I've managed to sort out my previous problem of getting coolkey and
stunnel to play well together. I can now use my CAC card to
authenticate with stunnel to my internal web proxy and then successfully
browse internal websites as though I was internal.
The problem I was having seems to be thread-based. I could connect, but
as soon as I sent a request in Firefox, my browser would attempt multiple
connections across the stunnel, and that would seem to cause threading
issues in coolkey and the session would reset. I fixed this by setting
this about:config option in Firefox:
network.http.max-persistent-connections-per-proxy to 1
Once I had that, I could browse internally with no problems since Firefox
would only ever use one stunnel connection at a time. That is, until I
tried going to an internal webserver that required client certificate
authentication. Then my system would be trying to access the CAC card
for both the stunnel and the webserver. When I did that I saw these error
messages.
From my stunnel client:
2008.03.10 14:33:44 LOG3[4830:0]: error stack: 14099004 :
error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
2008.03.10 14:33:44 LOG3[4830:0]: SSL_connect: 8000A032:
error:8000A032:Vendor defined:PKCS11_rsa_sign:Device removed
And from # pcscd -adf
...
00000026 ifdhandler.c:1278:IFDHICCPresence() Card present
00043562 winscard_msg_srv.c:288:SHMProcessEventsContext() correctly processed client: 9
00000023 winscard_svc.c:747:MSGCheckHandleAssociation() Client failed to authenticate
00356566 ifdhandler.c:1166:IFDHICCPresence() lun: 0
Needless to say, some of the most interesting internal sites are the
ones that require client authentication. Is this a known limitation of
coolkey? Any thoughts on how I can get around this?
-matt
_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
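The Firefox workaround above can be pinned in the profile's user.js instead of being set by hand in about:config, so it survives profile resets and can be checked from a script. The following is an added example, not code from the original post or from the coolkey or stunnel projects; the profile directory path is a placeholder you supply, and set_firefox_pref / get_firefox_pref are names chosen here.

```shell
#!/bin/sh
# Idempotently pin a Firefox preference in a profile's user.js, e.g. to
# limit Firefox to one persistent connection through the stunnel proxy
# so only one consumer at a time is driving the PKCS#11 session.
# Usage: set_firefox_pref PROFILE_DIR PREF_NAME VALUE
set_firefox_pref() {
    profile="$1"; pref="$2"; value="$3"
    userjs="$profile/user.js"
    tmp="$userjs.tmp.$$"
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }
    # Drop any existing line for this pref (fixed-string match, so the dots
    # in the pref name are literal), then append the new value.
    if [ -f "$userjs" ]; then
        grep -vF "user_pref(\"$pref\"," "$userjs" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'user_pref("%s", %s);\n' "$pref" "$value" >> "$tmp"
    mv "$tmp" "$userjs"
}

# Read back the value currently pinned in user.js for a pref.
# Prints nothing and returns 1 if user.js does not exist.
get_firefox_pref() {
    profile="$1"; pref="$2"
    userjs="$profile/user.js"
    [ -f "$userjs" ] || return 1
    # Escape the dots so they match literally in the sed pattern.
    esc=$(printf '%s' "$pref" | sed 's/\./\\./g')
    sed -n "s/^user_pref(\"$esc\", *\(.*\));\$/\1/p" "$userjs" | tail -n 1
}

# Example (placeholder profile path; adjust to your own profile directory):
# set_firefox_pref "$HOME/.mozilla/firefox/PROFILE.default" \
#     network.http.max-persistent-connections-per-proxy 1
```

Firefox reads user.js at startup and copies its values into prefs.js, so restart the browser after changing it.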