Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Client certificate auth seems to fail in all (Edge/Chrome/FF) browsers running in sandbox #1679

Closed
mitchcapper opened this issue Mar 11, 2022 · 2 comments
Labels
Type: Documentation Improvements or additions to documentation Workaround Temporary or alternative solution

Comments

@mitchcapper
Copy link
Contributor

mitchcapper commented Mar 11, 2022

What happened?

Visit a website that has client certificate auth, I get the prompt for a certificate on all the browsers but upon selecting it get an error like: "ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS" or FF "SEC_ERROR_PKCS11_GENERAL_ERROR".

I have the tracelog and read what I believe are the doc pages on it I am not sure if it shows the result of the request or just the request. For example

File (D) Trace (FA) I found the definition of the items in the second set of parens:

When resource class is F, as in (FA) or (FD), the relevant settings are OpenFilePath and ClosedFilePath.
When resource class is K, as in (KA) or (KD), the relevant settings are OpenKeyPath and ClosedKeyPath.
When resource class is I, as in (IA) or (ID), the relevant settings are OpenIpcPath and ClosedIpcPath.
When resource class is G, as in (GA) or (GD), the relevant setting is OpenWinClass.
For COM objects displayed by ClsidTrace, the relevant setting is OpenClsid.

but not sure what the D means next to file

To Reproduce

Go to: https://badssl.com/download/ download "badssl.com-client.p12" import using defaults for password it is "badssl.com"

open firefox outside of sandboxie and go to: https://client.badssl.com/ should prompt for that certificate hit OK and it should work.

Do it inside sandboxie and I see
image

Expected behavior

certificate auth to work

What is your Windows edition and version?

10.0.19042.1526 pro

In which Windows account you have this problem?

A local or Microsoft account without special changes.

Please mention any installed security software

Windows defender & firewall

What version of Sandboxie are you running?

1.0.13 x64

Is it a regression?

unknown

List of affected browsers

firefox, chrome, edge

In which sandbox type you have this problem?

In a Hardened sandbox (red sandbox icon).

Is the sandboxed program also installed outside the sandbox?

Yes, it is also installed outside the sandbox.

Can you reproduce this problem on an empty sandbox?

I can confirm it also on an empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

Sandboxie-Plus.ini configuration (for Plus interface issues)

No response

@isaak654
Copy link
Collaborator

File (D) Trace (FA)

D stands for Denied and FA means you probably need to open a file path or close a file path (the relevant settings are OpenFilePath and ClosedFilePath).

In your case I would suggest OpenFilePath, but I couldn't tell without a trace log.

@mitchcapper
Copy link
Contributor Author

OpenFilePath didn't resolve but after watching procmon traces for both external and sandbox versions it was the private key access for signing failing. OpenSamEndpoint=y was the only change required to get certificate based auth fully working in both standard and enhanced protection modes.

@isaak654 isaak654 added Type: Documentation Improvements or additions to documentation HowTo Step-by-step instructions Workaround Temporary or alternative solution and removed HowTo Step-by-step instructions labels Mar 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Type: Documentation Improvements or additions to documentation Workaround Temporary or alternative solution
Projects
None yet
Development

No branches or pull requests

2 participants