works perfectly in Firefox...

I will try with another SmartCard (another manafacturer) that holds same certificates like my currently smartcard (same issuer)...

Anyway...I'm running out of ideas....

由fredast于修改

more options

Hi,

I tried all the above options, but still i'm not able to see any popup or option to select client certificate.

1. "Ask me every time" is selected. 2."Security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref" is set to true. 3. "security.ssl.renego_unrestricted_hosts" added my website address to this. 4. Imported client certificate to "Your Certificates" tab.

Please let me know, if i have done something wrong with settings.

Thanks, Mohan

more options

Are you using the same combination SmartCard/ActivClient/Firefox ? Does that combination use OCSP or CCRL? IF so it looks like both need to be OSCP aware, the is enabled by defualt but to check if Firefox is OSCP you can go to Options> Advanced> Tools and click on Validation.

A trick you can use to troubleshoot where any validation or blockage is using wireshark or backtrack with Firefox. My favorite tool though is Live HTTP Headers https://addons.mozilla.org/en-US/fire.../live-http-headers/ I hope this helps in the right direction. If you are seeing Firefox is blocking please do let us know and we can open a bug :-)

由guigs于修改

more options

Thanks for your reply.

Good thing is I am able get the certificate popup, but still with some issue. My client certificate has 3 level hierarchy.

1. Parent Root Certificate(Self Signed Certificate) 2. Child Parent Root Certificate(Issued by Parent Root Certificate) 3. Client Certificate (Issued by Child Parent Root)

In "Your Certificates" tab, I have imported my Client Certificate, Child Parent Root and Parent Root, but when I try to access the website, the certificate popup shows only Parent Root certificate, it does not show up the remain two certificates.

If I select Parent Root certificate, I'm able to access the website but not able to select the required client certificate.

Also I tried to import the Root certificates to Authorities tab, but some how they are not getting imported, no error message is displayed, it simply doesn't import anything.

I'm using Firefox 26.0 (No SmartCard or ActiveClient) with OCSP selected.

Please let me know your views on this.

Thanks & Regards, Mohan G

more options
more options

Hi on second thought I followed up with the #security channel on this and found that automatically accepting certificates can be bad. And if If the security.ssl.allow_unrestricted_renego_yeverywhere__temporarily_available_pref has an effect then that means that the website is not working properly.

more options

Hi fredast, I know it has been quite a while since there was activity in this thread. However the bug that was filed for this is asking if it was still an issue in the current version of Firefox. Are you still experiencing this in Firefox 46?