
ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS

Open mrawding opened this issue 1 year ago • 10 comments

Cannot login into Teams or Webmail anymore

OS: Ubuntu 22.04 LTS
Browser: Chrome
Details: Used to get this every once in a while; a refresh/restart of Chrome would usually do the trick. I can't get past it now. Do I need to update the certificates? It has been a while since reinstalling this repo.

Wondering if anyone else runs into this issue. Happy to be a guinea-pig for anything to test.


mrawding avatar Dec 14 '23 23:12 mrawding

I have run into the same problem on Ubuntu 22.04.3 LTS and Chrome. It worked in the past and few weeks ago I started receiving the same error.

ihatecascardo avatar Jan 03 '24 15:01 ihatecascardo

I can also confirm getting the same error on Edge and Chrome on Kubuntu 22.04. I am able to get into other sites like Evals and the ticketing system. I also am getting this issue when attempting to use the web version of the rdp client to login to the Army Virtual Desktop.

pdzaffina avatar Jan 07 '24 22:01 pdzaffina

I ran into this issue as well on Ubuntu 22.04.3 using Chrome + Firefox (though FF just says it fails, not specifically with this error).

In the long term this is probably not the right option, but I was able to access them again with either browser by disabling TLS 1.3.

Firefox was actually pretty easy to disable:

  1. Go to about:config
  2. Search for security.tls
  3. Find security.tls.version.max and set it to 3 (which is TLS 1.2)
  4. Restart firefox
  5. I was able to login successfully.

Chrome is a little wonky since it doesn't have a flag for it (I looked in chrome://flags/ but found nothing). However, there is a command line argument that seems to do what I wanted.

With all of my chrome windows closed, I opened a terminal and typed

```bash
google-chrome-stable --ssl-version-max=tls1.2
```

And I was able to access Outlook and Teams.

Again, this is probably not the right long term solution, but at least a workaround for now (well, at least for me).

jonselling avatar Jan 08 '24 19:01 jonselling

I can confirm this fix has worked for me on Ubuntu 22.04 LTS - I've only tested the google-chrome fix. @jonselling big fan of yours for finding this workaround!

If you don't want to launch chrome in a terminal for the foreseeable future - you can add the --ssl-version-max=tls1.2 argument to

line 49 of /opt/google/chrome/google-chrome

It should look like:

```bash
# Note: exec -a below is a bashism.
exec -a "$0" "$HERE/chrome" "--ssl-version-max=tls1.2" "$@"
```

mrawding avatar Jan 09 '24 21:01 mrawding
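The edit to line 49 of /opt/google/chrome/google-chrome works but is replaced by the next Chrome package update, and it caps TLS at 1.2 for every site Chrome visits, so it should be easy to revert once the underlying issue is fixed. The following added example (not code from the linux_cac project or from this thread) persists the same flag through a per-user .desktop override instead. It assumes the Chrome .deb's launcher lives at /usr/share/applications/google-chrome.desktop and that the desktop environment prefers entries in ~/.local/share/applications, which is the XDG default.

```bash
#!/usr/bin/env bash
# Added example, not code from the linux_cac project or from the thread:
# persist a Chrome command-line flag through a per-user .desktop override
# instead of editing /opt/google/chrome/google-chrome, which a package
# update replaces. Assumptions: the system launcher is
# /usr/share/applications/google-chrome.desktop (the Chrome .deb's default)
# and the desktop environment looks in ~/.local/share/applications first.

FLAG="--ssl-version-max=tls1.2"
SYSTEM_DESKTOP="/usr/share/applications/google-chrome.desktop"
USER_DESKTOP="$HOME/.local/share/applications/google-chrome.desktop"

# Rewrite every Exec= line (the main entry and the desktop actions such as
# "new window" / "incognito") so the flag directly follows the binary path.
# Reads a .desktop file on stdin, writes the modified file to stdout.
add_flag_to_exec_lines() {
    flag="$1"
    sed -E "s|^(Exec=[^[:space:]]+)(.*)$|\1 ${flag}\2|"
}

# Generate the override from the system launcher. Re-running regenerates it
# from the untouched system file, so the flag is never added twice.
install_override() {
    mkdir -p "$(dirname "$USER_DESKTOP")"
    add_flag_to_exec_lines "$FLAG" < "$SYSTEM_DESKTOP" > "$USER_DESKTOP"
    update-desktop-database "$(dirname "$USER_DESKTOP")" 2>/dev/null || true
    echo "override written to $USER_DESKTOP"
}

# Revert: deleting the override restores the system launcher unchanged.
remove_override() {
    rm -f "$USER_DESKTOP"
}

# Constructed sample of the relevant lines of a Chrome .desktop file.
SAMPLE_DESKTOP='[Desktop Entry]
Name=Google Chrome
Exec=/usr/bin/google-chrome-stable %U
Terminal=false

[Desktop Action new-private-window]
Name=New Incognito Window
Exec=/usr/bin/google-chrome-stable --incognito'

# Stand-alone demo on the constructed sample; prints the rewritten entry.
printf '%s\n' "$SAMPLE_DESKTOP" | add_flag_to_exec_lines "$FLAG"
# Real use: install_override   (then launch Chrome from the application menu)
#           remove_override    (once the underlying issue is fixed)
```

Chrome launched from a terminal as in the earlier comment still needs the flag typed by hand; the override only affects launches through the desktop menu, which is usually the point.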

> I can confirm this fix has worked for me on Ubuntu 22.04 LTS - I've only tested the google-chrome fix. @jonselling big fan of yours for finding this workaround!
>
> If you don't want to launch chrome in a terminal for the foreseeable future - you can add the --ssl-version-max=tls1.2 argument to
>
> line 49 of /opt/google/chrome/google-chrome
>
> It should look like:
>
> ```bash
> # Note: exec -a below is a bashism.
> exec -a "$0" "$HERE/chrome" "--ssl-version-max=tls1.2" "$@"
> ```

Thank you and jonselling for the temp fix.

ihatecascardo avatar Jan 11 '24 15:01 ihatecascardo

I appreciate you all helping out here! I was running into similar issues for a bit, but they were intermittent. I believe the root of this issue is cackey. I posted a potentially more permanent solution here if you'd like to try it: https://github.com/jdjaxon/linux_cac/issues/22#issuecomment-1912147901

Please let me know if you attempt this transition to OpenSC and if it helps.

jdjaxon avatar Jan 26 '24 14:01 jdjaxon

I switched to OpenSC before and it didn't seem to work but I tried again and was a little more diligent about removing some things (thanks to some help from a co-worker pointing me to the right places). After purging cackey, I also went through and deleted a few more things.

  1. In the `~/.pki` database, I used (from home directory) `modutil -dbdir sql:.pki/nssdb/ -list` to show me the older module that referenced cackey, I found the name used and did a `modutil -dbdir sql:.pki/nssdb/ -delete "<name>"`. I verified it got deleted with another list check and did not see it there.
  2. In firefox, I went to the Settings -> "Privacy & Security" -> "Certificates" -> "Security Devices" and Unloaded the Module that referenced my CAC (**NOT** the PKCS 11 Module or any other module I had there)

I deleted those, installed opensc, and did the pkcs11-register function, which added the module into the ~/.pki database.

For firefox, I went to the same devices location and "Loaded" a new module, but pointing to the library file at /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so.

After all of that, I didn't restart my computer, but they still failed initially to connect to Outlook. I tried a couple times, removing and re-inserting my CAC, closing and re-opening browsers, and now it seems to be in a consistent state that I can access Microsoft 365 stuff on my browsers!

I made sure to remove the configuration changes for restricting the TLS version and it still works! Thanks!

jonselling avatar Jan 26 '24 16:01 jonselling
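The cleanup above amounts to two checks per NSS module database: is a module that points at the cackey library still registered, and is the OpenSC module registered. The following added example (not code from the linux_cac project or from this thread) automates those checks. It assumes `modutil` from libnss3-tools is on PATH, uses the OpenSC library path named in the thread, and only prints the `modutil -delete` / `modutil -add` commands rather than running them, because modutil must not edit a database while the browser that owns it is open.

```bash
#!/usr/bin/env bash
# Added example, not code from the linux_cac project or from the thread:
# audit an NSS module database (Chrome's ~/.pki/nssdb or a Firefox profile
# directory) for a stale CACKey PKCS#11 module and for the OpenSC module,
# and print the modutil commands that the thread's manual cleanup used.
# Assumptions: modutil (libnss3-tools) is on PATH; the OpenSC library path
# is the one named in the thread; module names are read from modutil output.

OPENSC_LIB="/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so"

# Reduce `modutil -list` output to one "name|library" line per module.
# The NSS internal module prints no "library name:" line, so its library
# field stays empty.
parse_modutil_list() {
    awk '
        function flush() { if (name != "") print name "|" lib }
        /^ *[0-9]+\. / { flush(); name = $0; sub(/^ *[0-9]+\. /, "", name); lib = ""; next }
        /library name:/ { lib = $0; sub(/^.*library name: */, "", lib) }
        END { flush() }
    '
}

# Names of modules whose name or library path mentions cackey
# (stdin: modutil -list output).
stale_cackey_modules() {
    parse_modutil_list | grep -i 'cackey' | cut -d'|' -f1
}

# Succeeds if the OpenSC library is registered (stdin: modutil -list output).
opensc_registered() {
    parse_modutil_list | cut -d'|' -f2 | grep -qxF "$OPENSC_LIB"
}

# Audit a real database directory. Browsers must be closed while modutil
# edits a database, so this prints the fix commands instead of running them.
audit_nssdb() {
    dir="$1"
    out=$(modutil -dbdir "sql:$dir" -list 2>/dev/null) || { echo "cannot list $dir"; return 1; }
    printf '%s\n' "$out" | stale_cackey_modules | while IFS= read -r name; do
        echo "stale module in $dir: $name"
        echo "  fix: modutil -dbdir sql:$dir -delete \"$name\" -force"
    done
    if printf '%s\n' "$out" | opensc_registered; then
        echo "OpenSC module present in $dir"
    else
        echo "OpenSC module missing in $dir"
        echo "  fix: modutil -dbdir sql:$dir -add OpenSC -libfile $OPENSC_LIB"
    fi
}

# Constructed sample of modutil -list output, so the script runs without a CAC.
SAMPLE_MODUTIL_OUTPUT='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. CACKey
        library name: /usr/lib64/libcackey.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------'

# Stand-alone demo on the constructed sample; prints "CACKey".
printf '%s\n' "$SAMPLE_MODUTIL_OUTPUT" | stale_cackey_modules
# Real use, with all browsers closed:
#   audit_nssdb "$HOME/.pki/nssdb"
#   audit_nssdb "$HOME/.mozilla/firefox/<profile>"   # Firefox profile dir (placeholder)
```

`pkcs11-register` adds the OpenSC entry to each database's pkcs11.txt but leaves any earlier cackey entry in place, so the stale-module check is the part that `pkcs11-register` alone does not cover; the Firefox "Security Devices" dialog in the comment above is the GUI view of the same pkcs11.txt.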

> I switched to OpenSC before and it didn't seem to work but I tried again and was a little more diligent about removing some things (thanks to some help from a co-worker pointing me to the right places). After purging cackey, I also went through and deleted a few more things.
>
> 1. In the `~/.pki` database, I used (from home directory) `modutil -dbdir sql:.pki/nssdb/ -list` to show me the older module that referenced cackey, I found the name used and did a `modutil -dbdir sql:.pki/nssdb/ -delete "<name>"`. I verified it got deleted with another list check and did not see it there.
>
> 2. In firefox, I went to the Settings -> "Privacy & Security" -> "Certificates" -> "Security Devices" and Unloaded the Module that referenced my CAC (**NOT** the PKCS 11 Module or any other module I had there)
>
> I deleted those, installed opensc, and did the pkcs11-register function, which added the module into the ~/.pki database.
>
> For firefox, I went to the same devices location and "Loaded" a new module, but pointing to the library file at /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so.
>
> After all of that, I didn't restart my computer, but they still failed initially to connect to Outlook. I tried a couple times, removing and re-inserting my CAC, closing and re-opening browsers, and now it seems to be in a consistent state that I can access Microsoft 365 stuff on my browsers!
>
> I made sure to remove the configuration changes for restricting the TLS version and it still works! Thanks!

Thank you for the fast response!

I'm trying to pin down what causes this weird behavior so that I can transition to OpenSC in the script. This process worked for me after just running the commands that I listed. For others, it requires a reboot even if they run the pkcs11-register command, which mostly just adds the OpenSC module to each database's respective pkcs11.txt file, effectively loading the module. The error states may have simply been cached and automatically cleared themselves after some time.

Either way, I do appreciate your feedback!

jdjaxon avatar Jan 26 '24 16:01 jdjaxon

> > I switched to OpenSC before and it didn't seem to work but I tried again and was a little more diligent about removing some things (thanks to some help from a co-worker pointing me to the right places). After purging cackey, I also went through and deleted a few more things.
> >
> > 1. In the `~/.pki` database, I used (from home directory) `modutil -dbdir sql:.pki/nssdb/ -list` to show me the older module that referenced cackey, I found the name used and did a `modutil -dbdir sql:.pki/nssdb/ -delete "<name>"`. I verified it got deleted with another list check and did not see it there.
> >
> > 2. In firefox, I went to the Settings -> "Privacy & Security" -> "Certificates" -> "Security Devices" and Unloaded the Module that referenced my CAC (**NOT** the PKCS 11 Module or any other module I had there)
> >
> > I deleted those, installed opensc, and did the pkcs11-register function, which added the module into the ~/.pki database.
> >
> > For firefox, I went to the same devices location and "Loaded" a new module, but pointing to the library file at /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so.
> >
> > After all of that, I didn't restart my computer, but they still failed initially to connect to Outlook. I tried a couple times, removing and re-inserting my CAC, closing and re-opening browsers, and now it seems to be in a consistent state that I can access Microsoft 365 stuff on my browsers!
> >
> > I made sure to remove the configuration changes for restricting the TLS version and it still works! Thanks!
>
> Thank you for the fast response!
>
> I'm trying to pin down what causes this weird behavior so that I can transition to OpenSC in the script. This process worked for me after just running the commands that I listed. For others, it requires a reboot even if they run the pkcs11-register command, which mostly just adds the OpenSC module to each database's respective pkcs11.txt file, effectively loading the module. The error states may have simply been cached and automatically cleared themselves after some time.
>
> Either way, I do appreciate your feedback!

No problem! My "cleaning" also might have been overkill; my co-worker just recommended doing it, so I did, since it didn't seem like it would cause an issue. Maybe a reboot cleans some of that up if the .so file disappears?

jonselling avatar Jan 26 '24 17:01 jonselling

Running pkcs11-register theoretically should have added the OpenSC modules to each browser, but it wouldn't have removed the Cackey modules. I think your cleanup was appropriate. I use a VM and go to some pretty wild lengths to debug this setup, often going nuclear and reverting to a baseline snapshot.

Regardless, OpenSC seems to be performing better. I'm glad you were able to get back operational.

jdjaxon avatar Jan 26 '24 17:01 jdjaxon