On Wed, Dec 11, 2019 at 02:21:48PM +0100, Hubert Kario wrote:
> On Saturday, 7 December 2019 11:20:17 CET, Ilari Liusvaara wrote:
> >
> > One test I just tried:
> >
> > - Smartcard capable of raw RSA.
> > - OpenSC PKCS#11 drivers.
> > - Firefox ESR 68
> > - Server supports TLS 1.3 (Accept RSA PKCS#1v1.5 client signatures is
> >   enabled[2]).
> >
> > Result: Failed. Client hits internal error code SEC_ERROR_LIBRARY_FAILURE
> > [3].
>
> That doesn't match my understanding of how NSS works – AFAIK, NSS (and as
> such, Firefox) will try both raw RSA and rsa-pss signatures with the token,
> depending on what kind of algorithms the token advertises.
>
> I think the issue was the old version of OpenSC, new versions can do rsa-pss
> with rsa-raw:
> https://bugzilla.redhat.com/show_bug.cgi?id=1595626
> https://github.com/OpenSC/OpenSC/pull/1435
Ok, upgrading OpenSC to git master (0.20.0-rc34-2-gee78b0b8) makes client
certificates in TLS 1.3 in Firefox work with that card (works even if accept
RSA PKCS#1v1.5 client signatures is disabled on the server side).

There is apparently no release with the fix. One needs 0.20-rcX or recent
git master.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
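The fix Hubert points at ("new versions can do rsa-pss with rsa-raw") works because a card that only offers raw RSA (PKCS#11 mechanism CKM_RSA_X_509) can still produce an RSA-PSS signature if the middleware performs the PSS encoding in software and sends the card only the padded block to exponentiate; the TLS server verifies a standard RSASSA-PSS signature and never learns how it was made. The following is an added illustration of that split, not OpenSC's, NSS's or Firefox's code: `RawRsaToken` is a stand-in for the card, the key size, message and salt are constructed, and the PSS encoding follows RFC 8017 with SHA-256 and a salt length equal to the hash length, which is what TLS 1.3 requires for the rsa_pss_* schemes.

```python
"""Added example (not from the thread): RSA-PSS signing on a raw-RSA-only token."""
import hashlib
import math
import secrets

HASH = hashlib.sha256
H_LEN = HASH().digest_size   # 32 bytes
SALT_LEN = H_LEN             # TLS 1.3 rsa_pss_* signatures: salt length == hash length


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (RFC 8017, B.2.1)."""
    out, counter = b"", 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1); em_bits is modBits - 1."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("modulus too small for this hash and salt length")
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(x ^ y for x, y in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2) with sLen fixed to SALT_LEN."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + SALT_LEN + 2 or em[-1] != 0xBC:
        return False
    top_bits = 8 * em_len - em_bits
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    if masked_db[0] >> (8 - top_bits):  # unused top bits must be zero
        return False
    db = bytearray(x ^ y for x, y in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - H_LEN - SALT_LEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:  # PS must be zeros, then 0x01
        return False
    salt = bytes(db[ps_len + 1 :])
    h_prime = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return secrets.compare_digest(h, h_prime)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, enough for a demo key; not a production key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand):
            return cand


def generate_key(bits: int = 1024):
    """Return (n, e, d). Demo size; real client certificates use 2048+ bits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)


class RawRsaToken:
    """Stand-in (constructed) for a card whose driver only offers CKM_RSA_X_509:
    it exponentiates whatever modulus-length block it is handed, no padding."""

    def __init__(self, n: int, d: int):
        self._n, self._d, self.k = n, d, (n.bit_length() + 7) // 8

    def raw_sign(self, block: bytes) -> bytes:
        if len(block) != self.k:
            raise ValueError("raw RSA input must be exactly the modulus length")
        return pow(int.from_bytes(block, "big"), self._d, self._n).to_bytes(self.k, "big")


def middleware_sign_pss(token: RawRsaToken, n: int, message: bytes) -> bytes:
    """The middleware's job for a CKM_RSA_PKCS_PSS request on such a card:
    PSS-encode in software, delegate only the private-key exponentiation."""
    em = emsa_pss_encode(message, n.bit_length() - 1, secrets.token_bytes(SALT_LEN))
    return token.raw_sign(em.rjust(token.k, b"\x00"))


def verify_pss(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """RSASSA-PSS-VERIFY (RFC 8017, 8.1.2), as a TLS server would run it."""
    k, em_bits = (n.bit_length() + 7) // 8, n.bit_length() - 1
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    try:
        em = pow(s, e, n).to_bytes((em_bits + 7) // 8, "big")
    except OverflowError:  # I2OSP "integer too large" -> invalid signature
        return False
    return emsa_pss_verify(message, em, em_bits)


def demo() -> dict:
    """Sign with the raw-only token and verify as an ordinary PSS signature."""
    n, e, d = generate_key()
    token = RawRsaToken(n, d)
    msg = b"TLS 1.3 CertificateVerify content (constructed)"
    sig = middleware_sign_pss(token, n, msg)
    return {
        "valid": verify_pss(n, e, msg, sig),
        "other_message": verify_pss(n, e, msg + b"x", sig),
        "bit_flipped": verify_pss(n, e, msg, sig[:-1] + bytes([sig[-1] ^ 0x01])),
    }
```

Running `demo()` returns `valid` as True and the two tampered checks as False. The point to take from it is the one in the thread: the failure Ilari saw was not the card's inability to sign, but the old driver not offering the software-padded PSS path, so NSS found no usable mechanism and bailed with SEC_ERROR_LIBRARY_FAILURE.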