[foaf-protocols] Safari 4.01 (5530.18) ssl bugs

Joe Presbrey presbrey at gmail.com
Tue Jun 23 22:38:16 CEST 2009


I have the same experience with foaf.me login but just tested
presbrey.xvm.mit.edu with success.  See if your Safari will allow you
access to https://presbrey.xvm.mit.edu/

If it does, you may want to consider the following patch:
http://dig.csail.mit.edu/2009/mod_ssl-require_no_ca/mod_ssl-2.2.11-require_no_ca.patch

which allows you to specify:
SSLVerifyClient require_no_ca

This is how I have presbrey.xvm.mit.edu setup.

--
Joe Presbrey


On Sun, Jun 21, 2009 at 3:38 PM, Story Henry <henry.story at bblfish.net> wrote:
> After a number of upgrades, I recently ended up with Safari 4.01 on my OSX
> Leopard 10.5.7 laptop. Again it seems to me that the implementation of SSL
> has not improved in this release, which again is a pity given the user
> friendliness of the OS on the whole. These failures do make evident the
> usefulness of the OpenId hack, as a fallback position for broken browsers.
>
> It would be very helpful to get some feedback from others on this list to
> verify that this does indeed show up a bug in Safari rather than our code.
> We can then use this to help improve our bug reports to Apple and hopefully
> get this fixed quickly.
>
> I have a large number of SSL certificates in my KeyChain. One self signed
> certificate created using the manual procedure described in [1] and one
> generated using the foafssl.net certification service.
>
> Here are some of the experiments I did:
>
> 1. If I click on the http://foaf.me/entry.php test link I immediately get a
> response stating that no certificate was detected. Safari does not ask me
> for any certificate either. foaf.me has a very complete description of how
> it is set up, which should help the engineers at Apple duplicate the
> behavior.
>
> Here are the packets going over the wire captured with Wireshark
>
>
>
>
>
> I am not yet very good at interpreting these, but I think I don't see the
> server asking for a client certificate - though this may well be encrypted.
> If you have access to the private key then you can look at the encrypted
> packets by using
>  http://wiki.wireshark.org/SSL
>
> 2. With our great Cheese Club at https://ophelia.g5n.co.uk:10443/cheese/
> I also do not get a request for a certificate, and I am also not logged in:
> the server claiming not to have received a certificate.
>
> Here are the packets going over the wire:
>
>
>
>
>
> (Because the Cheese Club is not on the default SSL port, it is helpful to
> tell Wireshark to interpret the packets as SSL ones. To do this right click
> on the packet window, and choose "Decode As..." and select SSL in the window
> that pops up).
>
> Here it is clear that the server asks for the client certificate: packet 6,
> with protocol TLSv1 and Info "Server Hello, Certificate, Certificate
> Request, Server Hello Done", is where the server requests the certificate
> of the client. Inspecting the content of packet 6 confirms this.
>
> And indeed packet 8 that follows is meant to be a certificate return packet.
> Except that it does not contain a certificate.
>
> 3. To help compare the above with what Firefox produces I decided to capture
> the http://foaf.me/entry.php packets. Firefox does ask me for the
> certificate. But I can't find out where this certificate is in the packets
> log:
>
>
>
>
>
> Perhaps they are in the message content? Any ideas?
>
> 4. So to get a clearer idea I also did the same with Firefox 3.5b4 for the
> Cheese Club, Firefox also asks me for the certificate, and as seen in packet
> 8 below, the certificate is indeed sent over the wire
>
>
>
>
>
>
>
> So it would be worth understanding in a little more detail what is happening
> on foaf.me. Clearly the certificate is sent but in a different manner. It
> would help to be able to compare the foaf.me and the Cheese Club
> setups.
>
> Any other comments?
>
>        Henry
>
>
> [1] http://blogs.sun.com/bblfish/entry/foaf_ssl_a_first_implementation
> [2] http://test.foaf-ssl.net/cert/
>
>
>
>
> Social Web Architect
> Sun Microsystems
> Blog: http://blogs.sun.com/bblfish
>
>
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>
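The packet reading in Henry's points 2 and 4 above can be automated. The following script is an added example, not code from the thread or from any of the projects mentioned: it decodes the plaintext TLS 1.0 handshake records of a capture and reports whether the server sent a Certificate Request and whether the client's Certificate message actually carried a certificate, which is exactly the difference between the Safari and Firefox captures described. The byte strings at the bottom are constructed stand-ins with the shape of packets 6 and 8, not the original Wireshark dumps; the handshake layout (5-byte record header, 1-byte type plus 3-byte length per message, 3-byte length prefixes in the certificate list) is the one defined in RFC 2246. Anything after ChangeCipherSpec is encrypted and is skipped, which also explains why a certificate sent inside a renegotiated handshake (point 3) does not show up in a plain capture.

```python
"""Added example, not code from the thread: decode the plaintext TLS 1.0
handshake records in a capture and answer the two questions raised above,
whether the server sent a Certificate Request and whether the client's
Certificate message actually carried a certificate.  The byte strings at the
bottom are constructed stand-ins for packets 6 and 8, not the original
Wireshark dumps.  Records after ChangeCipherSpec are encrypted and skipped,
so a certificate sent inside a renegotiation would be invisible here too."""
import struct

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_NAMES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
                   12: "Server Key Exchange", 13: "Certificate Request",
                   14: "Server Hello Done", 15: "Certificate Verify",
                   16: "Client Key Exchange", 20: "Finished"}


def iter_records(data):
    """Yield (content_type, body) for each TLS record (5-byte header)."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, body
        off += 5 + length


def iter_handshake_messages(record_body):
    """Yield (type, body) for each 1-byte-type / 3-byte-length message."""
    off = 0
    while off + 4 <= len(record_body):
        htype = record_body[off]
        length = int.from_bytes(record_body[off + 1:off + 4], "big")
        body = record_body[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield htype, body
        off += 4 + length


def certificate_entries(cert_body):
    """Split a Certificate message body into its DER blobs; [] when empty."""
    total, entries, off = int.from_bytes(cert_body[:3], "big"), [], 3
    while off < 3 + total:
        n = int.from_bytes(cert_body[off:off + 3], "big")
        entries.append(cert_body[off + 3:off + 3 + n])
        off += 3 + n
    return entries


def summarize(data):
    """Return handshake message names (Wireshark "Info" style) and the
    number of certificates carried in Certificate messages."""
    names, cert_count = [], 0
    for ctype, body in iter_records(data):
        if ctype != CONTENT_HANDSHAKE:
            continue  # ChangeCipherSpec, alerts, encrypted records
        for htype, hbody in iter_handshake_messages(body):
            names.append(HANDSHAKE_NAMES.get(htype, "type %d" % htype))
            if htype == 11:
                cert_count += len(certificate_entries(hbody))
    return names, cert_count


def diagnose(server_flight, client_flight):
    """Compare the server's flight with the client's answer to it."""
    server_msgs, _ = summarize(server_flight)
    client_msgs, client_certs = summarize(client_flight)
    requested = "Certificate Request" in server_msgs
    if not requested:
        verdict = "server never asked for a client certificate"
    elif client_certs == 0:
        verdict = "client answered with an empty Certificate message"
    else:
        verdict = "client certificate sent in the clear"
    return {"server_requested_cert": requested,
            "client_sent_certificate_msg": "Certificate" in client_msgs,
            "client_cert_count": client_certs, "verdict": verdict}


# ---- constructed sample flights (not the original captures) --------------
def hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def record(*messages):
    body = b"".join(messages)
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(body)) + body

def cert_message(*ders):
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    return hs(11, len(entries).to_bytes(3, "big") + entries)

FAKE_DER = b"\x30\x82\x01\x00" + b"\xaa" * 256    # placeholder, not a real cert
SERVER_HELLO = hs(2, b"\x03\x01" + b"\x11" * 32 + b"\x00\x00\x2f\x00")
CERT_REQUEST = hs(13, b"\x01\x01\x00\x00")         # rsa_sign, no CA names
SERVER_FLIGHT = record(SERVER_HELLO, cert_message(FAKE_DER), CERT_REQUEST,
                       hs(14, b""))                # shape of "packet 6"
SAFARI_LIKE = record(cert_message(), hs(16, b"\x00\x02\xab\xcd"))
FIREFOX_LIKE = record(cert_message(FAKE_DER), hs(16, b"\x00\x02\xab\xcd"))

if __name__ == "__main__":
    for flight in (SAFARI_LIKE, FIREFOX_LIKE):
        print(diagnose(SERVER_FLIGHT, flight)["verdict"])
```

To use it on a real capture, feed the raw TCP payload of the server's flight and of the client's reply (for example exported from Wireshark with "Follow TCP Stream", or with the port decoded as SSL as described above for the Cheese Club) to diagnose(). An empty Certificate message is a legal answer to a Certificate Request, so a server configured to require a certificate will close the connection or report "no certificate" after it, which matches what Safari produced.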

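Joe's patch adds a `require_no_ca` mode to mod_ssl. Stock Apache 2.2 already ships the weaker `optional_no_ca`, which is what most FOAF+SSL deployments use; the configuration below is an added example (not Joe's or foaf.me's configuration, and the host name and file paths are assumed) showing that mode together with the options that hand the certificate to the application. The important caveat for either mode is that mod_ssl does not check the certificate against any CA: accepting the connection proves only that the client holds the private key for the certificate it sent, so the application must still fetch the WebID named in the certificate and compare the public key, and with `optional_no_ca` it must also check SSL_CLIENT_VERIFY because a client that sends no certificate at all is still let in.

```apache
<VirtualHost *:443>
    # Assumed host name and paths, not from the thread.
    ServerName webid.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webid.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/webid.example.org.key

    # Send a Certificate Request on every handshake but do not reject
    # self-signed client certificates.  With no SSLCACertificateFile the
    # CA-name list in the request is empty, which is what you want for
    # self-signed FOAF+SSL certificates.  Unlike the patched require_no_ca,
    # a client that presents nothing is NOT refused here.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  1

    # Export the PEM certificate as SSL_CLIENT_CERT and the outcome as
    # SSL_CLIENT_VERIFY: "NONE" when no certificate arrived, "GENEROUS"
    # when one arrived but was not validated against a CA.  The application
    # must treat anything other than a WebID it has verified itself as
    # anonymous.
    SSLOptions +ExportCertData +StdEnvVars
</VirtualHost>
```

Keep `SSLVerifyClient` at virtual-host level as above. If it is set only inside a `<Location>` or `<Directory>` block, mod_ssl completes the first handshake without asking for a certificate and then renegotiates once it sees a request for that path, so the client's Certificate message travels inside the encrypted renegotiation. That is one plausible reason the Firefox capture against foaf.me showed no certificate in the clear while the Cheese Club capture did; only comparing the two servers' configurations, as suggested above, would confirm it.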
