Prior to version 4.7, Cyberduck had code where it wrote some SSL certificates to the user login keychain. This behavior is documented in ticket #8741 and the code was changed to no longer do that.
However, the certificates old versions of Cyberduck wrote to the Keychain are now causing fairly serious problems with MacOS. Affected Macs can no longer verify Verisign-signed SSL certs in any application. Symptoms are the App Store refuses to load, MacOS software updates won't get installed, Chrome refuses to load websites and Safari throws errors. It's pretty bad. The problem seems to be triggered by Mavericks security update 2015-004 (released last week).
The fix is pretty simple: manually delete the spurious entries in the login keychain (so that the system entries are used instead). But users aren't going to figure that out on their own. There's no indication to the user there's a problem with their keychain or that Cyberduck was the app that created the problematic entry. I only figured it out thanks to some lucky timing and a message on the system console.
While Cyberduck 4.7 no longer causes the problem, anyone who used an older version of Cyberduck still has a broken Mac. Could Cyberduck do something to notify affected users? Maybe a new version of Cyberduck that checks for the bad entries and warns the user, pointing them to a help page?
It'd also be nice to figure out exactly what entries Cyberduck might have written. For me and a bunch of other users it's two Verisign certs, one named "VeriSign Class 3 Public Primary Certification Authority – G5". They seem to have come from Amazon S3.
I tried to replicate this issue by looking at the certificate chain from s3.amazonaws.com and it looks like all intermediate certificates are now currently signed with 2048 bits. Therefore, even when these get added to the login.keychain from versions prior to 4.7, this will no longer cause trouble.
Users affected by this issue are advised to remove the weak intermediate certificates from their login keychain.
Attachments
Verisign Certificate Chain.png
(106.9 KiB)
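The check the ticket asks for, sketched as an added shell example (not Cyberduck's code): it uses the macOS `security` CLI to count login-keychain certificates whose name matches the CA quoted in the ticket, and notes whether the system roots hold the same name. The keychain paths and the name substring are assumptions; adjust them for the macOS release in use.

```shell
#!/bin/sh
# Added example: report certificates in the user's login keychain whose name
# matches the CA quoted in the ticket. Read-only; nothing is deleted.
# Assumptions: the two keychain paths below and the name substring.

LOGIN_KEYCHAIN="${LOGIN_KEYCHAIN:-$HOME/Library/Keychains/login.keychain}"
SYSTEM_ROOTS="${SYSTEM_ROOTS:-/System/Library/Keychains/SystemRootCertificates.keychain}"
CA_NAME="VeriSign Class 3 Public Primary Certification Authority"

# count_certs KEYCHAIN NAME
# Prints how many certificates in KEYCHAIN have a common name containing NAME.
count_certs() {
    # -a: all matches, -c: match on common name, -p: emit PEM
    security find-certificate -a -c "$2" -p "$1" 2>/dev/null \
        | grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# check_keychain
# Prints a verdict; returns 1 when user-level copies are present.
check_keychain() {
    user_n=$(count_certs "$LOGIN_KEYCHAIN" "$CA_NAME")
    sys_n=$(count_certs "$SYSTEM_ROOTS" "$CA_NAME")
    if [ "$user_n" -eq 0 ]; then
        echo "OK: no '$CA_NAME' entries in $LOGIN_KEYCHAIN"
        return 0
    fi
    echo "WARNING: $user_n '$CA_NAME' entries in $LOGIN_KEYCHAIN"
    if [ "$sys_n" -gt 0 ]; then
        echo "The system roots hold $sys_n entries with the same name."
    fi
    echo "Review them in Keychain Access (login keychain) before removing."
    return 1
}

# Run the check only when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_keychain
fi
```
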