Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
- Subject: Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
- From: "Rowe, Walter" <email@hidden>
- Date: Thu, 23 Jul 2015 20:45:04 +0000
- Thread-topic: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
The correct cert also has to be in the GAL. It has to be the cipher key. If you have a way to inspect certs that are in your GAL in the userCertificate attribute, they have tags that indicate their purpose. Digital Signature certs won’t work. They have to be cipher certs.
--
Walter Rowe, Application Hosting
Infrastructure Services / OISM / NIST
US Department of Commerce
Email: email@hidden
Office: 301.975.2885
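The "tags that indicate their purpose" are the keyUsage extension bits of the X.509 certificate published in userCertificate. The script below is an added example (not code from this thread or from any of the posters) that walks a DER-encoded certificate with a minimal ASN.1 reader, finds the keyUsage extension (OID 2.5.29.15), and reports whether the cert can be used for S/MIME encryption (keyEncipherment, or keyAgreement for ECDH) or only for signing. The three DER blobs at the bottom are constructed bare Extension values used as sample input; the same functions accept a complete DER certificate pulled from the GAL, on the assumption that it is well-formed DER. Names such as `smime_role` and `report` are the example's own.

```python
"""Classify GAL certificates by keyUsage: encryption-capable vs signing-only."""
from typing import Iterator, Optional, Tuple, Dict

KEY_USAGE_OID = bytes.fromhex("551d0f")  # content octets of OID 2.5.29.15

# RFC 5280 KeyUsage named bits; bit 0 is the most significant bit of the
# first content octet of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (DER, definite)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_children(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_key_usage(bitstring: bytes) -> set:
    """Decode a DER BIT STRING value (first octet = unused-bit count) to bit names."""
    unused = bitstring[0]
    body = bitstring[1:]
    bits = int.from_bytes(body, "big")
    total_bits = len(body) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:                 # DER strips trailing zero bits
            break
        if (bits >> (len(body) * 8 - 1 - i)) & 1:
            names.add(name)
    return names


def find_key_usage(der: bytes) -> Optional[set]:
    """Recursively search a DER blob for the keyUsage extension; None if absent."""
    for tag, value in iter_children(der):
        if tag == 0x30:                     # SEQUENCE: might be an Extension
            kids = list(iter_children(value))
            if kids and kids[0][0] == 0x06 and kids[0][1] == KEY_USAGE_OID:
                oct_tag, octets = kids[-1]  # extnValue: OCTET STRING wrapping BIT STRING
                bs_tag, bs_val, _ = read_tlv(octets, 0)
                if oct_tag == 0x04 and bs_tag == 0x03:
                    return decode_key_usage(bs_val)
            found = find_key_usage(value)
            if found is not None:
                return found
        elif tag & 0x20:                    # other constructed types, e.g. [3] extensions
            found = find_key_usage(value)
            if found is not None:
                return found
    return None


def smime_role(der: bytes) -> str:
    """'encryption', 'signing-only', 'other', or 'unrestricted' (no keyUsage present)."""
    usage = find_key_usage(der)
    if usage is None:
        return "unrestricted"               # RFC 5280: absent keyUsage imposes no limit
    if "keyEncipherment" in usage or "keyAgreement" in usage:
        return "encryption"
    if "digitalSignature" in usage or "nonRepudiation" in usage:
        return "signing-only"
    return "other"


def report(entries: Dict[str, bytes]) -> Dict[str, str]:
    """Map each GAL entry name to the role of its userCertificate value."""
    return {name: smime_role(der) for name, der in entries.items()}


# Constructed sample input: bare keyUsage Extension values (SEQUENCE { OID,
# critical TRUE, OCTET STRING { BIT STRING } }), not real GAL certificates.
SIGN_ONLY_EXT = bytes.fromhex("300e0603551d0f0101ff0404030207" "80")  # digitalSignature
ENCRYPT_ONLY_EXT = bytes.fromhex("300e0603551d0f0101ff0404030205" "20")  # keyEncipherment
DUAL_USE_EXT = bytes.fromhex("300e0603551d0f0101ff0404030205" "a0")  # both bits

if __name__ == "__main__":
    sample = {"sign-only user": SIGN_ONLY_EXT,
              "encrypt-only user": ENCRYPT_ONLY_EXT,
              "dual-use user": DUAL_USE_EXT}
    for name, role in report(sample).items():
        print(f"{name}: {role}")
```

To run this against a real directory, export the attribute with ldapsearch (the value appears base64-encoded under `userCertificate;binary::`), base64-decode it, and pass the bytes to `smime_role`. An entry that comes back `signing-only` is exactly the case Walter describes: the cert is published, but Mail cannot encrypt to it.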
On Jul 23, 2015, at 4:38 PM, VaibhaV Sharma < email@hidden> wrote:
Thanks for your quick response.
That is correct. I enabled the “Search directory services” checkbox and traced packets on the network. There seems to be an LDAP query and response on the wire which includes the cert, but Keychain does not consume the cert properly.
All the code seems to be in there, and also the nice-looking documentation. Just that it does not work. Sorry if I sound like I am venting, but I have spent a lot of time debugging this and it is just frustrating to see this being a lingering issue.
This one fix will enable so much for so many users out there. We have resorted to a PHP-based web page that people can use to search AD from their devices and fetch certs to be installed locally. On Mac OS, it might be possible to pre-fetch all the certs using a script and dump them in Keychain, but on iOS, that is not an option.
—
VaibhaV
On Jul 23, 2015, at 1:27 PM, Rowe, Walter <email@hidden> wrote:
It does not work at the moment. You have to set the Keychain Preferences to “Search directory services for certificate”. Even with this set, it doesn’t work. I have tested 10.11 and posted my test results to the Apple Developer Forum. If you are a registered developer you can read about it there. This has been discussed a number of times. In my humble opinion this is not an Apple Mail issue. This is a Keychain Services issue, since Apple Mail simply asks the Keychain for a cert, and Keychain is responsible for searching the directory if it doesn’t have a cert in the local keystore.
--
Walter Rowe, Application Hosting
Infrastructure Services / OISM / NIST
US Department of Commerce
Email: email@hidden
Office: 301.975.2885
On Jul 23, 2015, at 4:17 PM, VaibhaV Sharma <email@hidden> wrote:
Referring to an old thread from last year -
http://lists.apple.com/archives/fed-talk/2014/Mar/msg00012.html
Also this -
https://support.apple.com/en-us/HT202345
specifically where it says -
(3) Mail consults the GAL to discover the recipient's S/MIME certificate.
Is anyone able to get this working? I have tried several methods unsuccessfully, including -
* Updating user’s cert from Outlook 20xx trust center
* Updating userCertificate / userSMIMECertificate from AD user properties or manually
* Joining the Mac desktop client to the windows domain and using keychain to lookup GAL / Ldap
Apple Mail on iOS devices spins its wheel looking for the recipient’s cert but comes back without success. Keychain on Mac OS attempts to make an LDAP call, gets the result, but is not successful in consuming the cert. I even filed a ticket on this with Apple but no response yet after almost a year. I have sent multiple detailed analysis emails to our Apple account team and they have had no luck getting this figured out.
The other issue I found with Mail on Mac OS is that if an outgoing encrypted email has multiple recipients and attachments, it sometimes gets stuck at 100+% CPU for about a minute before it returns to normal. I used Xcode / Instruments to trace system calls and it seems to be one of the encryption routines that it gets stuck on.
Any clues or further updates?
Thanks,
—
VaibhaV Sharma
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden