Re: 10.5.3 breaks client certs in Safari

On Jun 11, 2008, at 7:09 AM, David E. Gelhar wrote:

> What they didn't announce, is that on sites that accept (but do not require) SSL
> client certs the user is never given an opportunity to select a cert, and no cert
> is ever sent. Apparently the "pick a certificate" mechanism is activated only
> when the server returns an error.
>
> This means it is now *impossible* to have a web site use SSL client certificates
> as an optional authentication mechanism (use the certificate if present, fall
> back to name/password otherwise).

It's not "impossible," just inconvenient since it requires a manual configuration step for Safari users to specify the client certificate if providing one is optional. You could publish instructions to configure an identity preference for your site. Presumably this would just be an addition to whatever instructions you currently have for users to install a client certificate.

> And no, manually setting an identity preference is not a viable workaround:
>
> 1) The pref matching uses the complete URL, not just the hostname, so manually
> configuring them for a large site is completely infeasible

Definitely a problem in 10.5.3, yes. This has since been fixed so that an identity preference for a partial URL (e.g. ) will work for any equal or longer path on that server. Expect this (and a related fix for smartcard users) soon.

> 2) Even if that weren't the case, asking a 90-year-old Nobel prize winner (as
> a colleague from MIT put it) to launch Keychain Access and manually type in URLs
> (with no feedback on error!) is pretty much a non-starter

I'm curious how you would ask a 90-year-old Nobel prize winner to install a client certificate (in either Firefox or Keychain Access) in the first place? That process also seems like a "non-starter" if your criterion is to avoid any end-user configuration. Wouldn't they have someone (or a script) to set up their computer for them? You have a name/password login fallback, so presumably they don't have to set up anything in order to access your site if they provide their password (unless the client certificate provides more access than the password does?)

We know that having to manually set up an identity preference in Keychain Access for "optional" client authentication sites is a workaround, and having Safari prompt for a client certificate in both the "optional" and "required" cases is the zero-conf behavior we all want. But given the fix coming for (1), I don't think this workaround will be impossible to support.

I can certainly appreciate that "use Firefox" may be an expedient solution for you at this point in time. We *are* trying to get to the point where Safari will behave the same way, regardless of whether client certificate authentication is required or optional. Adding support for prompting in the former case for 10.5.3 was a first step; the second step still needs to be taken.

(Technically, Safari has a very different architecture from Firefox. It knows nothing whatsoever about SSL/TLS or how the handshake is conducted. Safari is built on top of WebKit, which is built on top of Foundation, which is built on top of CFNetwork, which is built on top of Security, which contains the Secure Transport layer functions that implement SSL. Each of those layers communicates only via the API functions it exports. In order for prompting to be supported in the "optional" client certificate case, all of those layers have to change in order to bubble the certificate request back up to Safari and have it prompt in the middle of the handshake. That's in the works; it just hasn't happened yet.)


p.s. if this (or any other) problem is affecting you and your organization, *please* file bugs to let us know. Don't be discouraged if your bug report gets closed as a duplicate; the more duplicate reports there are, the higher the original bug's priority becomes.

> Has anybody else run into this problem? Any brilliant ideas on working around
> it? (other than "install Firefox")
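The distinction the thread turns on is what the server does when the client answers a CertificateRequest with an empty Certificate message. Under an "optional" policy (Apache's SSLVerifyClient optional) the server simply continues and the handshake succeeds with no certificate, so a browser that only prompts when the handshake fails never gets its trigger; under a "required" policy the server sends an alert, which is the error that 10.5.3 reacts to. The following Go program is an added example, not code from this thread or from Apple: it stands up a throwaway loopback TLS 1.2 server with Go's crypto/tls in each policy and runs a client with and without a configured identity, then reports what each side saw. The certificate names ("localhost", "alice"), the self-signed demo identities and the use of Go's tls.ClientAuthType constants as stand-ins for the Apache directives are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome is what one loopback handshake attempt looked like from both ends.
type Outcome struct {
	ServerErr    error // non-nil when the server aborted the handshake
	ClientErr    error // non-nil when the client saw the server's alert
	CertsOffered int   // client certificates the server actually received
}

// newIdentity mints a throwaway self-signed certificate for the demo (a hypothetical
// identity, not a real CA). Being self-signed, it doubles as the peer's trust anchor.
func newIdentity(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Handshake runs one TLS 1.2 handshake over loopback. policy is the server's client-auth
// setting (tls.VerifyClientCertIfGiven stands in for "SSLVerifyClient optional",
// tls.RequireAndVerifyClientCert for "SSLVerifyClient require"); clientOffersCert says
// whether the client has an identity configured for this server at all.
func Handshake(policy tls.ClientAuthType, clientOffersCert bool) (Outcome, error) {
	serverID, serverLeaf, err := newIdentity("localhost")
	if err != nil {
		return Outcome{}, err
	}
	clientID, clientLeaf, err := newIdentity("alice")
	if err != nil {
		return Outcome{}, err
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(clientLeaf)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverID},
		ClientAuth:             policy,
		ClientCAs:              clientCAs,
		MinVersion:             tls.VersionTLS12,
		MaxVersion:             tls.VersionTLS12, // the message flow the 2008 thread is about
		SessionTicketsDisabled: true,
	}
	roots := x509.NewCertPool()
	roots.AddCert(serverLeaf)
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if clientOffersCert {
		clientCfg.Certificates = []tls.Certificate{clientID} // the "identity preference" case
	}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()

	type serverResult struct {
		err   error
		certs int
	}
	results := make(chan serverResult, 1)
	release := make(chan struct{}) // keep the server socket open until the client has read any alert
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			results <- serverResult{err: err}
			return
		}
		defer conn.Close()
		srv := tls.Server(conn, serverCfg)
		err = srv.Handshake()
		results <- serverResult{err: err, certs: len(srv.ConnectionState().PeerCertificates)}
		<-release
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return Outcome{}, err
	}
	defer raw.Close()
	clientErr := tls.Client(raw, clientCfg).Handshake()
	res := <-results
	close(release)
	return Outcome{ServerErr: res.err, ClientErr: clientErr, CertsOffered: res.certs}, nil
}

func main() {
	for _, c := range []struct {
		label  string
		policy tls.ClientAuthType
		offer  bool
	}{
		{"optional, no cert configured", tls.VerifyClientCertIfGiven, false},
		{"optional, cert configured", tls.VerifyClientCertIfGiven, true},
		{"required, no cert configured", tls.RequireAndVerifyClientCert, false},
		{"required, cert configured", tls.RequireAndVerifyClientCert, true},
	} {
		o, err := Handshake(c.policy, c.offer)
		if err != nil {
			fmt.Println(c.label, "setup failed:", err)
			continue
		}
		fmt.Printf("%-30s server error=%v  client certs seen=%d\n", c.label, o.ServerErr, o.CertsOffered)
	}
}
```

The "optional, no cert configured" row is the case David describes: no error from either side and zero certificates seen, so nothing distinguishes it, at the server, from an anonymous visit. Only the "required, no cert configured" row produces the alert that a prompt-on-failure client can react to. Moving a site from "optional" to "required" therefore trades the silent fallback for a guaranteed prompt, and is the server-side knob to reach for if the password fallback can be dropped.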

_______________________________________________ Do not post admin requests to the list. They will be ignored. Apple-cdsa mailing list (email@hidden) Help/Unsubscribe/Update your Subscription: This email sent to email@hidden