Option to disable NSURLErrorSomain:-1205? (Safari bug with SSL-client-auth)


Option to disable NSURLErrorSomain:-1205? (Safari bug with SSL-client-auth)

Ken Johanson-3
Apple/Safari browsers (all current versions) have a bug where if they attempt to connect to an SSL client-authenticated website, and have client certs in their keystore whose signers/chain is not solicited during the SSL handshake, then Safari may send the unsolicited cert anyway.


This is a problem even for sites that have 'SSLVerifyClient optional' or 'SSLVerifyClient optional_no_ca' configured.

The message displayed by Safari is:

client certificate rejected: NSURLErrorSomain:-1205

The message logged in the openssl based webserver is:

SSL Failure error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca

My question is: is/should it be possible (and isn't it innocuous) for the web server to configure the openssl library to NOT send that error back or drop the connection, in the case where client-auth is optional? If so, what API functions would be used? (I will not make the change myself; I would forward this info to the specific web server vendor, though I can attest that this also is an issue for Apache sites + Safari.)

Thanks very much in advance,
ken

Re: Option to disable NSURLErrorSomain:-1205? (Safari bug with SSL-client-auth)

Victor Duchovni
On Wed, Feb 22, 2006 at 11:52:11AM -0700, Ken Johanson wrote:

> Apple/Safari browsers (all current versions) have a bug where if they
> attempt to connect to a SSL client-authenticated website, and have
> client certs in their keystore whose signers/chain is not solicited
> during SSL handshake.. then Safari may send the unsolicited cert
> anyway.

Most SMTP clients send client certificates even when the signing CA is
not solicited. The Postfix SMTP server does not complain if the client
certificate verification fails. The key issue is coding the server-side
verification callback correctly, so that the session is not rejected
despite the unverifiable client certificate.


From the bottom of tls_verify_certificate_callback():

    /*
     * Never fail in case of opportunistic mode.
     */
    if (TLScontext->enforce_verify_errors)
        return (ok);
    else
        return (1);

Normally "enforce_verify_errors" is not set.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
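The policy Viktor describes (request a client certificate, verify it if you can, but never let an unverifiable one kill an optional session) is easiest to see running end to end in Go's standard library, so the following is an added example and not code from the thread, from Postfix or from OpenSSL. The OpenSSL analogue is SSL_CTX_set_verify() with SSL_VERIFY_PEER and a verify callback that returns 1 in optional mode; Go's tls.Config expresses the same choice as VerifyClientCertIfGiven (enforce) versus RequestClientCert plus a VerifyPeerCertificate hook (opportunistic). All names (server.example, safari-client, the "note" string) are constructed for the example. Go's own client would not send a certificate the server's CA list does not cover, so the example overrides GetClientCertificate to reproduce the browser behaviour the thread describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		log.Fatal(err)
	}
}

// selfSigned builds a throw-away self-signed certificate for cn (constructed
// test material, not a real identity) carrying one extended key usage.
func selfSigned(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// serverConfig encodes the policy of the Postfix callback quoted above: with
// enforce set, an unverifiable client cert aborts the handshake; otherwise the
// server still asks for a cert, records the outcome in *note, and never rejects.
func serverConfig(cert tls.Certificate, clientCAs *x509.CertPool, enforce bool, note *string) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: clientCAs, ClientAuth: tls.VerifyClientCertIfGiven}
	if enforce {
		return cfg
	}
	cfg.ClientAuth = tls.RequestClientCert // request only; Go performs no verification in this mode
	cfg.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			*note = "no client certificate"
			return nil
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err == nil {
			_, err = leaf.Verify(x509.VerifyOptions{Roots: clientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		}
		if err != nil {
			*note = "unverified client certificate: " + err.Error()
		} else {
			*note = "verified client certificate " + leaf.Subject.CommonName
		}
		return nil // the "return (1)" branch: record the failure, never drop the session
	}
	return cfg
}

// run stages the thread's scenario over loopback TCP: the server solicits certs
// from its own CA only, and the client sends one from an unrelated issuer anyway.
func run(enforce bool) (clientGot, note string, serverErr error) {
	serverCert, serverX509 := selfSigned("server.example", x509.ExtKeyUsageServerAuth)
	clientCert, _ := selfSigned("safari-client", x509.ExtKeyUsageClientAuth)
	pool := x509.NewCertPool() // trust anchor for both sides; the client cert does not chain to it
	pool.AddCert(serverX509)
	cliCfg := &tls.Config{
		RootCAs: pool, ServerName: "server.example",
		// Ignores the server's acceptable-CA list, reproducing the browser behaviour described.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &clientCert, nil },
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		must(err)
		defer c.Close()
		s := tls.Server(c, serverConfig(serverCert, pool, enforce, &note))
		if err = s.Handshake(); err == nil {
			_, err = s.Write([]byte("ok"))
		}
		done <- err
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	defer c.Close()
	buf := make([]byte, 2)
	n, _ := tls.Client(c, cliCfg).Read(buf) // implicit handshake; a server alert surfaces here as an error
	serverErr = <-done
	return string(buf[:n]), note, serverErr
}

func main() {
	for _, enforce := range []bool{true, false} {
		got, note, err := run(enforce)
		fmt.Printf("enforce=%v: server error=%v, client read=%q, note=%q\n", enforce, err, got, note)
	}
}
```

With enforce=true the server's handshake fails on the unknown issuer (the Go counterpart of the "tlsv1 alert unknown ca" line in the question); with enforce=false the session completes, the client reads "ok", and the server still has the verification failure on record for logging or for a later per-request authorization decision, which is the point of keeping the callback separate from the accept/reject decision.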

Re: Option to disable NSURLErrorSomain:-1205? (Safari bug with SSL-client-auth)

Ken Johanson-3
> Most SMTP clients send client certificates even when the signing CA is
> not solicited. The Postfix SMTP server does not complain if the client
> certificate verification fails. The key issue is coding the server-side
> verification callback correctly, so that the session is not rejected
> despite the unverifiable client certificate.


Thanks Victor!!!! That advice proved invaluable for the one product
vendor that I use... at some point I'll try and report this as a bug on
Apache's behalf, since it also has the issue (the 2.x versions that I
tested).

Again, many thanks!!!

ken