Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
- Subject: Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
- From: VaibhaV Sharma <email@hidden>
- Date: Thu, 23 Jul 2015 20:38:45 +0000
- Thread-topic: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
Thanks for your quick response.
That is correct. I enabled the "Search directory services" checkbox and traced packets on the network. There seems to be an LDAP query and response on the wire which includes the cert, but Keychain does not consume the cert properly.
All the code seems to be in there, and also the nice-looking documentation. It just does not work. Sorry if I sound like I am venting, but I have spent a lot of time debugging this and it is just frustrating to see this being a lingering issue.
This one fix will enable so much for so many users out there. We have resorted to a PHP-based web page that people can use to search AD from their devices and fetch certs to be installed locally. On Mac OS, it might be possible to pre-fetch all the certs using a script and dump them in Keychain, but on iOS that is not an option.
—
VaibhaV
> On Jul 23, 2015, at 1:27 PM, Rowe, Walter <email@hidden> wrote:
>
> It does not work at the moment. You have to set the Keychain Preferences to "Search directory services for certificate". Even with this set, it doesn't work. I have tested 10.11 and posted my test results to the Apple Developer Forum. If you are a registered developer you can read about it there. This has been discussed a number of times. In my humble opinion this is not an Apple Mail issue. This is a Keychain Services issue, since Apple Mail simply asks the Keychain for a cert, and Keychain is responsible for searching the directory if it doesn't have a cert in the local keystore.
> --
> Walter Rowe, Application Hosting
> Infrastructure Services / OISM / NIST
> US Department of Commerce
> Email: email@hidden
> Office: 301.975.2885
>
>> On Jul 23, 2015, at 4:17 PM, VaibhaV Sharma <email@hidden> wrote:
>>
>> Referring to an old thread from last year -
>>
>> http://lists.apple.com/archives/fed-talk/2014/Mar/msg00012.html
>>
>> Also this -
>> https://support.apple.com/en-us/HT202345
>>
>> specifically where it says -
>> (3) Mail consults the GAL to discover the recipient's S/MIME certificate.
>>
>>
>> Is anyone able to get this working? I have tried several methods unsuccessfully, including -
>>
>> * Updating the user's cert from the Outlook 20xx Trust Center
>> * Updating userCertificate / userSMIMECertificate from AD user properties or manually
>> * Joining the Mac desktop client to the Windows domain and using Keychain to look up the GAL / LDAP
>>
>> Apple Mail on iOS devices spins its wheel looking for the recipient's cert but comes back without success. Keychain on Mac OS attempts to make an LDAP call, gets the result, but is not successful in consuming the cert. I even filed a ticket on this with Apple but no response yet after almost a year. I have sent multiple detailed analysis emails to our Apple account team and they have had no luck getting this figured out.
>>
>> The other issue I found with Mail on Mac OS is that if an outgoing encrypted email has multiple recipients and attachments, it sometimes gets stuck at 100+% CPU for about a minute before it returns to normal. I used Xcode / Instruments to trace system calls and it seems to be one of the encryption routines that it gets stuck on.
>>
>> Any clues or further updates?
>>
>> Thanks,
>>
>> —
>> VaibhaV Sharma
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
>
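Added example, not code from this thread, from Apple, or from the PHP page mentioned above: before concluding that the client is at fault, a practitioner wants to check what the GAL actually serves for a recipient. The DER blob in userCertificate / userSMIMECertificate (ldapsearch prints it base64-encoded as `userCertificate:: ...`) must name the address in an rfc822Name subjectAltName and, if it carries an extendedKeyUsage, must include id-kp-emailProtection. The script below does that with only the Python standard library: a minimal DER reader walks the TBSCertificate extensions, and `sample_cert` builds a constructed, unsigned certificate skeleton so the check runs offline. It validates neither the signature nor the chain; the OIDs are the standard X.509 / PKIX values.

```python
"""Inspect the certificate a directory returns for a recipient: does it name the
address (rfc822Name SAN) and permit S/MIME (id-kp-emailProtection, if EKU is set)?
Standard library only; no signature or chain validation is performed."""
import base64

OID_SAN = "2.5.29.17"                        # subjectAltName
OID_EKU = "2.5.29.37"                        # extendedKeyUsage
OID_ANY_EKU = "2.5.29.37.0"                  # anyExtendedKeyUsage
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # id-kp-emailProtection


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                        # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """List the (tag, value) pairs nested directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def oid_to_str(raw):
    """Decode OID content octets (base-128, high bit = continuation) to dotted form."""
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def extensions(cert_der):
    """Map extension OID -> extnValue bytes, taken from TBSCertificate field [3]."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    exts = {}
    for tag, val in der_children(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            _, ext_seq, _ = der_read(val)
            for _, ext in der_children(ext_seq):
                fields = der_children(ext)   # extnID, [critical BOOLEAN], extnValue OCTET STRING
                exts[oid_to_str(fields[0][1])] = fields[-1][1]
    return exts


def san_emails(exts):
    """rfc822Name entries ([1] IMPLICIT IA5String) from subjectAltName, if present."""
    raw = exts.get(OID_SAN)
    if raw is None:
        return []
    _, names, _ = der_read(raw)
    return [v.decode("ascii") for t, v in der_children(names) if t == 0x81]


def eku_oids(exts):
    """Extended key usage OIDs, or None when the extension is absent (no restriction)."""
    raw = exts.get(OID_EKU)
    if raw is None:
        return None
    _, seq, _ = der_read(raw)
    return [oid_to_str(v) for _, v in der_children(seq)]


def smime_problems(cert_der, address):
    """Reasons this certificate cannot be used to encrypt mail to `address` (empty list = fine)."""
    exts = extensions(cert_der)
    problems = []
    if address.lower() not in [e.lower() for e in san_emails(exts)]:
        problems.append("no rfc822Name SAN matching " + address)
    ekus = eku_oids(exts)
    if ekus is not None and OID_EMAIL_PROTECTION not in ekus and OID_ANY_EKU not in ekus:
        problems.append("EKU present but lacks id-kp-emailProtection: " + ", ".join(ekus))
    return problems


# Constructed test data: a DER Certificate skeleton (unsigned, not a real cert).
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_cert(email, ekus=(OID_EMAIL_PROTECTION,)):
    """Minimal Certificate carrying only SAN and EKU; other fields are empty SEQUENCEs."""
    def ext(oid, value):
        return _tlv(0x30, _tlv(0x06, _oid(oid)) + _tlv(0x04, value))
    san = ext(OID_SAN, _tlv(0x30, _tlv(0x81, email.encode("ascii"))))
    eku = ext(OID_EKU, _tlv(0x30, b"".join(_tlv(0x06, _oid(o)) for o in ekus)))
    empty = _tlv(0x30, b"")
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + empty * 5
           + _tlv(0xA3, _tlv(0x30, san + eku)))
    return _tlv(0x30, _tlv(0x30, tbs) + empty + _tlv(0x03, b"\x00"))
```

With real directory data, feed `base64.b64decode` of the `userCertificate::` value into `smime_problems` in place of `sample_cert`. A non-empty result means the GAL is publishing a certificate that no S/MIME client should accept for that recipient; an empty result only says the published certificate is plausible, not why a particular client declines to use it.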