10.4: A fix for post-security-update WebKit SSL issues
Authored by: af3556 on Aug 03, '07 03:40:39AM
Actually I was wrong: Thawte's OCSP is working fine (well, at least for openssl), e.g.:

$ curl | openssl x509 -inform DER -outform PEM > Thawte_SGC_CA.pem
$ openssl s_client -connect -CApath /sw/etc/ssl/certs/ < /dev/null > ./google.pem
$ openssl ocsp -issuer Thawte_SGC_CA.pem -CApath /sw/etc/ssl/certs/ -url -resp_text -cert ./google.pem
./google.pem: good

A packet trace shows that the OCSP request made by OS X is much shorter than openssl's, and moreover Thawte are returning "unauthorized (6)" where openssl works fine, i.e. there's possibly a bug in OS X's OCSP implementation.

The reason why making the OCSP check "Best Attempt" works (and "Require if Cert Indicates" fails) is simply that "unauthorized" doesn't mean the cert's invalid. Basically, OS X can't check Thawte-issued certs.


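An added example, not part of af3556's post: a small pure-Python decoder for the outer OCSPResponse structure (RFC 2560, section 4.2.1) that separates the *response* status (successful, unauthorized, and so on) from the *certificate* status, and shows why a "Best Attempt" policy accepts an "unauthorized (6)" reply while a "Require" policy rejects it. Both DER blobs are constructed samples; the "successful" one carries an empty placeholder body instead of a real BasicOCSPResponse, so only the outer shell is decoded.

```python
# OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT ... OPTIONAL }
OCSP_RESPONSE_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}

# Constructed sample: responseStatus = unauthorized(6), no responseBytes (what the post
# reports Thawte returning to OS X's shorter request).
UNAUTHORIZED_RESP = bytes.fromhex("3003 0a01 06")

# Constructed sample: responseStatus = successful(0) with responseBytes present; the
# id-pkix-ocsp-basic OID is real, but the OCTET STRING body is an empty placeholder.
SUCCESSFUL_SHELL = bytes.fromhex("3014 0a0100 a00f 300d 0609 2b0601050507300101 0400")


def _tlv(buf, pos):
    """Decode one DER TLV starting at pos: returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ocsp_response_status(der):
    """Return (code, name, has_response_bytes) for an OCSPResponse without touching the body."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, status, pos = _tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    has_bytes = pos < len(body) and body[pos] == 0xA0
    return status[0], OCSP_RESPONSE_STATUS.get(status[0], "unknown"), has_bytes


def evaluate(der, policy):
    """Apply a revocation policy to the response-level status only.

    'best_attempt': a non-successful status is inconclusive, not a revocation -> chain decides.
    'require':      anything short of a successful response fails the check (hard-fail).
    'check_cert_status' means the caller must now parse the BasicOCSPResponse (good/revoked/unknown).
    """
    code, _, has_bytes = ocsp_response_status(der)
    if code == 0 and has_bytes:
        return "check_cert_status"
    return "inconclusive_accept" if policy == "best_attempt" else "reject"
```

The "unauthorized" path is the whole point: it says the responder would not answer this request, which says nothing about whether the certificate itself has been revoked.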