Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Previously added VeriSign intermediate certificates in Keychain causing trust errors #8775

Closed
cyberduck opened this issue Apr 28, 2015 · 3 comments

Comments

@cyberduck
Copy link
Collaborator

@cyberduck cyberduck commented Apr 28, 2015

Nelson Minar created the issue

Prior to version 4.7, Cyberduck had code where it wrote some SSL certificates to the user login keychain. This behavior is documented in ticket #8741 and the code was changed to no longer do that.

However, the certificates old versions of Cyberduck wrote to the Keychain are now causing fairly serious problems with MacOS. Affected Macs can no longer verify Verisign-signed SSL certs in any application. Symptoms are the App Store refuses to load, MacOS software updates won't get installed, Chrome refuses to load websites and Safari throws errors. It's pretty bad. The problem seems to be triggered by Mavericks security update 2015-004 (released last week).

The fix is pretty simple: manually delete the spurious entries in the login keychain (so that the system entries are used instead). But users aren't going to figure that out on their own. There's no indication to the user there's a problem with their keychain or that Cyberduck was the app that created the problematic entry. I only figured it out thanks to some lucky timing and a message on the system console.

While Cyberduck 4.7 no longer causes the problem, anyone who used an older version of Cyberduck still have broken Macs. Could Cyberduck do something to notify affected users? Maybe a new version of Cyberduck that checks for the bad entries and warns the user, pointing them to a help page?

It'd also be nice to figure out exactly what entries Cyberduck might have written. For me and a bunch of other users it's two Verisign certs, one named "VeriSign Class 3 Public Primary Certification Authority – G5". They seem to have come from Amazon S3.

Some references:


Attachments

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Apr 30, 2015

@dkocher commented

Previously discussed in this AWS forum thread.

@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented May 5, 2015

@dkocher commented

I tried to replicate this issue with looking at the certificate chain from s3.amazonaws.com and it looks like all intermediate certificates are now current signed with 2048bits. Therefore even when these get added to the login.keychain from versions prior to 4.7 this will no longer cause trouble.

Users affected by this issue are advised to remove the weak intermediate certificates from their login keychain.

Verisign Certificate Chain.png

@cyberduck cyberduck closed this May 5, 2015
@cyberduck
Copy link
Collaborator Author

@cyberduck cyberduck commented Aug 24, 2015

@dkocher commented

Duplicate for #8741.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants