10.4: A fix for post-security-update WebKit SSL issues
Thanks very much for this tip.
A symptom of this is Safari and other apps (e.g. iPhoto w/ Picasa plugin) failing to work with secure signon for Google: the Mac attempts to verify the certs with http://ocsp.thawte.com (Thawte being Google's CA), which returns an error HTTP 504. Safari et al then report a failure to connect to the original server. Rgds, Ben
10.4: A fix for post-security-update WebKit SSL issues
Actually I was wrong: Thawte's OCSP is working fine (well, for at least openssl). e.g.
$ curl http://www.thawte.com/repository/Thawte_SGC_CA.crt | openssl x509 -inform DER -outform PEM > Thawte_SGC_CA.pem
$ openssl s_client -connect google.com:443 -CApath /sw/etc/ssl/certs/ < /dev/null > ./google.pem
$ openssl ocsp -issuer Thawte_SGC_CA.pem -CApath /sw/etc/ssl/certs/ -url http://ocsp.thawte.com -resp_text -cert ./google.pem
...
./google.pem: good
...

A packet trace shows that the OCSP request made by OS X is much shorter than openssl's, and moreover Thawte are returning "unauthorized (6)" where openssl works fine. i.e. there's possibly a bug in OS X's OCSP implementation. The reason why making the OCSP check "Best Attempt" works (and "Require if Cert Indicates" fails) is simply that "unauthorized" doesn't mean the cert's invalid. Basically, OS X can't check Thawte-issued certs. Hmmm... Ben
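The difference between the two settings discussed in the comment above can be modelled as follows. This is an added example, not part of the original post and not Apple's or OpenSSL's code; the policy names `best_attempt` and `require`, the function names and the sample bytes are assumptions made for illustration, and the status codes are those of RFC 6960.

```python
# Simplified model of soft-fail vs hard-fail OCSP checking (illustrative only).
# OCSPResponseStatus values from RFC 6960 (value 4 is not used).
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

# Constructed sample: the complete DER encoding of an error-only OCSPResponse,
# SEQUENCE { ENUMERATED 6 }, i.e. the "unauthorized (6)" answer described above.
UNAUTHORIZED_DER = bytes.fromhex("30030a0106")


def response_status(der):
    """Return the responseStatus name from a DER-encoded OCSPResponse."""
    if len(der) < 5 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Skip the SEQUENCE length: one byte (short form) or 1 + n bytes (long form).
    pos = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)
    if len(der) < pos + 3 or der[pos:pos + 2] != b"\x0a\x01":
        raise ValueError("expected a one-byte ENUMERATED responseStatus")
    code = der[pos + 2]
    if code not in OCSP_STATUS:
        raise ValueError("unknown responseStatus %d" % code)
    return OCSP_STATUS[code]


def accept_certificate(policy, status, cert_status=None):
    """Decide whether to trust the certificate.

    policy      -- "best_attempt" (soft-fail) or "require" (hard-fail)
    status      -- responder status as returned by response_status()
    cert_status -- "good", "revoked" or "unknown"; only set when the
                   responder status is "successful"
    """
    if policy not in ("best_attempt", "require"):
        raise ValueError("unknown policy")
    if status == "successful" and cert_status == "revoked":
        return False              # a definite revocation fails under both
    if status == "successful" and cert_status == "good":
        return True               # a definite "good" passes under both
    # Responder error or "unknown": the responder has said nothing about the
    # certificate itself, so only the soft-fail policy lets the connection on.
    return policy == "best_attempt"


if __name__ == "__main__":
    status = response_status(UNAUTHORIZED_DER)
    for policy in ("best_attempt", "require"):
        print(policy, status, accept_certificate(policy, status))
```

Under the soft-fail policy any responder error is accepted, which is also why that setting gives no protection when the responder is unreachable or misbehaving.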
Copyright © 2014 IDG Consumer & SMB (Privacy Policy) Contact Us All trademarks and copyrights on this page are owned by their respective owners. |