

10.4: A fix for post-security-update WebKit SSL issues
Authored by: af3556 on Dec 06, '06 10:12:16PM
Thanks very much for this tip.

A symptom of this is Safari and other apps (e.g. iPhoto w/ Picasa plugin) failing to work with secure signon for Google: the Mac attempts to verify the certs with http://ocsp.thawte.com (Thawte being Google's CA), which returns an error HTTP 504. Safari et al then report a failure to connect to the original server.

Rgds,
Ben

10.4: A fix for post-security-update WebKit SSL issues
Authored by: af3556 on Aug 03, '07 03:40:39AM
Actually I was wrong: Thawte's OCSP is working fine (well, at least for openssl), e.g.

$ curl http://www.thawte.com/repository/Thawte_SGC_CA.crt | openssl x509 -inform DER -outform PEM > Thawte_SGC_CA.pem
$ openssl s_client -connect google.com:443 -CApath /sw/etc/ssl/certs/ < /dev/null > ./google.pem
$ openssl ocsp -issuer Thawte_SGC_CA.pem -CApath /sw/etc/ssl/certs/ -url http://ocsp.thawte.com -resp_text -cert ./google.pem
...
./google.pem: good
...

A packet trace shows that the OCSP request made by OS X is much shorter than openssl's, and moreover Thawte is returning "unauthorized (6)" where openssl works fine, i.e. there's possibly a bug in OS X's OCSP implementation.

The reason why making the OCSP check "Best Attempt" works (and "Require if Cert Indicates" fails) is simply that "unauthorized" doesn't mean the cert's invalid. Basically, OS X can't check Thawte-issued certs.

Hmmm...
Ben

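The distinction Ben draws (an "unauthorized (6)" responseStatus is not a verdict on the certificate, so a best-effort policy passes while a required check fails) can be shown in code. The following is an added example, not from the post or from Apple's or OpenSSL's code: it decodes the responseStatus of a DER OCSPResponse and applies the two policies. The DER sample bytes are constructed inline, and the mapping of the Keychain Access settings "Best Attempt" and "Require if Cert Indicates" onto the two branches is an assumption about their semantics.

```python
# OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }
# responseStatus values are defined in RFC 2560 / RFC 6960.
OCSP_RESPONSE_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}

def _read_length(der: bytes, i: int):
    """Decode a DER length at offset i; return (length, offset_after_length)."""
    first = der[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def ocsp_response_status(der: bytes) -> str:
    """Return the responseStatus name of a DER-encoded OCSPResponse."""
    if not der or der[0] != 0x30:
        raise ValueError("OCSPResponse must start with a SEQUENCE")
    _, i = _read_length(der, 1)
    if der[i] != 0x0A:
        raise ValueError("responseStatus must be an ENUMERATED")
    length, i = _read_length(der, i + 1)
    value = int.from_bytes(der[i:i + length], "big")
    return OCSP_RESPONSE_STATUS.get(value, f"unknown({value})")

def accept_certificate(response_status: str, cert_status, policy: str,
                       cert_has_ocsp_url: bool = True) -> bool:
    """Decide whether a cert passes revocation checking under a policy.

    cert_status is "good"/"revoked"/"unknown" for a successful response and
    None otherwise. Policy names are assumed labels for the two Keychain settings:
      "best_attempt"              - only a definitive 'revoked' answer rejects
      "require_if_cert_indicates" - if the cert carries an OCSP URL, anything
                                    short of a definitive 'good' answer rejects
    """
    if response_status == "successful" and cert_status == "revoked":
        return False
    if response_status == "successful" and cert_status == "good":
        return True
    # No definitive answer: unauthorized, tryLater, internalError, 'unknown' status...
    if policy == "best_attempt":
        return True
    if policy == "require_if_cert_indicates":
        return not cert_has_ocsp_url
    raise ValueError(f"unknown policy {policy!r}")

# Constructed sample: a bare OCSPResponse carrying only responseStatus = unauthorized (6).
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")
```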