Firefox Fails To Authenticate .mil Sites With New DoD CAC


Can anyone help with getting the new DoD CACs (Smart Card) to work in CentOS 6.6? I don’t use it for console logins, only for email and .mil web sites.

I recently had to get a new DoD CAC (Smart Card) when one of the buildings I work in upgraded their security system. My old CAC was working fine prior to this for signing and encrypting email and for authenticating to various DoD (.mil) sites from the Internet using the coolkey libraries.

After getting my new CAC I am no longer able to authenticate to any DoD sites. I can still sign and encrypt email in Thunderbird via the coolkey libraries but .mil sites either simply display blank pages or raise various errors in firefox. I am prompted for my PIN, which is successfully accepted but I’m not even prompted for which cert to use, like I used to be.

I’ve tried installing and loading the latest “cackey” libraries (see below) but when I insert my CAC and attempt to login to the module in the Mozilla device manager it completely freezes firefox. Recovery requires killing firefox. If I remove the latest and install the next previous cackey library it works the same as coolkey – doesn’t freeze up firefox but never connects to .mil sites.

I tried building the cackey RPMs from the source RPMs too but the result is the same.

Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm Next previous cackey: cackey-0.6.5-2444.x86_64.rpm

I’m pretty sure it has something to do with the newer PIV CAC internal layout. I went through a similar transition when the GEMAL 144 cards came out but the cackey libraries did at least work and coolkey eventually caught up.

One thing is for sure… the cackey RPM from forge.mil is not a drop-in replacement for coolkey. The cackey RPM only installs the libraries themselves, nothing else. It doesn’t even register them in the nss db; I had to do that manually with modutil. I must be missing something…

Without direct access to forge.mil it’s difficult to troubleshoot cackey. For some silly reason they still require CAC authentication to get the CAC software and drivers and access the forums, etc.

More relevant information below…

I’d be grateful for any ideas or advice on this. I desperately need to retrieve vulnerability reports, patches, and other DoD resources. Thanks!

Cal Webster

Smart Card Reader:
SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0

Old CAC: GEMAL TO TOPDL GX4 144
New CAC: G&D FIPS 201 SCE 3.2

[root@inet3 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@inet3 ~]# uname -a
Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@inet3 ~]#

Installed Packages

coolkey.i686 1.1.0-32.el6 @base
coolkey.x86_64 1.1.0-32.el6 @base
firefox.i686 31.2.0-3.el6.CentOS @updates
firefox.x86_64 31.2.0-3.el6.CentOS @updates
thunderbird.x86_64 31.2.0-3.el6.CentOS @updates
pcsc-lite.x86_64 1.5.2-14.el6 @base
pcsc-lite-devel.x86_64 1.5.2-14.el6 @base
pcsc-lite-libs.x86_64 1.5.2-14.el6 @base
nss.i686 3.16.1-14.el6 @base
nss.x86_64 3.16.1-14.el6 @base
nss-devel.x86_64 3.16.1-14.el6 @base
nss-softokn.i686 3.14.3-18.el6_6 @updates
nss-softokn.x86_64 3.14.3-18.el6_6 @updates
nss-softokn-devel.x86_64 3.14.3-18.el6_6 @updates
nss-softokn-freebl.i686 3.14.3-18.el6_6 @updates
nss-softokn-freebl.x86_64 3.14.3-18.el6_6 @updates
nss-softokn-freebl-devel.x86_64 3.14.3-18.el6_6 @updates
nss-sysinit.x86_64 3.16.1-14.el6 @base
nss-tools.x86_64 3.16.1-14.el6 @base
nss-util.i686 3.16.1-3.el6 @base
nss-util.x86_64 3.16.1-3.el6 @base
nss-util-devel.x86_64 3.16.1-3.el6 @base

[root@inet3 ~]# modutil -list -dbdir /etc/pki/nssdb

Listing of PKCS #11 Modules
———————————————————

6 thoughts on - Firefox Fails To Authenticate .mil Sites With New DoD CAC

  • Does your system trust CA32?

    I see

    Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
    Validity
    Not Before: Nov 24 00:00:00 2014 GMT
    Not After : Jan 30 23:59:59 2015 GMT
    Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=WEBSTER.CALVIN.DALE.1011559383

    Ha. Have you contacted the DOD PKE team for support on that? DISA Tinker AFB OPS List PKE_Support

    I have a G&D FIPS 201 SCE 3.2 test CAC from JITC I can attach to VM for debugging.

  • Was source for this upstream enhancement released to the community? Not sure what you meant by “The two” – you mean coolkey and cackey?

    pcsc-lite-1.5.2-14.el6.x86_64 (listed on original post) contains pcscd. Sure that’s possible but I see nothing to support that in the system logs.

    I just got a cackey developer contact on forge.mil today from a Civil Svc engineer who does have access so I’ll send him my data too.

    Thanks Mark.

  • That’s a very good point, Jason. I could not locate that CA in the certs being stored for Firefox. It is, however, listed in the CA store in Thunderbird, which I’ve had no trouble using with coolkey libs. The trust settings there are all un-checked, though.

    I had also installed the latest dod_configuration-1.3.7.xpi extension which automatically downloads the latest DoD certs on installation. I assumed it was a complete set. After reading your message I went ahead and clicked the [Update DoD Certs…] button in the add-on preferences too – Still not listed. Apparently this cert is missed during this process.

    I went ahead and exported the cert from Thunderbird, then imported it into firefox. Now I’m up and running again.

    It’s often the simple things we overlook, which is why it’s nice to have a community to bounce things off of.

    Thanks for the help Jason.

    No, but thank you for the contact info. Even though I’ve got my issue resolved, I’d be happy to help iron out the cackey package issues if someone wants.

    Thanks but that won’t be necessary now unless someone else needs the help.

  • DoD does use RHEL for the critical infrastructure hosts and in our case for training simulators. The issue here was with a separate non-DoD asset used to retrieve security updates and to conduct research to support engineering efforts on isolated, stand-alone networks. The isolated networks are not allowed to touch the Internet. CentOS 6 (and recently 7) has been approved for engineering labs and certain R&D facilities too, BTW – You’ll see it if you do a search in DADMS. We do use CentOS for local general purpose servers and workstations.

  • It must have been in the coolkey-1.1.0-32 update.

    Build Date: Wed 15 Oct 2014 11:11:10 AM EDT
    Install Date: Wed 29 Oct 2014 05:04:04 AM EDT

    Yes, I learned to avoid opensc years ago when we first set up the CACs.

    A missing CA cert turned out to be the problem. I checked after Jason Pyeron was kind enough to mention “MAIL CA-32” listed on my CAC cert lookup. Sure enough, it was missing in the Firefox CA store but present in the Thunderbird store. This explains why I could sign and encrypt email but not access .mil web sites. When I used the dod_configuration mozilla add-on to update the certs I assumed it would get them all. Apparently not. In fact, I think it deleted this cert because I recorded everything on my previous CAC before getting the new one. It was also using CA-32. I ended up just exporting the cert from Thunderbird and importing it into Firefox.

    ./Cal
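The root cause above was that the issuer of the card's certificate (DOD EMAIL CA-32) was absent from Firefox's NSS store while present, but untrusted, in Thunderbird's. The script below is an added example, not code from the thread: it pulls the issuer CN from an `Issuer:` line like the one quoted in the comments, looks that nickname up in a `certutil -L` listing (nss-tools, which the original post shows installed) and reports whether it is missing, present but untrusted, or trusted to issue SSL server certs. The two listings are constructed samples, and the profile paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example: diagnose a missing or untrusted issuer CA in an NSS store.
# Listing format is that of `certutil -L -d <profile dir>`; columns after
# the nickname are trust flags for SSL,S/MIME,JAR/XPI.

# Constructed sample listings (not real output from the poster's machine).
FIREFOX_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

DoD Root CA 2                                CT,C,C
DOD CA-31                                    CT,C,C'

THUNDERBIRD_LISTING='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

DoD Root CA 2                                CT,C,C
DOD EMAIL CA-32                              ,,'

# Issuer line as quoted in the thread.
CARD_ISSUER_LINE='Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32'

# issuer_cn "<Issuer: line>" -> prints the CN attribute
issuer_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# ca_trust_state "<listing>" "<nickname>" -> prints missing|untrusted|trusted
# "trusted" means the SSL column carries C or T, i.e. Firefox will accept
# server certs chained to this CA; ",," is what an unchecked trust dialog yields.
ca_trust_state() {
    flags=$(printf '%s\n' "$1" | awk -v want="$2" '
        NR > 2 && NF >= 2 {
            nick = $0
            sub(/[ \t]+[^ \t]*$/, "", nick)   # drop trailing trust column
            sub(/^[ \t]+/, "", nick)
            if (nick == want) { print $NF; exit }
        }')
    if [ -z "$flags" ]; then echo missing; return 0; fi
    case "${flags%%,*}" in
        *C*|*T*) echo trusted ;;
        *)       echo untrusted ;;
    esac
}

CN=$(issuer_cn "$CARD_ISSUER_LINE")
echo "Firefox store:     $CN is $(ca_trust_state "$FIREFOX_LISTING" "$CN")"
echo "Thunderbird store: $CN is $(ca_trust_state "$THUNDERBIRD_LISTING" "$CN")"
# Repair, as the thread did, by copying the CA across stores (placeholder paths):
#   certutil -L -d "$TB_PROFILE" -n "$CN" -a > ca.pem
#   certutil -A -d "$FF_PROFILE" -n "$CN" -t "C,," -i ca.pem
```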