SafeExamBrowser / seb-testing

SEB installers for TESTING only, see releases in seb-win / seb-mac for stable public releases.

Client SSL Authentication #1

Closed mokerhamer closed 7 years ago

mokerhamer commented 7 years ago

I have tested it: Client SSL certificates don't work properly when using XULRunner.

When adding any kind of browser to SEB it works immediately. XULRunner seems to have issues with the Client SSL Authentication Certificate. We have installed the full chain.

After installing all certificates, the CA won't show in the CA drop-down menu. Is there any way to fetch debug logs regarding the SSL authentication, so I can post them?

If there is any update regarding it, please notify me. Besides, the sources of the test client aren't available to run it in debugger mode (Visual Basic).

eqsoft commented 7 years ago

Hi Munier, thank you for testing and reporting! I am using the new browser engine in a Linux-based client with client authentication certs and it works fine. I did not try the Windows SEB with client certs, but it points out that it cannot be a basic problem with XULRunner. Maybe you can give me some more information about your version and configuration? And what did you mean by "When adding any kind of browser to SEB it works immediately"? How did you replace the browser engine in SEB? Regards, Stefan

mokerhamer commented 7 years ago

I've included IE/Mozilla/Chrome as an application, it worked fine. Received a popup to select the correct certificate when browsing to the URL. It doesn't work with the default included XULRunner Mozilla. May I solve the bug? I can't find the beta sources. Would be nice to contribute.

Regarding the configuration: installed client certificate as exportable, and included it as identity in the configuration. Installed full chain, but not available in any options menu so I couldn't add them in the configuration. Receiving a 403.7 error (client certificate was not found or selected).

Windows 10 home, up to date.

regards,

pawy commented 7 years ago

Did you try it with SEB 2.2 too? There we switched the browser engine from XULRunner to Firefox.

mokerhamer commented 7 years ago

I did use the 2.2 testing client windows variant.

pawy commented 7 years ago

The "Beta Sources" are in Branch 2.2_merged :) https://github.com/SafeExamBrowser/seb-win/tree/2.2_merged

If you find a bug and a solution we would appreciate your contribution. I am working on v 2.1.4 bugfix release and therefore the issues for 2.2 are not top priority at the moment.

Thanks

mokerhamer commented 7 years ago

@pawy I think I found it (converting certificate to PEM), but I need a more detailed debugger (SSL handshake, etc.). Can you help me with setting up a detailed debugger?

pawy commented 7 years ago

You can debug into the code with Visual Studio. Just run SEB in Debug Mode. Also set "none" for Kiosk-Mode in the Security-Tab of the config-tool.

mokerhamer commented 7 years ago

Having issues running it through VB, but you have confirmed my initial thought. Thank you :)

danschlet commented 7 years ago

You wrote "I've included IE/Mozilla/Chrome as an application, it worked fine. Received a popup to select the correct certificate when browsing to the URL."

This is not how embedded certificates should work in SEB! If the certificate shows a pop up in another browser that means it's not the correct certificate for that server URL, it fails some part of validation (URL/port doesn't match common/alternative paths exactly, CA chain is not correct or certificate is expired). Certificate embedding in SEB should increase security by providing the exact (100% correct) certificate for the exam server and NOT letting exam users override a faulty certificate. So you should provide the correct certificate in the first place!

You can nevertheless override certificate validation by embedding a "debug" type certificate in SEB 2.2 (Windows) or SEB 2.1.1 or higher for macOS. You can add a different domain name and port to the common/alternative name fields of the certificate by changing the name of the certificate in the list of embedded certificates in Network/Certificate settings.
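
The name and validity-period checks listed in the comment above, as an added example that is not part of the thread or of SEB's code. It takes a certificate in the dict format returned by Python's `ssl.SSLSocket.getpeercert()`, does not verify the CA chain, and the sample certificate (host names, dates) is constructed.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert();
# the host names and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "exam.example.org"),),),
    "subjectAltName": (("DNS", "exam.example.org"), ("DNS", "*.lms.example.org")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}


def _name_matches(pattern, host):
    """RFC 6125 style match: a wildcard may only stand for the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def diagnose(cert, host, now):
    """Return the reasons the certificate would fail for `host` at time `now`."""
    problems = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Subject alternative names take precedence; fall back to the common name
    # only when the certificate carries no DNS SAN entries at all.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, host) for n in names):
        problems.append("name mismatch: certificate covers " + ", ".join(names))
    return problems


if __name__ == "__main__":
    when = datetime(2018, 6, 1, tzinfo=timezone.utc)
    print(diagnose(SAMPLE_CERT, "other.example.org", when))
```

An empty list means the name and dates are fine, so a remaining validation failure points at the CA chain.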

danschlet commented 7 years ago

You cannot debug things like the SSL handshake and other network-related stuff in the .NET SEB code, as this is happening completely inside the SEB Windows browser. There is some JavaScript code which handles this, check it out at https://github.com/eqsoft/seb2. I guess that can be debugged too, but that is something the developer of our SEB Windows browser component, eqsoft, can answer.

mokerhamer commented 7 years ago

Thank you guys! I got it partially working (with usage of eqsoft certdb manager). At this moment: it only seems to work when "Master Password" is enabled :)

Got it working! I need to manually add the certificates to the .db files in the profile. Embedding the identity through the SEB config does not work in my case. (It works not even though the identity is not shown in the drop-down menu anymore!) Using @eqsoft's cert manager that can be found in the link above.