[foaf-protocols] Safari 4.01 (5530.18) ssl bugs
Story Henry
henry.story at bblfish.net
Sun Jun 21 21:38:11 CEST 2009
After a number of upgrades, I recently ended up with Safari 4.01 on my
OSX leopard 10.5.7 laptop. Again it seems to me that the
implementation of SSL has not improved in this release, which again is
a pity given the user friendliness of the OS on the whole. These
failures do make evident the usefulness of the OpenId hack, as a
fallback position for broken browsers.
It would be very helpful to get some feedback from others on this list
to verify that this does indeed show up a bug in Safari rather than
our code. We can then use this to help improve our bug reports to
Apple and hopefully get this fixed quickly.
I have a large number of SSL certificates in my KeyChain. One self-signed
certificate created using the manual procedure described in [1]
and one generated using the foafssl.net certification service.
Here are some of the experiences I had:
1. If I click on the http://foaf.me/entry.php test link I immediately
get a response stating that no certificate was detected. Safari does
not ask me for any certificate either. foaf.me has a very complete
description of how it is set up, which should help the engineers at
Apple duplicate the behavior.
Here are the packets going over the wire captured with Wireshark:
[Attachment: safari3-foaf.me.simpleLogin.pcap (application/octet-stream, 15380 bytes): http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20090621/85ee0fb9/attachment-0004.obj]
I am not yet very good at interpreting these, but I think I don't see
the server asking for a client certificate - though this may well be
encrypted. If you have access to the private key then you can look at
the encrypted packets by using
http://wiki.wireshark.org/SSL
2. With our great Cheese Club at https://ophelia.g5n.co.uk:10443/cheese/
I also do not get a request for a certificate, and I am also not
logged in: the server claiming not to have received a certificate.
Here are the packets going over the wire:
[Attachment: safari3-cheese.club.2.pcap (application/octet-stream, 9992 bytes): http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20090621/85ee0fb9/attachment-0005.obj]
(Because the Cheese Club is not on the default SSL port, it is helpful
to tell Wireshark to interpret the packets as SSL ones. To do this
right click on the packet window, and choose "Decode As..." and select
SSL in the window that pops up).
Here it is clear that the server asks for the client certificate:
packet 6, with protocol TLSv1 and Info "Server Hello, Certificate,
Certificate Request, Server Hello Do", shows that the server requests the
certificate of the client. Inspecting the content of packet 6 confirms
this.
And indeed packet 8 that follows is meant to be a certificate return
packet, except that it does not contain a certificate.
3. To help compare the above with what Firefox produces I decided to
capture the http://foaf.me/entry.php packets. Firefox does ask me for
the certificate. But I can't find out where this certificate is in the
packets log:
[Attachment: firefox-foaf.me.simpleLogin.pcap (application/octet-stream, 24961 bytes): http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20090621/85ee0fb9/attachment-0006.obj]
Perhaps they are in the message content? Any ideas?
4. So to get a clearer idea I also did the same with Firefox 3.5b4 for
the Cheese Club. Firefox also asks me for the certificate, and as seen
in packet 8 below, the certificate is indeed sent over the wire.
[Attachment: firefox-cheese.club.2.pcap (application/octet-stream, 33476 bytes): http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20090621/85ee0fb9/attachment-0007.obj]
So it would be worth understanding in a little more detail what is
happening on foaf.me. Clearly the certificate is sent but in a
different manner. It would help to be able to compare the
foaf.me and the Cheese Club's setups.
Any other comments?
Henry
[1] http://blogs.sun.com/bblfish/entry/foaf_ssl_a_first_implementation
[2] http://test.foaf-ssl.net/cert/
Social Web Architect
Sun Microsystems
Blog: http://blogs.sun.com/bblfish
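The check the captures above are read for, as an added example that is not code from the original post: a small parser for the plaintext TLS 1.0 handshake flights that reports whether the server sent a CertificateRequest and how many certificates the client put into its Certificate message (an empty list is what packet 8 of the Safari capture shows, one certificate is what Firefox sends). It assumes the raw bytes of one direction of the TCP stream have already been extracted; the sample flights (`SERVER_FLIGHT`, `EMPTY_CLIENT_FLIGHT`, `CERT_CLIENT_FLIGHT`) are constructed here, not taken from the attached pcaps.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange"}

def handshake_messages(flight):
    """[(name, body)] for one direction's plaintext handshake messages.
    Records are concatenated first (a message may span records); parsing stops
    at ChangeCipherSpec since everything after it (Finished) is encrypted."""
    buf, off = b"", 0
    while off + 5 <= len(flight):
        ctype, _ver, length = struct.unpack("!BHH", flight[off:off + 5])
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype == HANDSHAKE:
            buf += flight[off + 5:off + 5 + length]
        off += 5 + length
    msgs, pos = [], 0
    while pos + 4 <= len(buf):
        mtype, mlen = buf[pos], int.from_bytes(buf[pos + 1:pos + 4], "big")
        msgs.append((HS_NAMES.get(mtype, "type%d" % mtype), buf[pos + 4:pos + 4 + mlen]))
        pos += 4 + mlen
    return msgs

def server_requested_cert(server_flight):
    return any(name == "CertificateRequest" for name, _ in handshake_messages(server_flight))

def client_cert_count(client_flight):
    """Number of DER certs in the client's Certificate message; None if no such message."""
    for name, body in handshake_messages(client_flight):
        if name == "Certificate":
            total, pos, count = int.from_bytes(body[:3], "big"), 3, 0
            while pos < 3 + total:  # each entry: 3-byte length + DER certificate
                pos += 3 + int.from_bytes(body[pos:pos + 3], "big")
                count += 1
            return count
    return None

# Constructed sample flights (not real captures); the "certificate" is a dummy DER blob.
def _hs(t, body): return bytes([t]) + len(body).to_bytes(3, "big") + body
def _rec(t, payload): return bytes([t, 3, 1]) + len(payload).to_bytes(2, "big") + payload
_CERT_LIST = b"\x00\x00\x05" + b"\x30\x03\x02\x01\x01"
SERVER_FLIGHT = _rec(HANDSHAKE, _hs(2, b"\x03\x01" + bytes(32) + b"\x00\x00\x2f\x00")
                     + _hs(11, len(_CERT_LIST).to_bytes(3, "big") + _CERT_LIST)
                     + _hs(13, b"\x01\x01\x00\x00") + _hs(14, b""))
# Empty certificate list answering the request: what the Safari capture shows
EMPTY_CLIENT_FLIGHT = (_rec(HANDSHAKE, _hs(11, b"\x00\x00\x00") + _hs(16, b"\x00\x02\xab\xcd"))
                       + _rec(CHANGE_CIPHER_SPEC, b"\x01") + _rec(HANDSHAKE, bytes(12)))
# The client sends its certificate: what the Firefox capture shows
CERT_CLIENT_FLIGHT = _rec(HANDSHAKE, _hs(11, len(_CERT_LIST).to_bytes(3, "big") + _CERT_LIST))
```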