RE: [Fed-Talk] CAC SSL error
- Subject: RE: [Fed-Talk] CAC SSL error
- From: "Arendt Christopher D 1st Lt AFIT/ENS" <email@hidden>
- Date: Tue, 10 Feb 2009 05:02:40 -0500
- Thread-topic: [Fed-Talk] CAC SSL error
Unfortunately, enabling the Trust Path made no difference. I'm still getting the same errors and messages (reproduced below):
Does anybody have any idea what the error messages mean?
Safari error message:
Safari can't open the page "<URL here>" because it couldn't establish a secure connection to the server "<server address here>".
Console log:
Jan 30 11:51:04 christopher-arendts-macbook-pro /Applications/Safari.app/Contents/MacOS/Safari[141]: preferred identity: "LAST.FIRST.MIDDLE.1234567890" found for "<URL here>"
Jan 30 11:51:04 christopher-arendts-macbook-pro /Applications/Safari.app/Contents/MacOS/Safari[141]: lookup complete; will use: "LAST.FIRST.MIDDLE.1234567890" for "<URL here>"
Jan 30 11:51:04 christopher-arendts-macbook-pro securityd[19]: securityd(19,0xa035e720) malloc: *** error for object 0x358000: pointer being freed was not allocated\n*** set a breakpoint in malloc_error_break to debug
Jan 30 11:51:04 christopher-arendts-macbook-pro com.apple.SecurityServer[19]: securityd(19,0xa035e720) malloc: *** error for object 0x358000: pointer being freed was not allocated
Jan 30 11:51:04 christopher-arendts-macbook-pro com.apple.SecurityServer[19]: *** set a breakpoint in malloc_error_break to debug
-----Original Message-----
From: Miller, Timothy J. [mailto:email@hidden]
Sent: Friday, January 30, 2009 9:42 AM
To: Arendt Christopher D 1st Lt AFIT/ENS; email@hidden
Subject: Re: [Fed-Talk] CAC SSL error
On 1/29/09 11:57 PM, "Arendt Christopher D 1st Lt AFIT/ENS"
<email@hidden> wrote:
> When I try to visit the address, Safari shows the server certificate, says it
> can't verify the identity of the server and asks if I still want to continue.
Yes, but does it say why? You may have gaps in your trust chain; there are
new DoD CAs (19 & 20) online that Apple may not have pushed yet. You can
install these yourself.
> I click "continue" and I'm prompted for my PIN.
>
> But when I enter the PIN, the reader light flashes a few times, then Safari
> says it couldn't establish a secure connection to the server.
What we need to know is the actual error. Does anything show up in the log
(run Console)?
-- Tim
-----Original Message-----
From: Shawn A. Geddis [mailto:email@hidden]
Sent: Fri 1/30/2009 10:23 AM
To: Arendt Christopher D 1st Lt AFIT/ENS
Cc: Fed Talk; Timothy J Miller
Subject: Re: [Fed-Talk] CAC SSL error
On Jan 30, 2009, at 9:41 AM, Miller, Timothy J. wrote:
> On 1/29/09 11:57 PM, "Arendt Christopher D 1st Lt AFIT/ENS"
> <email@hidden> wrote:
>> When I try to visit the address, Safari shows the server
>> certificate, says it
>> can't verify the identity of the server and asks if I still want to
>> continue.
>
> Yes, but does it say why? You may have gaps in your trust chain;
> there are
> new DoD CAs (19 & 20) online that Apple may not have pushed yet.
> You can
> install these yourself.
Apple includes all of the DoD intermediates all the way up to and
including CA-20
Add the following Keychain in Keychain Access
via Keyboard: <shift><command><A>
via Menu: File > Add Keychain...
Select the following file:
/System/Library/Keychains/SystemCACertificates.keychain
>> I click "continue" and I'm prompted for my PIN.
>>
>> But when I enter the PIN, the reader light flashes a few times,
>> then Safari
>> says it couldn't establish a secure connection to the server.
Enabling the Trust Path (via enabling the pre-populated keychain
containing DoD Intermediates) as noted above should correct your
problem, but you can also specifically Trust a Certificate (Leaf,
Intermediate, Root) even though you may not have the complete chain
locally available. This is a reference to the ability to define the
"Trust Anchor" at the point of desire/choice.
- Shawn
________________________________________
Shawn Geddis T (703) 264-5103
Security Consulting Engineer C (703) 623-9329
Apple Enterprise Division email@hidden
11921 Freedom Drive, Suite 600, Reston VA 20190-5634
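
Added example, not part of the original thread and not Apple's code: a simplified Python model of chain building that illustrates the two points raised in the thread, a missing intermediate leaving a gap in the trust chain, and a trust anchor set at an intermediate or leaf instead of the root. It matches certificates by subject/issuer name only (no signature, validity or revocation checks), and every certificate name in it is constructed.

```python
# Simplified model of certificate path building: names only, no signature,
# validity or revocation checks. All certificates below are constructed.
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

# Constructed three-level hierarchy; the names are placeholders, not real CAs.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
SERVER = Cert("server.example.test", "Example Intermediate CA")

def build_path(leaf, available, anchors, max_depth=8):
    """Walk issuer links from leaf until a trust anchor is reached.

    available: certificates present locally (e.g. in the searched keychains).
    anchors:   subjects explicitly trusted; a path may stop at any of them.
    Returns (path, None) on success or (partial_path, reason) on failure.
    """
    by_subject = {c.subject: c for c in available}
    path, current = [leaf], leaf
    for _ in range(max_depth):
        if current.subject in anchors:
            return path, None  # reached a certificate that is trusted
        if current.issuer == current.subject:
            return path, f"self-signed '{current.subject}' is not trusted"
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return path, f"gap in chain: issuer '{current.issuer}' not found"
        path.append(issuer)
        current = issuer
    return path, "path too long"

def describe(leaf, available, anchors):
    """One-line summary of the validation result for display."""
    path, err = build_path(leaf, available, anchors)
    chain = " -> ".join(c.subject for c in path)
    return f"FAIL ({err}): {chain}" if err else f"OK: {chain}"

if __name__ == "__main__":
    # 1. Root trusted, intermediate not available locally: gap in the chain.
    print(describe(SERVER, [ROOT], {ROOT.subject}))
    # 2. Intermediate made available: full path up to the root anchor.
    print(describe(SERVER, [ROOT, INTERMEDIATE], {ROOT.subject}))
    # 3. Intermediate itself trusted, root absent: anchor at the chosen point.
    print(describe(SERVER, [INTERMEDIATE], {INTERMEDIATE.subject}))
```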