10.4: A fix for post-security-update WebKit SSL issues System 10.4
The installation of the Security Update 2006-007 apparently changes the way SSL certificates are validated by WebKit-based applications. If you ever changed the certificate security policies, you may be unable to connect to SSL sites with Safari. A notable example is https://mail.google.com/mail/.

The fix is to revert to the default certificate security policy by removing the file ~/Library/Preferences/com.apple.security.revocation.plist.

Note that if you are not experiencing any connection problems, you do not need to perform this action!
10.4: A fix for post-security-update WebKit SSL issues
Authored by: monickels on Dec 05, '06 08:45:06AM

Bingo! That fixed the problem for me. It was weird because I could visit my Google Adsense reports from Safari at home, but not in the office. Removing that file seems to have fixed it so that it works in both places now.

---
Double-Tongued Word Wrester: a growing dictionary of old and new words from the fringes of English. http://www.doubletongued.org/

10.4: A fix for post-security-update WebKit SSL issues
Authored by: pepi on Dec 05, '06 10:56:27AM

Even easier without losing your preferences:

Go to /Applications/Utilities and open Keychain.app. In the Preferences move to the "Certificates" tab and alter the popup-menu for OCSP to read "Off" or "Require if Cert indicates" and Safari will open SSL sites again. "Best attempt" and "Require for all certs" keep my Safari from opening secure sites.

The same problem also arises with Apple's Mail.app and SSL connections to POP, IMAP and SMTP servers. Fixed that way as well.
Pepi

10.4: A fix for post-security-update WebKit SSL issues
Authored by: iDG on Dec 11, '06 05:52:04AM
OCSP to read "Off" or "Require if Cert indicates"

The only preference saved to that file is exactly that, so you can remove it safely.
A painful removal of preference files was how I discovered what caused the problem. After I found what file was involved, and seeing what it did contain I didn't bother to track down how it was created, at first. When I found out, I thought that reverting to default behavior was still better than changing the setting (which proved to be a bad idea, as the "original" change ended up causing troubles).

As I said, no reason to change anything if it already works.

10.4: A fix for post-security-update WebKit SSL issues
Authored by: af3556 on Dec 06, '06 10:12:16PM
Thanks very much for this tip.

A symptom of this is Safari and other apps (e.g. iPhoto w/ Picasa plugin) failing to work with secure signon for Google: the Mac attempts to verify the certs with http://ocsp.thawte.com (Thawte being Google's CA), which returns an error HTTP 504. Safari et al then report a failure to connect to the original server.

Rgds,
Ben

10.4: A fix for post-security-update WebKit SSL issues
Authored by: af3556 on Aug 03, '07 03:40:39AM
Actually I was wrong: Thawte's OCSP is working fine (well, for at least openssl). e.g.

$ curl http://www.thawte.com/repository/Thawte_SGC_CA.crt | openssl x509 -inform DER -outform PEM > Thawte_SGC_CA.pem
$ openssl s_client -connect google.com:443 -CApath /sw/etc/ssl/certs/ < /dev/null > ./google.pem
$ openssl ocsp -issuer Thawte_SGC_CA.pem -CApath /sw/etc/ssl/certs/ -url http://ocsp.thawte.com -resp_text -cert ./google.pem
...
./google.pem: good
...

A packet trace shows that the OCSP request made by OS X is much shorter than openssl's, and moreover Thawte are returning "unauthorized (6)" where openssl works fine. i.e. there's possibly a bug in OS X's OCSP implementation.

The reason why making the OCSP check "Best Attempt" works (and "Require if Cert Indicates" fails) is simply that "unauthorized" doesn't mean the cert's invalid. Basically, OS X can't check Thawte-issued certs.

Hmmm...
Ben

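The distinction Ben draws (a responder answering "unauthorized (6)" is not the same as the certificate being revoked) is exactly what a revocation policy has to decide on. The following added example, written for this page and not taken from the hint, from any commenter, or from Apple's or OpenSSL's code, decodes the outer responseStatus of a DER OCSPResponse as defined in RFC 6960 and then applies three generic policy kinds (off, soft-fail, hard-fail) to it. The sample responses are constructed by hand; the policy names are the generic ones, and which Keychain Access label corresponds to which kind is not something the example asserts.

```python
"""Decode the outer status of a DER-encoded OCSPResponse (RFC 6960 4.2.1)
and show how soft-fail vs hard-fail revocation policies treat an answer
such as "unauthorized (6)". Added example; sample bytes are constructed."""
from enum import IntEnum


class OCSPResponseStatus(IntEnum):
    """OCSPResponseStatus ENUMERATED values from RFC 6960 (4 is unused)."""
    SUCCESSFUL = 0
    MALFORMED_REQUEST = 1
    INTERNAL_ERROR = 2
    TRY_LATER = 3
    SIG_REQUIRED = 5
    UNAUTHORIZED = 6


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                     # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_response(der: bytes):
    """Return (responseStatus, responseType OID or None).

    OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
                                responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
    ResponseBytes ::= SEQUENCE { responseType OID, response OCTET STRING }
    The per-certificate status (good/revoked/unknown) sits inside the OCTET
    STRING (BasicOCSPResponse) and is not decoded here; error responses
    carry no responseBytes at all, so they can never say "revoked".
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, status_bytes, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(status_bytes) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    status = OCSPResponseStatus(status_bytes[0])
    if pos >= len(body):
        return status, None
    tag, explicit, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected [0] EXPLICIT responseBytes")
    _, seq, _ = _read_tlv(explicit, 0)
    tag, oid, _ = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("responseType must be an OID")
    return status, _decode_oid(oid)


def connection_allowed(status: OCSPResponseStatus, policy: str, cert_status=None) -> bool:
    """Apply a revocation policy to the outer status.

    policy: "off"       - checking disabled, never blocks
            "soft-fail" - a responder error is "no answer", not "revoked": pass;
                          on a successful answer block only if revoked
            "hard-fail" - require a successful answer whose cert status is "good"
    cert_status: "good" | "revoked" | "unknown", taken by the caller from the
                 inner BasicOCSPResponse when status is SUCCESSFUL.
    """
    if policy == "off":
        return True
    if status != OCSPResponseStatus.SUCCESSFUL:
        return policy == "soft-fail"
    if policy == "soft-fail":
        return cert_status != "revoked"
    if policy == "hard-fail":
        return cert_status == "good"
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample bytes (not captured from any responder):
# the shortest possible OCSPResponse, an "unauthorized (6)" reply
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")
# a "successful (0)" reply naming id-pkix-ocsp-basic; the BasicOCSPResponse
# OCTET STRING is a one-byte dummy, not a real signed response
SUCCESSFUL_RESPONSE = bytes.fromhex("30150a0100a010300e06092b0601050507300101040100")

if __name__ == "__main__":
    for name, der in (("unauthorized", UNAUTHORIZED_RESPONSE), ("successful", SUCCESSFUL_RESPONSE)):
        status, rtype = parse_ocsp_response(der)
        for policy in ("off", "soft-fail", "hard-fail"):
            print(f"{name}: {status.name} {rtype} {policy:9} -> {connection_allowed(status, policy, 'good')}")
```

Run as a script it prints one decision per response and policy: the "unauthorized" reply passes under "off" and "soft-fail" and is blocked only under "hard-fail", which is the behaviour difference the thread is circling around, whichever Keychain Access label turns out to be the hard-fail one on a given build.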