Re: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
- Subject: Re: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
- From: Drew <email@hidden>
- Date: Thu, 18 Dec 2008 21:24:07 -1000
- Thread-topic: [Fed-Talk] Clarification on Safari/Certs change with Mac OS X10.5.3 and beyond
I concur with Debbie. I'm running Leopard 10.5.6 on a Macbook using a SCR
331 reader. I just updated Safari to version 3.2.1 and had not been able to
access Navy NMCI OWA in the past since the 10.5.3 update was pushed. Now I
can with no problem using Safari (no joy with Firefox). Here's what I did:
1) I went into the keychain and deleted all CAC associated identity
preferences in the LOGIN keychain.
2) I then went to my CAC keychain (with CAC installed in my CAC Reader) and
selected the 1st DOD EMAIL CA certificate (2nd certificate listed on my
CAC). CTRL-click on that certificate, select Get Info.
3) Verified that the certificate had Key Usage of Digital Signature,
Non-Repudiation (not Key Encipherment) and an Extended Key Usage of
Smartcard Logon, Email Protection, and Client Authentication.
4) CTRL-Click same cert and selected New Identity Preference. Pasted the
correct URL for NMCI OWA, and clicked add. (My URL is
https://webmail.west.nmci.navy.mil/)
5) Repeated step 4, adding "exchange/" to the end of the URL.
6) QUIT Safari, restarted and went to the NMCI OWA URL listed
above.....voila! I'm prompted for my PIN and get right into webmail.
Background: I had already updated my SCR 331 to firmware 5.25 IAW "CAC for
a MAC V1.2.doc". I had given up on OWA on my new Mac and had "violated" my
MAC by running Windows XP via BOOTCAMP. Now I no longer have to reboot on
"that other OS" every time I want to OWA in.
I recommend that those having trouble verify CAC reader firmware, delete all
old keychains and start anew with their keychain. BTW, I missed step 5
above the first time and it didn't work (of course).
Best of luck and Happy Holidays!
Aloha,
Drew Peters
Kaneohe, HI
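As an added example (not from Drew's post or from Apple), steps 4 and 5 above can be scripted from Terminal with the macOS `security` tool instead of Keychain Access. It assumes `security set-identity-preference` / `get-identity-preference` are available on your release, and that the CN argument is the Common Name shown in Keychain Access for the DOD EMAIL CA signature certificate on the CAC.

```shell
#!/bin/sh
# Added example: creates the two identity-preference items that Safari
# 10.5.3+ needs for OWA (base URL and base URL + "exchange/").
# Assumption: `security set-identity-preference` and
# `security get-identity-preference` exist on this macOS release.

# Derive the two service URLs from an OWA base URL. The trailing slash is
# normalised so "exchange/" appends cleanly; missing the second URL is the
# step that is easy to overlook.
owa_pref_urls() {
    base="$1"
    case "$base" in
        */) ;;                  # already ends with a slash
        *)  base="$base/" ;;    # add one
    esac
    printf '%s\n%s\n' "$base" "${base}exchange/"
}

# Create (or replace) the identity preference for each URL, binding it to
# the certificate with the given Common Name, then read each one back.
set_owa_identity_prefs() {
    cert_cn="$1"; base_url="$2"
    for url in $(owa_pref_urls "$base_url"); do
        security set-identity-preference -s "$url" -c "$cert_cn" || return 1
        # -c prints the certificate now preferred for this service
        security get-identity-preference -s "$url" -c || return 1
    done
}

# Usage (constructed values; the CN must match your own CAC certificate):
# set_owa_identity_prefs "LAST.FIRST.M.1234567890" "https://webmail.west.nmci.navy.mil"
```

Quit and relaunch Safari afterwards, as in step 6, so the new preference items are picked up.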
On 12/18/08 3:34 PM, "Debby Clark" <email@hidden> wrote:
> This is my first post.
>
> I have a Macbook Air and an iMac, both running Leopard. I had
> recently noticed that when Leopard went to 10.5.3, I could no longer
> do OWA. However, then I found the new instructions about upgrading
> the firmware on the SMC 331 and adjusting the keychains IAW the "CAC
> for a MAC V1.2" doc. Both now do OWA with Safari. I'm a Mac user at
> home because I need to get away from NMCI and PC garbage daily. :)
> So, I'm not an expert, but I just followed those instructions and they
> worked for me. I plug the card reader in, put the card in, launch
> Safari, and go to OWA, it asks for my pin, I put it in, and it
> works. So, I would say, check again. I was so grateful to get those
> instructions!
>
> thanks!
> Debby Clark
> China Lake, CA
>
>
> On Dec 18, 2008, at 7:39 AM, Zinnato, Ronald NAVAIR wrote:
>
>> I've piped in occasionally on this, but this is getting ridiculous.
>> I am not a security expert, and I don't understand most of what gets
>> discussed on this list. All I know is this:
>>
>> Under Tiger, I plug in my CAC reader (an SMC 331), go to Safari,
>> type in the URL for OWA, type in my PIN, and it works. Yes, I did
>> have to update the firmware on the reader... at least that much I
>> understand.
>>
>> Under Leopard, it doesn't work. I updated the firmware to 5.25, and
>> it still doesn't work. And from reading this list, I know I am not
>> the only one having problems. Many, MANY of you have been having
>> problems. And these people know a whole lot more about this stuff
>> than I do.
>>
>> If it were just confined to this community, that might be one
>> thing. But I know a few people with whom I work who have just given
>> up trying to use their mac with their CAC to access OWA. They all
>> say the same thing... "It USED to work, now it doesn't". These
>> people don't know enough to run commands in the terminal, or edit
>> files buried deep within the OS. The reason they bought a mac in
>> the first place is because things are supposed to just work. And
>> it's REALLY frustrating when something used to "just work", and now
>> it doesn't.
>>
>> My wife will probably never upgrade to Leopard or beyond because of
>> this. And I am reduced to booting into Tiger off of a USB drive
>> every time I want to work from home.
>>
>> The funny thing is, I know several people who own PC laptops, and
>> they have had no such problems.
>>
>>
>> -----Original Message-----
>> From: Shawn A. Geddis [mailto:email@hidden]
>> Sent: Wed 12/17/2008 4:16 PM
>> To: Fed Talk
>> Subject: [Fed-Talk] Clarification on Safari/Certs change with Mac OS
>> X10.5.3 and beyond
>>
>> Fed-Talk folks unhappy with 10.5.3+/Safari/Cert scenario.....
>>
>> I am quite aware that many of you are unhappy with the 10.5.3+/Safari/
>> Cert scenario, and the first point made by just about everyone is
>> "yeah, but it worked in 10.5.2 and before".
>>
>> Some may consider the following helpful and informative and others may
>> toss it aside as adding to their frustration because it doesn't do
>> what their favorite third-party product does. I hope it does help you
>> all at least understand the situation.
>>
>> Background:
>>
>> Mac OS X 10.5.2 and earlier behavior:
>> Safari 3 automatically sends the first available client certificate in
>> your keychain to the website.
>>
>> Many of you liked that process, but it was ultimately deemed to be a
>> potential vulnerability:
>>
>> CVE-2008-1580
>> http://web.nvd.nist.gov/view/vuln/search?execution=e1s2
>>
>> CVE-2008-1580
>> TA08-150A
>> Summary: CFNetwork in Safari in Apple Mac OS X before 10.5.3
>> automatically sends an SSL client certificate in response to a web
>> server's certificate request, which allows remote web sites to obtain
>> sensitive information (Subject data) from personally identifiable
>> certificates, and use arbitrary certificates to track user activities
>> across domains, a related issue to CVE-2007-4879.
>> Published: 06/02/2008
>> CVSS Severity: 4.3 (MEDIUM)
>>
>>
>> Addressing the CVE
>> Apple addressed this in the Security Update 2008-003 / Mac OS X
>> v10.5.3....
>>
>> Security Update 2008-003 / Mac OS X v10.5.3
>> http://support.apple.com/kb/HT1897
>>
>> CFNetwork
>> CVE-ID: CVE-2008-1580
>> Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X
>> v10.5 through v10.5.2, Mac OS X Server v10.5 through v10.5.2
>> Impact: Visiting a maliciously crafted website may lead to the
>> disclosure of sensitive information
>> Description: An information disclosure issue exists in Safari's SSL
>> client certificate handling. When a web server issues a client
>> certificate request, the first client certificate found in the
>> keychain is automatically sent, which may lead to the disclosure of
>> the information contained in the certificate. This update addresses
>> the issue by prompting the user before sending the certificate.
>>
>>
>>
>> Client Certificate Authentication
>>
>> Safari, Mac OS X 10.5.3: Changes in client certificate authentication
>> http://support.apple.com/kb/HT1679
>>
>> Mac OS X 10.5.3 and later behavior: No client certificate is sent
>> until you have the opportunity to select the appropriate one to use
>> for that site. You will be prompted by Safari 3 to select a client
>> certificate at the point where the server requests client
>> authentication. After selecting a client certificate, the decision is
>> remembered in your keychain as an "identity preference item", and you
>> will not be prompted again when returning to the same site.
>> Note: Safari may not prompt you to select a client certificate if a
>> server is configured to optionally accept (rather than require) client
>> authentication. In this case you can force a particular client
>> certificate to be sent by creating an identity preference item for
>> that server.
>>
>>
>> Moving Forward
>> Apple resolved the identified CVE, but there still remains some ways
>> we can and are working to improve this process for everyone and not
>> just for those using a CAC within DoD.
>>
>>
>> Suggested workaround to make your life easier
>> I am suggesting the following as something that DoD folks can do right
>> now to mitigate the impact of this until a seamless solution is
>> integrated into a future release of Mac OS X / Safari.
>>
>>
>> If you or a colleague is involved with the management of any of the
>> Web Servers that are posing a challenge to users, I would like to
>> suggest a very simple step you can take to make things "Just Work"
>> right now no matter what platform you are using. I understand that
>> this is one more step, but a single step without requiring each user
>> to make an adjustment.
>>
>> Create a Virtual Host on the Server which both points to the original
>> directory as well as requires Client X.509 Certs for authentication.
>> This would work for everyone and allow for separation of PKI /
>> Password based authentication access to content -- even simplifying
>> the ultimate transition.
>>
>> There is precedence for this of course, consider
>>
>> https://www.us.army.mil/
>> and..
>> https://akocac.us.army.mil/
>>
>> - Shawn
>> _____________________________________________________
>> Shawn Geddis | Security Consulting Engineer | Apple Enterprise
>>
>>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden