Client certificate auth seems to fail in all (Edge/Chrome/FF) browsers running in sandbox

[mitchcapper]

What happened?

Visit a website that has client certificate auth, I get the prompt for a certificate on all the browsers but upon selecting it get an error like: "ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS" or FF "SEC_ERROR_PKCS11_GENERAL_ERROR".

I have the tracelog and read what I believe are the doc pages on it I am not sure if it shows the result of the request or just the request. For example

File (D) Trace (FA) I found the definition of the items in the second set of parens:

When resource class is F, as in (FA) or (FD), the relevant settings are OpenFilePath and ClosedFilePath.
When resource class is K, as in (KA) or (KD), the relevant settings are OpenKeyPath and ClosedKeyPath.
When resource class is I, as in (IA) or (ID), the relevant settings are OpenIpcPath and ClosedIpcPath.
When resource class is G, as in (GA) or (GD), the relevant setting is OpenWinClass.
For COM objects displayed by ClsidTrace, the relevant setting is OpenClsid.

but not sure what the D means next to file

To Reproduce

Go to: https://badssl.com/download/ download "badssl.com-client.p12" import using defaults for password it is "badssl.com"

open firefox outside of sandboxie and go to: https://client.badssl.com/ should prompt for that certificate hit OK and it should work.

Do it inside sandboxie and I see

Expected behavior

certificate auth to work

What is your Windows edition and version?

10.0.19042.1526 pro

In which Windows account you have this problem?

A local or Microsoft account without special changes.

Please mention any installed security software

Windows defender & firewall

What version of Sandboxie are you running?

1.0.13 x64

Is it a regression?

unknown

List of affected browsers

firefox, chrome, edge

In which sandbox type you have this problem?

In a Hardened sandbox (red sandbox icon).

Is the sandboxed program also installed outside the sandbox?

Yes, it is also installed outside the sandbox.

Can you reproduce this problem on an empty sandbox?

I can confirm it also on an empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response

Sandboxie-Plus.ini configuration (for Plus interface issues)

No response

[isaak654]

File (D) Trace (FA)

D stands for Denied and FA means you probably need to open a file path or close a file path (the relevant settings are OpenFilePath and ClosedFilePath).

In your case I would suggest OpenFilePath, but I couldn't tell without a trace log.

[mitchcapper]

OpenFilePath didn't resolve but after watching procmon traces for both external and sandbox versions it was the private key access for signing failing. OpenSamEndpoint=y was the only change required to get certificate based auth fully working in both standard and enhanced protection modes.