Bug 1461997 - During SSL connection Firefox prompts for smartcard PIN multiple times when enforce smartcard login is enabled
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.4
Assigned To: Jakub Jelen
QA Contact: Release Test Team
Reported: 2017-06-15 17:16 EDT by Roshni
Modified: 2017-06-19 16:48 EDT
Last Closed: 2017-06-19 16:48:21 EDT
Type: Bug

Description Roshni 2017-06-15 17:16:45 EDT
Description of problem:
During an SSL connection, Firefox prompts for the smartcard PIN multiple times when enforce smartcard login is enabled

Version-Release number of selected component (if applicable):
opensc-0.16.0-5.20170227git777e2a3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Enable "Require smartcard for login" using authconfig
2. Import the CA cert into Firefox and load the smartcard token
3. Access a secure website

Actual results:
Prompt for smart card multiple times

Expected results:
Should accept the PIN on the first attempt and prompt to accept the signing cert

Additional info:
Comment 2 Jakub Jelen 2017-06-16 08:02:33 EDT
There is not enough information (configuration, card type and information, what secure site) for me to reproduce this behavior, nor to see where the problem could be (debug logs).
Comment 3 Jakub Jelen 2017-06-16 08:06:22 EDT
In case it is a PIV card, this might be caused by the ALWAYS_AUTHENTICATE attribute, which should be set (but was not enforced in Coolkey). The following article provides a way to work around it and ask only once:

  https://access.redhat.com/articles/3034441
Comment 4 Roshni 2017-06-16 08:51:05 EDT
It is not a PIV card; it is a Gemalto 64K card, which is supported by coolkey and pam_pkcs11. I do not see this issue when "Require Smartcard for login" is not set in authconfig; it prompts for the PIN only once.
Comment 5 Roshni 2017-06-19 16:48:21 EDT
Unable to reproduce this issue, so marking the bug closed for now.
