Certificates are not being sent by the Chrome and Safari browsers on macOS during the TLS handshake. This leads to a handshake failure and the error pattern: "Safari can't open the page ... because Safari can't establish connection to the server ..."
The error pattern started to appear at the end of December 2021 and I see no specific correlation with other events. Prior to this the functionality was OK and stable for at least 24 months. Currently it is not possible to do the handshake with Safari and Chrome, but it is with Firefox, as Firefox uses an external driver association.
The certificates are, by the way, properly registered on macOS:
# system_profiler SPSmartCardsDataType
SmartCards:

    Readers:

      #01: ACS ACR39U ICC Reader (ATR:{length = 11, bytes = 0x...316})

    Reader Drivers:

      #01: fr.apdu.ccid.smartcardccid:1.4.34 (/usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle)

    SmartCard Drivers:

      #01: org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:1.1.1 (/Applications/Utilities/OpenSCTokenApp.app/Contents/PlugIns/OpenSCToken.appex)
      #02: com.apple.CryptoTokenKit.pivtoken:1.0 (/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/pivtoken.appex)

    Available SmartCards (keychain):

      com.apple.setoken:aks:

      org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:101051712600:

          #01: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x...001}, Usage: Sign
              Valid from: 2022-01-10 10:50:11 +0000 to: 2026-01-10 10:50:11 +0000, SSL trust: YES, X509 trust: YES
          -----BEGIN CERTIFICATE-----
          ...asd==
          -----END CERTIFICATE-----
          #02: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x..87}, Usage: Decrypt Unwrap
              Valid from: 2022-01-10 10:50:14 +0000 to: 2026-01-10 10:50:14 +0000, SSL trust: NO, X509 trust: YES
          -----BEGIN CERTIFICATE-----
          ...lkasjdlfkja
          -----END CERTIFICATE-----
          #03: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x...21e}, Usage: Sign Decrypt Unwrap
              Valid from: 2022-01-10 10:50:08 +0000 to: 2026-01-10 10:50:08 +0000, SSL trust: YES, X509 trust: YES
          -----BEGIN CERTIFICATE-----
          ...qSt7g==
          -----END CERTIFICATE-----

    Available SmartCards (token):

      com.apple.setoken:aks:

      org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:101051712600:

          #01: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x...001}, Usage: Sign
              Valid from: 2022-01-10 10:50:11 +0000 to: 2026-01-10 10:50:11 +0000, SSL trust: YES, X509 trust: YES
          -----BEGIN CERTIFICATE-----
          ...4VuQ==
          -----END CERTIFICATE-----
          #02: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x...587}, Usage: Decrypt Unwrap
              Valid from: 2022-01-10 10:50:14 +0000 to: 2026-01-10 10:50:14 +0000, SSL trust: NO, X509 trust: YES
          -----BEGIN CERTIFICATE-----
          adfasdfa
          -----END CERTIFICATE-----
          #03: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x...21e}, Usage: Sign Decrypt Unwrap
              Valid from: 2022-01-10 10:50:08 +0000 to: 2026-01-10 10:50:08 +0000, SSL trust: YES, X509 trust: YES
          -----BEGIN CERTIFICATE-----
          ...gdfSt7g==
          -----END CERTIFICATE-----
          #04: Certificate {length = 20, bytes = 0x...a68}
          #05: Certificate {length = 20, bytes = 0x...28a}
          #06: Certificate {length = 20, bytes = 0x...e6f}
          #07: Certificate {length = 20, bytes = 0x...9ac}
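As an added example (not code from this report or from OpenSC), the following Python script parses a `system_profiler SPSmartCardsDataType` listing like the one above and reports, entry by entry, why a TLS client could or could not use it: bare certificates without a private key, keys whose usage lacks Sign, entries marked SSL trust NO, and certificates outside their validity window. The eligibility rule is an assumption about what any client-authenticated handshake needs, not Apple's or Chrome's actual selection logic; the sample listing is constructed in the layout shown above and its fingerprints are placeholders.

```python
"""Triage helper for the bug report above: which smart-card identities could a
macOS browser offer in a TLS handshake that asks for a client certificate?
Parses the text printed by `system_profiler SPSmartCardsDataType`, the command
run in the report. Added example, not code from the report or from OpenSC. The
eligibility rule is an assumption about what any TLS client needs, not Apple's
or Chrome's real selection logic: a private key whose usage includes Sign, SSL
trust YES, and a validity window that contains the check time."""
import re
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample in the layout of the report's output; the fingerprints are
# placeholders and entry #03 is deliberately expired.
SAMPLE = """\
SmartCards:
    Readers:
    Available SmartCards (keychain):
      com.apple.setoken:aks:
      org.opensc-project.mac.opensctoken.OpenSCTokenApp.OpenSCToken:101051712600:
          #01: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x...001}, Usage: Sign
              Valid from: 2022-01-10 10:50:11 +0000 to: 2026-01-10 10:50:11 +0000, SSL trust: YES, X509 trust: YES
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER==
          -----END CERTIFICATE-----
          #02: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x...587}, Usage: Decrypt Unwrap
              Valid from: 2022-01-10 10:50:14 +0000 to: 2026-01-10 10:50:14 +0000, SSL trust: NO, X509 trust: YES
          #03: Kind: private RSA 2048-bit, Certificate: {length = 20, bytes = 0x...21e}, Usage: Sign Decrypt Unwrap
              Valid from: 2020-01-10 10:50:08 +0000 to: 2021-01-10 10:50:08 +0000, SSL trust: YES, X509 trust: YES
          #04: Certificate {length = 20, bytes = 0x...a68}
"""

SECTION_RE = re.compile(r"^Available SmartCards \((keychain|token)\):$")
KEY_RE = re.compile(r"^#(\d+): Kind: (.+?), Certificate: \{(.+?)\}, Usage: (.+)$")
CERT_RE = re.compile(r"^#(\d+): Certificate \{(.+?)\}$")
VALID_RE = re.compile(r"^Valid from: (.+?) to: (.+?), SSL trust: (YES|NO), X509 trust: (YES|NO)$")
DATE_FMT = "%Y-%m-%d %H:%M:%S %z"


@dataclass
class Identity:
    store: str              # "keychain" or "token" listing
    token: str              # token identifier the entry was listed under
    index: int              # the #NN number
    has_private_key: bool   # "Kind: private ..." entries; bare certificates lack one
    fingerprint: str
    usage: List[str] = field(default_factory=list)
    ssl_trust: Optional[bool] = None
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None


def parse_smartcards(text: str) -> List[Identity]:
    """Return every entry from the 'Available SmartCards' sections, in order."""
    identities: List[Identity] = []
    store: Optional[str] = None
    token = ""
    current: Optional[Identity] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            store, token, current = m.group(1), "", None
        elif store is None or not line:
            continue                       # readers/drivers are not identities
        elif m := KEY_RE.match(line):
            current = Identity(store, token, int(m.group(1)), True, m.group(3), usage=m.group(4).split())
            identities.append(current)
        elif m := CERT_RE.match(line):
            current = Identity(store, token, int(m.group(1)), False, m.group(2))
            identities.append(current)
        elif (m := VALID_RE.match(line)) and current is not None:
            current.not_before = datetime.strptime(m.group(1), DATE_FMT)
            current.not_after = datetime.strptime(m.group(2), DATE_FMT)
            current.ssl_trust = m.group(3) == "YES"
        elif line.endswith(":") and not line.startswith("#"):
            token, current = line[:-1], None   # e.g. the OpenSCToken:1010... line
    return identities                      # PEM lines and anything else are skipped


def reject_reason(ident: Identity, now=None) -> Optional[str]:
    """Why a TLS client could not use this entry, or None if it looks usable."""
    now = datetime.strptime(now, DATE_FMT) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    if not ident.has_private_key:
        return "no private key"
    if "Sign" not in ident.usage:
        return "key usage lacks Sign"
    if ident.not_before is None or ident.not_after is None:
        return "no validity line"
    if not ident.ssl_trust:
        return "SSL trust is NO"
    if not ident.not_before <= now <= ident.not_after:
        return "outside validity window"
    return None


def tls_client_candidates(identities: List[Identity], now=None) -> List[Identity]:
    return [i for i in identities if reject_reason(i, now) is None]


if __name__ == "__main__":   # system_profiler SPSmartCardsDataType | python3 triage.py
    for ident in parse_smartcards(sys.stdin.read()):
        print(f"#{ident.index:02d} {ident.fingerprint}: {reject_reason(ident) or 'usable'}")
```

Pipe a saved listing in on stdin. Run against the report's own listing, entries #01 and #03 have Sign usage, SSL trust YES and a validity window that covers the date of the report, so the keychain registration by itself does not explain the failure; that points the investigation at the browser-to-CryptoTokenKit path rather than at the certificates, and a capture of whether the server actually sends a CertificateRequest (for example with `openssl s_client`) is the next check.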
Problem Description
macOS Monterey 12.1 21C52
OpenSC: 0.22, installed with "brew install --cask opensc"
Safari: 15.2 (17612.3.6.1.6)
Chrome: Version 97.0.4692.71 (Official Build) (x86_64)
Firefox: 95.0.2 (64-bit)
Proposed Resolution
The issue should be investigated.
Steps to reproduce
Use macOS with Chrome or Safari and try to complete a TLS handshake.
Logs
TBD