On 04/20/2011 06:00 AM, james07 wrote:
> Hi,
>
> I have added an external PKCS#11 token via Device Manager in Firefox 3.6.15.
> I then import a PKCS#12 file containing a client SSL key and certificate
> signed by a trusted CA, specifying the external token as the key and
> certificate store. The import is successful, however when I attempt to access
> a website over mutual SSL with the newly imported certificate I get an
> authorized error. If I restart the browser then the connection is
> successful.
>
> Are SSL certs being cached by the browser?

Yes, sort of. Client auth only happens on full handshakes. If you connect to a server with a client auth cert, then your connection will continue to use that cert unless either the client or the server triggers a renegotiation. This isn't likely to be your problem, but it could be. There used to be a 'logout all' button somewhere in the browser. I don't know if it still exists. That button would flush all our SSL caches and force full handshakes.

NSS does automatically flush the one cache entry for your smart card if you remove it, so if removing your smart card and trying to access the site again causes this problem, it's an SSL cache level issue.

In addition, whenever SSL wants to do client auth, it asks the browser what cert it wants to use. The browser used to select the certificate automatically, but that was deemed a privacy issue by Mozilla drivers, so now it's set to ask every time. I think that some sort of 'remember this choice' was implemented to deal with Apache servers, which often did not have SSL caches set up and did full handshakes on every connection (thus winding up with tons of prompts when you turned client auth on). I don't know how that cache entry is set or cleared.

bob

> If so, is it possible to refresh
> the cache to include a newly imported certificate on an external PKCS#11
> device without having to restart the browser?
>
> Thanks,
> James
>
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
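Bob's point that client authentication only happens on a full handshake, and that a resumed connection simply carries the earlier identity forward, can be watched on the wire with the openssl command line. The script below is an added example written for this page; it is not code from the thread, from NSS or from Mozilla. It assumes the openssl CLI is installed, that loopback networking works and that a TCP port on 127.0.0.1 is free; the throwaway CA, the server and client certificates, the file names and the port choice are all my own. It pins TLS 1.2 because its abbreviated handshake is the clearest illustration: the first connection does a full handshake and sends the client Certificate message, the second resumes the session and sends none, even though the same certificate and key are still available to the client.

```shell
#!/bin/sh
# Added example (not part of the dev-tech-crypto thread): demonstrate with the
# openssl CLI that a client certificate is presented only during a full TLS
# handshake, and that a resumed session reuses that identity with no
# certificate exchange at all.
# Assumptions: openssl CLI available, loopback networking, a free TCP port.
# All keys, certificates, file names and the port are throwaway choices of mine.

set -eu

WORK=$(mktemp -d)
PORT=$(( 20000 + $$ % 20000 ))
SERVER_PID=""

cleanup() {
    [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

make_pki() {
    # Throwaway CA, then a server cert and a client cert signed by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$name.crt" 2>/dev/null
    done
}

start_server() {
    # -Verify makes the server demand a client certificate on full handshakes;
    # -www gives s_client a tiny HTTP responder to talk to. Session caching and
    # session tickets are on by default, so resumption works out of the box.
    openssl s_server -accept "$PORT" -tls1_2 -www \
        -cert "$WORK/server.crt" -key "$WORK/server.key" \
        -CAfile "$WORK/ca.crt" -Verify 1 >/dev/null 2>&1 &
    SERVER_PID=$!
}

# One client connection. $1 is the log file; remaining args are extra s_client
# options (-sess_out / -sess_in). -msg logs every handshake message sent (>>>)
# and received (<<<). The client cert and key are offered on every connection.
connect() {
    log=$1; shift
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
        -tls1_2 -CAfile "$WORK/ca.crt" -cert "$WORK/client.crt" -key "$WORK/client.key" \
        -msg "$@" >"$log" 2>&1
}

# s_client's own summary line: "New" for a full handshake, "Reused" for a resumed one.
handshake_kind() {
    awk -F, '/^(New|Reused),/ { print $1; exit }' "$1"
}

# Number of Certificate handshake messages the client itself sent (outbound ">>>").
client_certs_sent() {
    grep -c '^>>>.*Handshake.*, Certificate$' "$1" || true
}

main() {
    make_pki
    start_server
    # First connection: full handshake, retried until the server is listening.
    # The negotiated session is saved so the next connection can resume it.
    n=0
    until connect "$WORK/full.log" -sess_out "$WORK/session.pem"; do
        n=$((n + 1)); [ "$n" -lt 10 ] || { echo "server never came up" >&2; exit 1; }
        sleep 1
    done
    # Second connection: identical command, but resuming the saved session.
    connect "$WORK/resumed.log" -sess_in "$WORK/session.pem" || true

    FULL_KIND=$(handshake_kind "$WORK/full.log")
    FULL_CLIENT_CERTS=$(client_certs_sent "$WORK/full.log")
    RESUMED_KIND=$(handshake_kind "$WORK/resumed.log")
    RESUMED_CLIENT_CERTS=$(client_certs_sent "$WORK/resumed.log")

    echo "full handshake:    $FULL_KIND, client Certificate messages sent: $FULL_CLIENT_CERTS"
    echo "resumed handshake: $RESUMED_KIND, client Certificate messages sent: $RESUMED_CLIENT_CERTS"
}

main
```

The first line reports a "New" handshake with one outbound Certificate message; the second reports "Reused" with zero. That is the browser-side situation James describes: a connection that resumed an old session, or that is still open from before the PKCS#12 import, never gets asked for a certificate again, so the server keeps seeing whatever identity (or lack of one) was established on the last full handshake until something forces a new one. Passing -reconnect to s_client, or dropping the -sess_in argument, produces a full handshake again, which is the command-line equivalent of the 'logout all' button Bob mentions.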