eid isn't working on Chrome and Safari


Ivan Eulaers

May 7, 2015, 9:32:47 AM
to eid...@googlegroups.com
My eid is working perfectly when using Firefox. But I've never managed to get it working with Chrome and Safari.

When I go to test.eid.belgium.be I got the following error:

However, all my colleagues who are working with the same hardware and software, don't have a problem using Chrome or Safari.

I'm using OS X Yosemite version 10.10.3 and I reinstalled eID-Quickinstaller-4.0.7-7804-signed_tcm227-262904.dmg.

Do you know what can be wrong?


Ivan

Frederik Vernelen

May 7, 2015, 9:46:03 AM
to eid...@googlegroups.com
Hello,

Is our middleware the only smart card related software you installed?
As other packages like the OS Forge tokend might not work with 10 year valid cards.
(check /System/Library/Security/tokend/ -> only tokend there should be BEID.tokend, not BELPIC.tokend)

Did you install e.g. the acr driver package after you installed the middleware?
In that case, please reinstall the middleware, as there has been a driver package that also ran the opensc.autostart package (and that changes the pcsc behaviour of your Mac, in a way that it won't launch anymore on Yosemite).

Do you see "BELPIC" in your "Keychain Access" application (it's in Applications/Utilities) when your beid card is inserted?

Wkr,
 Frederik




Frederik Vernelen

May 7, 2015, 9:47:20 AM
to eid...@googlegroups.com
Another issue to take into account when using Safari is that it remembers your certificate choice.
So if you once mistakenly tried to authenticate on a government site with your signature certificate, it will keep on using that certificate to log on to that site (which will fail).
In order to reset the certificate choice:
-) enter your eID card
-) open Applications/Utilities/Keychain Access.
In Keychain Access, select keychain 'login' (the list of keychains is on the left).
On the right, you will get a list of certificates, keys and preferences. You're interested in the identity preferences.
Search for the URL of the site (e.g. https://test.eid.belgium.be) under name and double-click on it.
You should now be able to select your preferred certificate (select your authentication certificate).
-) An alternative to double-clicking on that URL is right-clicking (ctrl-click) on it and deleting it.

Ivan Eulaers

May 8, 2015, 11:40:00 AM
to eid...@googlegroups.com
I've reset the Keychain to default.

When I try to open https://test.eid.belgium.be in Safari I have to select my Authentication or Signature certificate (this is new - so one step further).

I select my Authentication and enter my pin number, but then I get

The website "test.eid.belgium.be" did not accept the certificate "unknown".

Ivan Eulaers

May 8, 2015, 11:46:44 AM
to eid...@googlegroups.com
In /System/Library/Security/tokend/ I have BEID.tokend and a folder uiplugins with BELPICViewerPlugin.bundle, CACViewerPlugin.bundle, PIViewerPlugin.bundle

In Keychain Access I have the following keychains:
- BEID-534...
- login
- Local Items
- System
- System Roots

My other colleagues have the same keychains but they have a working eid in Safari and Chrome.

Frederik Vernelen

May 11, 2015, 8:00:43 AM
to eid...@googlegroups.com
Hello Ivan,

your keychain and tokend look ok indeed.

your certificate does not

"The website "test.eid.belgium.be" did not accept the certificate "unknown"."

I checked with our service desk, and they have had cases with this error message before.
It seems to be caused by the certificate settings in the keychain:
When your authentication certificate is set to "always trust", this error appears. (Probably Safari then thinks the certificate is a trusted root, and sends only the auth certificate towards test.eid.belgium.be, instead of the entire certificate chain.)

How to change this setting:
-) open keychain manager (Applications/Utilities)
-) enter your eID card, so its certificates appear in the keychain manager
-) double click on your authentication certificate
-) expand the "Trust" tab
-) change the trust setting "When using this certificate" from "Always trust" to "Use System Defaults"

Wkr,
 Frederik

Ivan Eulaers

May 13, 2015, 3:27:59 AM
to eid...@googlegroups.com
Frederik,

Thanks a lot for your reply. By following your instructions, I managed to get it working in Chrome.  

Safari still shows the error "Safari can't open the page. Safari can't open the page "https://test.eid.belgium.be" because Safari can't establish a secure connection to the server "test.eid.belgium.be"."

Regards

Ivan

Frederik Vernelen

May 13, 2015, 4:08:15 AM
to eid...@googlegroups.com
You're welcome,

I'm glad it works with Chrome already.

Does Safari work with other https sites? (bank sites, webmail,..)

I found some possible solutions on other fora:
https://discussions.apple.com/thread/6431361

"Turns out it was my mac antivirus that was causing the "Safari can't Establish a secure connection". All website are working after i disable the Web Shield in my antivirus setting. "

This is something we see on all OS's.
Anti virus and anti malware programs that are performing a MITM attack in order to read https traffic, and by doing so, often messing up the secure authentication.

so in case you have anti-virus software running,  if you could try disabling (a part of) your anti-virus software?

Wkr,
 Frederik

