[foaf-protocols] Safari 4.01 (5530.18) ssl bugs

Story Henry henry.story at bblfish.net
Wed Jun 24 00:13:04 CEST 2009

Thanks for this very helpful extra piece of Information Joe.

On 23 Jun 2009, at 22:38, Joe Presbrey wrote:

> I have the same experience with foaf.me login but just tested
> presbrey.xvm.mit.edu with success.  See if your Safari will allow you
> access to https://presbrey.xvm.mit.edu/

That does indeed work for Safari 4.01 for me.
Safari gives me a nice list of certificates to choose from.

I tried getting a trace of the packets in pcap format between Safari  
and presbrey.xvm.mit.edu, but I have not yet been able to get Safari  
to ask me again for the certificate. It seems to keep using the same  
certificate automatically. I will try again tomorrow, and see if it  
asks me again. (note to Apple and other browser builders: it would be  
really cool to add a way to break the SSL connection from the browser)

Oops, wait. When I try to access a different resource it asks me for  
the certificate again. Here is the packet trace for https://presbrey.xvm.mit.edu/.meta.n3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: presbrey_safari4_metan3.pcap
Type: application/octet-stream
Size: 4224 bytes
Desc: not available
Url : http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20090624/f6511628/attachment.obj 
-------------- next part --------------

It also works for the iPhone 3.0 os, but the iPhone then asks me 3  
times in succession which certificate I want to use. I select the same  
3 times, then it gives me the directory listing of which this is a trace

-------------- next part --------------
A non-text attachment was scrubbed...
Name: presbrey-iphone3.pcap
Type: application/octet-stream
Size: 2124 bytes
Desc: not available
Url : http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20090624/f6511628/attachment-0001.obj 
-------------- next part --------------

(best read with Wireshark)

> If it does, you may want to consider the following patch:
> http://dig.csail.mit.edu/2009/mod_ssl-require_no_ca/mod_ssl-2.2.11-require_no_ca.patch
> which allows you to specify:
> SSLVerifyClient require_no_ca

I suppose we need a real SSL specialist here to tell us whether this  
then is now to be thought of as a workaround for the Apple bug, or if  
the above is a fix for an SSL problem in the existing server stacks.

And is the iPhone behavior then a bug, or is the above a remaining bug  
in the SSL server stack.

Also how does one get the same behavior in Tomcat, or other Java web  

Is there some documentation for this patch?

> This is how I have presbrey.xvm.mit.edu setup.

Thanks for that very helpful feedback.

> --
> Joe Presbrey
> On Sun, Jun 21, 2009 at 3:38 PM, Story  
> Henry<henry.story at bblfish.net> wrote:
>> After a number of upgrades, I recently ended up with Safari 4.01 on  
>> my OSX
>> leopard 10.5.7 laptop. Again it seems to me that the implementation  
>> of SSL
>> has not improved in this release, which again is a pitty given that  
>> user
>> friendliness of the OS on the whole. These failures do make evident  
>> the
>> usefulness of the OpenId hack, as a fallback position for broken  
>> browsers.
>> It would be very helpful to get some feedback from others on this  
>> list to
>> verify that this does indeed show up a bug in Safari rather than  
>> our code.
>> We can then use this to help improve our bug reports to Apple and  
>> hopefully
>> get this fixed quickly.
>> [snip]

More information about the foaf-protocols mailing list