Re: CFNetwork SSL error -9844 when user has Spanish government cert
Jim,

The likeliest explanation is that the server in question can accept either a normal SSL connection without a client certificate, or a client certificate issued by a particular set of certificate authorities. When the Spanish certificate is present, it gets (erroneously) used, and the server rejects the connection because it doesn't accept client certificates from that issuer. We have several known bugs in the area of client certificate handling, and this sounds very much like one of them.

If you know that you don't want to do SSL client authentication, examine the kCFStreamSSLCertificates array in the kCFStreamPropertySSLSettings property, and clear it if present. That array contains client certificates, used for authenticating to the server.

One way to test this is to use Certificate Assistant, under the application menu in Keychain Access, to create your own certificate authority (e.g. "Jim's Certificate Authority"), then use it to issue yourself a test certificate (e.g. "Jim Matthews"). Make sure to import your "Jim's Certificate Authority" root to X509Anchors, so it is trusted on your system. With the "Jim Matthews" certificate and private key available in your keychain, connect to the server and see if you get rejected as well. If that's the case, does kCFStreamSSLCertificates contain that certificate?

-ken


On Dec 15, 2006, at 3:05 PM, Jim Matthews wrote:

I have a user who reports a -9844 error (errSSLConnectionRefused) connecting to a certain server, but only when connecting from OS X user accounts that have a certificate issued by the Spanish government in the Keychain.

The CFNetwork code in question is not trying to do SSL client authentication; it is setting the SSL options as follows:

kCFStreamSSLLevel: kCFStreamSocketSecurityLevelNegotiatedSSL
kCFStreamSSLAllowsExpiredCertificates: kCFBooleanTrue
kCFStreamSSLAllowsExpiredRoots: kCFBooleanTrue
kCFStreamSSLValidatesCertificateChain: kCFBooleanFalse
kCFStreamSSLAllowsAnyRoot: kCFBooleanTrue
kCFStreamSSLPeerName: kCFNull
kCFStreamSSLIsServer: kCFBooleanFalse

The cert was obtained from

http://www.cert.fnmt.es/index.php?cha=cit&sec=obtain_cert

The user is running 10.4.8 on Intel hardware.

I haven't been able to figure out why the presence of this cert should affect an SSL client connection (and since I don't have the cert myself, I can't reproduce the problem on my machines).

Any suggestions?

Thanks,
--
Jim Matthews
Fetch Softworks
http://fetchsoftworks.com
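Ken's suggestion above, inspecting the kCFStreamSSLCertificates array inside the stream's kCFStreamPropertySSLSettings dictionary and clearing it when the connection is not meant to do client authentication, as an added CoreFoundation/Objective-C example that is not code from this thread or from CFNetwork; the helper name, host and port are assumptions.

```objective-c
#include <stdio.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CFNetwork/CFNetwork.h>

/* Hypothetical helper, not a CFNetwork API: copy the stream's SSL settings and,
 * if a client-identity array sits under kCFStreamSSLCertificates, write the
 * settings back without it. Returns true when the property was rewritten. */
static Boolean ClearUnwantedClientCerts(CFReadStreamRef stream)
{
    CFDictionaryRef settings =
        (CFDictionaryRef)CFReadStreamCopyProperty(stream, kCFStreamPropertySSLSettings);
    if (settings == NULL)
        return false;                      /* no SSL settings on this stream */

    Boolean rewritten = false;
    CFArrayRef certs = (CFArrayRef)CFDictionaryGetValue(settings, kCFStreamSSLCertificates);
    if (certs != NULL) {
        fprintf(stderr, "kCFStreamSSLCertificates holds %ld entries; clearing\n",
                (long)CFArrayGetCount(certs));
        CFMutableDictionaryRef fixed = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, settings);
        CFDictionaryRemoveValue(fixed, kCFStreamSSLCertificates);  /* drop the client identities */
        rewritten = CFReadStreamSetProperty(stream, kCFStreamPropertySSLSettings, fixed);
        CFRelease(fixed);
    }
    CFRelease(settings);
    return rewritten;
}

int main(void)
{
    CFStringRef host = CFSTR("example.com");          /* assumed host and port */
    CFReadStreamRef rs = NULL; CFWriteStreamRef ws = NULL;
    CFStreamCreatePairWithSocketToHost(kCFAllocatorDefault, host, 443, &rs, &ws);
    /* Server-authenticated TLS only: negotiated level and the expected peer
     * name, and deliberately no kCFStreamSSLCertificates key. */
    const void *keys[]   = { kCFStreamSSLLevel, kCFStreamSSLPeerName };
    const void *values[] = { kCFStreamSocketSecurityLevelNegotiatedSSL, host };
    CFDictionaryRef ssl = CFDictionaryCreate(kCFAllocatorDefault, keys, values, 2,
                                             &kCFTypeDictionaryKeyCallBacks,
                                             &kCFTypeDictionaryValueCallBacks);
    CFReadStreamSetProperty(rs, kCFStreamPropertySSLSettings, ssl);
    CFRelease(ssl);
    /* Last check before opening: if any code path attached identities, remove them. */
    if (ClearUnwantedClientCerts(rs))
        fprintf(stderr, "cleared stray client certificates before open\n");
    if (CFReadStreamOpen(rs)) { /* ... exchange data ... */ CFReadStreamClose(rs); }
    CFRelease(rs); CFRelease(ws);
    return 0;
}
```

Run the check against a stream created in the affected user's account: if the helper reports an entry even though the code never set kCFStreamSSLCertificates, that is the identity being picked up automatically, which matches the bug Ken describes.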