Re: SecureTransport errors
  • Subject: Re: SecureTransport errors
  • From: Doug Mitchell <email@hidden>
  • Date: Wed, 8 Oct 2003 07:43:37 -0700

On Monday, September 29, 2003, at 11:25 AM, Steve Kalkwarf wrote:

> One of our customers is having trouble connecting to their SSL-enabled
> POP servers. To make a long story short, our call to SSLHandshake() is
> returning errSSLNoRootCert.
>
> According to Mozilla, the certificate in question has a root (itself).
> Its verification indicates that it is only a "Status Responder
> Certificate", which if I read my RFC correctly, defers the certificate
> validity test to a designated host.
>
> Does the key manager in SecureTransport work with this style of
> certificate? If not, does anybody have any suggestions?

I believe you're referring to OCSP, Online Certificate Status Protocol. This is in fact not implemented by SecureTransport (actually, it's not implemented by the Trust Policy module, upon which ST relies for its certificate validation).

When dealing with a server which is known to present such a certificate, one could call ST's SSLSetAllowsAnyRoot() function, thus avoiding the errSSLNoRootCert error status, assuming that all else is OK with the server cert.

However I believe that even with OCSP, the cert presented by the server still needs to be verifiable to a root cert. The OCSP only covers revocation, NOT basic certificate verification. So the "correct" solution is to obtain the root cert which does indeed verify the cert in question and add it to the /System/Library/Keychains/X509Anchors keychain on each host on which a SecureTransport-based client is running. Once this has been done, I believe (not with 100% assurance since I have not worked with Status Responder certs yet) that the client should work OK.

You can add root certs to the X509Anchors keychain using certtool (Jaguar and later) or by using KeychainAccess.app (Panther only).

--dpm
_______________________________________________
macnetworkprog mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macnetworkprog
Do not post admin requests to the list. They will be ignored.
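The distinction the reply draws, as an added illustration that is not part of the thread and not SecureTransport code: chain-to-root verification (the check behind errSSLNoRootCert) is separate from revocation (what OCSP answers), so neither an OCSP response nor allowing any root can stand in for a trusted anchor. The Cert type, names and the allows_any_root flag are constructed stand-ins for real X.509 objects and policy.

```python
"""Toy model of certificate trust evaluation as discussed in the thread.
Certificates are constructed dicts-like records, not real X.509 parsing."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:  # constructed stand-in for an X.509 certificate
    subject: str
    issuer: str
    revoked: bool = False

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, presented: list[Cert], anchors: set[Cert]) -> list[Cert]:
    """Walk issuer links from the leaf, using presented certs and the local
    anchor store, until a self-signed cert or a dead end is reached."""
    by_subject = {c.subject: c for c in list(presented) + list(anchors)}
    chain, cur = [leaf], leaf
    while not cur.self_signed and cur.issuer in by_subject:
        cur = by_subject[cur.issuer]
        if cur in chain:  # defensive: stop on a malformed issuer loop
            break
        chain.append(cur)
    return chain


def evaluate(leaf: Cert, presented: list[Cert], anchors: set[Cert],
             allows_any_root: bool = False) -> str:
    """Return 'ok', 'errSSLNoRootCert' or 'revoked', in the order a
    SecureTransport-style policy would report them."""
    chain = build_chain(leaf, presented, anchors)
    root = chain[-1]
    # Basic verification: the chain must terminate in a trusted anchor, or
    # (only under the SSLSetAllowsAnyRoot-style policy) in any self-signed
    # root. OCSP never performs this step, so it cannot replace an anchor.
    if root not in anchors and not (allows_any_root and root.self_signed):
        return "errSSLNoRootCert"
    # Revocation is a later, separate check (the question OCSP or a CRL
    # answers); it is only reached once the chain itself verifies.
    if any(c.revoked for c in chain):
        return "revoked"
    return "ok"
```

Adding the root to the anchor set makes the chain verify even when the server never sends the root; allowing any root only suppresses the error and leaves the client trusting whatever self-signed cert it is handed.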
