I'm trying to implement smartcard login on my website. I have NodeJS and my own CA to generate the client cert.
Everything works when the cert is imported into the cert store on the client PC; I can authenticate with that setup. When I try to use the same cert imported into a V3 smartcard:
The browser IS able to get the cert
TLS shows the following; this exchange and this error occur maybe 5 times between when I load the page and when I enter the card PIN (fatal, but communication restarts afterwards with a ClientHello):
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ChangeCipherSpec (20)
Length = 1
Received Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 25
Inner Content Type = Handshake (22)
Certificate, Length=4
context (len=0):
certificate_list, length=0
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = ApplicationData (23)
Length = 19
Inner Content Type = Alert (21)
Level=fatal(2), description=unknown(116)
TLS eventually shows user cert + issuer cert are sent to the server:
Inner Content Type = Handshake (22)
Certificate
BUT directly after that, the client sends Level=fatal(2), description=handshake failure(40).
So why does the client send handshake failure just after it sent over the certs?? I am pretty sure the certs are fine locally; this succeeds:
openssl s_client -connect website.com:443 -prexit -cert usercert.pem -key userkey.pem -CAfile fullchain.pem -pass pass:12345
Finally, the answer was to disable TLSv1.3. V3 applet cards (as opposed to MD cards) don't support some cipher suite from TLSv1.3. I haven't checked which in any detail.
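An added example, not code from the original post, that decodes the TLS 1.3 records quoted in the trace and shows the Node.js `tls`/`https` server option the workaround amounts to. Two points worth knowing for reading such a trace: alert 116 is certificate_required, defined by TLS 1.3 (RFC 8446), which is why an older OpenSSL prints it as unknown(116); a server sends it when the client answers a CertificateRequest with an empty certificate_list, exactly the "certificate_list, length=0" message in the trace before the PIN is entered. TLS 1.3 also requires RSA-PSS for RSA signatures in CertificateVerify, and cards or middleware that only produce PKCS#1 v1.5 signatures fail at that step; that is a plausible reading of the later handshake_failure(40), not something the post confirms. The alert table is a subset, the byte strings are constructed to match the trace, and serverOptionsTls12Only is a hypothetical helper name.

```javascript
// Added example (not the poster's code): decode the TLS 1.3 messages seen in
// the trace and build the Node.js server options that cap the protocol at TLS 1.2.

// Subset of TLS AlertDescription values (RFC 5246 and RFC 8446).
// 116 (certificate_required) was added by TLS 1.3.
const ALERT_DESCRIPTIONS = {
  0: 'close_notify',
  40: 'handshake_failure',
  42: 'bad_certificate',
  48: 'unknown_ca',
  116: 'certificate_required',
};

// Alert plaintext is two bytes: AlertLevel(1) AlertDescription(1).
function parseAlert(buf) {
  if (buf.length !== 2) throw new Error('alert must be exactly 2 bytes');
  const level = buf[0] === 1 ? 'warning' : buf[0] === 2 ? 'fatal' : `unknown(${buf[0]})`;
  const description = ALERT_DESCRIPTIONS[buf[1]] ?? `unknown(${buf[1]})`;
  return { level, code: buf[1], description };
}

// TLS 1.3 Certificate handshake message (RFC 8446 section 4.4.2):
//   HandshakeType(1) = 11, length(3),
//   certificate_request_context<0..255>,
//   certificate_list<0..2^24-1> of { cert_data<1..2^24-1>, extensions<0..2^16-1> }
function parseCertificateMessage(buf) {
  if (buf[0] !== 11) throw new Error(`not a Certificate message (type ${buf[0]})`);
  const bodyLen = buf.readUIntBE(1, 3);
  const body = buf.subarray(4, 4 + bodyLen);
  if (body.length !== bodyLen) throw new Error('truncated Certificate message');
  const ctxLen = body[0];            // empty during the main handshake,
  let off = 1 + ctxLen;              // non-empty only for post-handshake auth
  const listLen = body.readUIntBE(off, 3);
  off += 3;
  const end = off + listLen;
  if (end !== body.length) throw new Error('certificate_list length mismatch');
  const entries = [];
  while (off < end) {
    const certLen = body.readUIntBE(off, 3); off += 3;
    const certData = body.subarray(off, off + certLen); off += certLen;
    const extLen = body.readUInt16BE(off); off += 2;
    off += extLen;                   // per-certificate extensions are skipped here
    entries.push({ certLength: certLen, firstByte: certData[0] });
  }
  if (off !== end) throw new Error('certificate_list overran its length');
  return { contextLength: ctxLen, certificateCount: entries.length, entries };
}

// Constructed input: the empty Certificate from the trace
// ("Certificate, Length=4 / context (len=0) / certificate_list, length=0").
// The record length 25 in the trace = 8 message bytes + 1 inner content-type byte + 16-byte AEAD tag.
const EMPTY_CERTIFICATE_MSG = Buffer.from([0x0b, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00]);

// Constructed input: one 3-byte placeholder "certificate" with no extensions.
const ONE_CERT_MSG = Buffer.from([
  0x0b, 0x00, 0x00, 0x0c,             // Certificate, body length 12
  0x00,                               // certificate_request_context length 0
  0x00, 0x00, 0x08,                   // certificate_list length 8
  0x00, 0x00, 0x03, 0xaa, 0xbb, 0xcc, // cert_data length 3 + placeholder bytes
  0x00, 0x00,                         // extensions length 0
]);

// The two fatal alerts from the trace (level 2 = fatal).
const SERVER_ALERT_116 = Buffer.from([0x02, 0x74]);
const CLIENT_ALERT_40 = Buffer.from([0x02, 0x28]);

// Hypothetical helper (not in the original post): options for tls.createServer /
// https.createServer that require a client certificate and cap the protocol at
// TLS 1.2, which is what "disable TLSv1.3" means on the Node.js side.
function serverOptionsTls12Only(pem) {
  return {
    key: pem.key, cert: pem.cert, ca: pem.ca,
    requestCert: true,
    rejectUnauthorized: true,
    maxVersion: 'TLSv1.2',
  };
}

function demo() {
  return {
    emptyCert: parseCertificateMessage(EMPTY_CERTIFICATE_MSG),
    oneCert: parseCertificateMessage(ONE_CERT_MSG),
    serverAlert: parseAlert(SERVER_ALERT_116),
    clientAlert: parseAlert(CLIENT_ALERT_40),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Capping at TLS 1.2 is a blunt fix: it keeps working smartcards but also gives up TLS 1.3 for every client. A narrower approach is to keep TLS 1.3 enabled and check whether the card's middleware can sign with RSA-PSS, since that is the usual sticking point for hardware tokens under TLS 1.3.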