5

I need some help understanding what is happening with my web application. I have a simple web app (C# .NET 2.0) that uses smartcard authentication. On my testing box (Win2k3 32-bit, IIS6) everything works fine, but on my production box (Win2k3 64-bit, IIS6) Firefox is unable to send the certificate, hosted on the card, to the server (the collection Request.ClientCertificate is empty). If I try to browse the same production site with IE (6, 7 and 8) or Safari, it works.

IIS's configuration is the same on both servers: same SSL certificates, same CTL. I've read a lot about Firefox problems with certificates, but none of them matches mine.

If any of you can give me a clue about what is happening, I will be very thankful.

Glauco.

GRGodoi

2 Answers

1

Do you run Firefox on the same machine (and thus the 64/32 bit difference) or both times on the same client computer (I would assume 32bit here), and it does not work for you when the server is different (64bit)?

Does Firefox see the certificate (Preferences -> Advanced -> Encryption -> "View certificates" -> "My Certificates" and "Security devices")? Enable "Ask every time" for certificate selection and verify that Firefox indeed tries to use the card.

Which card (manufacturer, type) and software (PKCS#11 provider) do you use?

Martin Paljak
  • The browser always runs on a 32-bit box. Firefox is configured correctly because it works in the test environment. In tests I can see the dialog that allows me to choose the certificate. I don't know the manufacturer or the type of the card :( but I need to set up Firefox to use pteidpkcs11.dll, which exists in windows\system32. – GRGodoi Aug 26 '09 at 10:47
1

Disclaimer: this is only based on my own observations.

As of version 22.0, Firefox will not present the client certificate at all if the CN ("common name") field of the server's certificate appears to be a DNS name but does not match the host it is talking to (i.e. the hostname in the URL bar).

If you think this may be your issue, you could test it by either ensuring that the host you request is the one in the CN field of the server cert, or by providing a self-signed cert with a silly value like "Jim Bob" in the CN field.

wberry
  • So there is no way to view the SSL cert under this circumstance? – Underverse Mar 18 '19 at 07:28
  • This was years ago now. Worth retesting. You could retrieve the cert with openssl or curl if needed. Or maybe another browser, chrome etc. – wberry Mar 18 '19 at 12:38
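The comparison wberry's answer suggests testing, as an added example that is not part of the original answers: it takes a certificate dict in the format of Python's `ssl.SSLSocket.getpeercert()` and reports whether the CN looks like a DNS name and whether it matches the requested host. The "looks like a DNS name" heuristic, the function names and the `example.test` hostnames are assumptions of this example, not Firefox's actual logic.

```python
import re
import socket
import ssl

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def looks_like_dns_name(cn):
    """Heuristic (assumption of this example): two or more valid labels,
    optionally with '*' as the left-most label."""
    labels = cn.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    head_ok = labels[0] == "*" or bool(_LABEL.match(labels[0]))
    return head_ok and all(_LABEL.match(label) for label in labels[1:])


def cn_matches_host(cn, host):
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host


def diagnose(peercert, host):
    """peercert: dict in the format returned by ssl.SSLSocket.getpeercert()."""
    cns = [v for rdn in peercert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if not cns:
        return "no-cn"
    dns_like = [cn for cn in cns if looks_like_dns_name(cn)]
    if not dns_like:
        return "not-dns-name"  # e.g. a CN such as "Jim Bob"
    return "match" if any(cn_matches_host(cn, host) for cn in dns_like) else "mismatch"


def fetch_peercert(host, port=443, timeout=5.0):
    """Fetch the server certificate with hostname checking disabled. The chain
    must still validate against the local trust store or the handshake fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format; the names are placeholders.
SAMPLE = {"subject": ((("commonName", "test.example.test"),),)}
```

A result of `"mismatch"` for the production hostname and `"match"` for the test hostname would point at the condition described in the answer; `diagnose(fetch_peercert(host), host)` runs the same check against a live server.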