Client certificates signed by intermediates are not considered since Sierra / 10.12
Reported by piers.sc...@ericsson.com, Sep 24 2016
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Example URL:
Steps to reproduce the problem:
1. Have a client cert loaded into Keychain which is valid and signed by an Intermediate cert of a known and valid Root CA cert.
2. Server issues (client) Certificate Request message with list of acceptable Root CAs which includes the Root CA of the intermediate from step 1.
3. Since macOS Sierra 10.12 the Client certificate will not be offered or sent.
What is the expected behavior?
Selection box should appear with all certs that are rooted at the CAs sent in server's Certificate Request message. This was the case up to Sierra 10.12.
What went wrong?
No certificates match, the box is not shown, no client cert is sent to the server.
Did this work before? N/A
Chrome version: 53.0.2785.116 Channel: stable
OS Version: OS X 10.12.0
Flash Version: Shockwave Flash 23.0 r0
Worked fine in El Capitan 10.11. Still works as expected on Safari under Sierra 10.12.
Have verified via a small test server in Go that if the /intermediate/ cert is sent as one of acceptable CAs in the Certificate Request message then the certs DIRECTLY signed by this intermediate are offered in the Chrome cert selection UI and can be sent to the server.
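The expectation stated in the report (a client cert should be offered whenever it chains to an advertised CA, possibly through an intermediate held locally) expressed as an added Go illustration; this is not code from the bug report, from Chromium, or the reporter's Go test server. It builds a throwaway root -> intermediate -> client-cert PKI with constructed names and checks the three cases the report describes using crypto/x509 chain building: the expected behaviour, the direct-issuance-only matching seen on Sierra, and the workaround of advertising the intermediate itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a cert for cn signed by parent (nil parent = self-signed root); ca marks issuing CAs.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		IsCA: ca, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature} // one key-usage set for brevity
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err) // throwaway test PKI: any issuance failure is fatal
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// Offerable: does the leaf chain, via locally held intermediates, to a CA named in the server's Certificate Request?
func Offerable(leaf *x509.Certificate, inters, acceptable []*x509.Certificate) bool {
	roots, mid := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range acceptable {
		roots.AddCert(c)
	}
	for _, c := range inters {
		mid.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: mid, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Scenario reproduces the report: root -> intermediate -> client cert, server lists only the root.
func Scenario() (viaIntermediate, leafAlone, intermediateListed bool) {
	root, rootKey := issue("Test Root CA", 1, true, nil, nil)
	inter, interKey := issue("Test Intermediate CA", 2, true, root, rootKey)
	leaf, _ := issue("test client", 3, false, inter, interKey)
	return Offerable(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}), // expected everywhere: true
		Offerable(leaf, nil, []*x509.Certificate{root}), // only direct issuance counted, as on Sierra: false
		Offerable(leaf, nil, []*x509.Certificate{inter}) // intermediate itself advertised, the workaround: true
}
```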
Comment 1 by piers.sc...@ericsson.com, Sep 25 2016
Built from source to triage the error further.
Error is from SecPolicySetValue() via CreateSSLClientPolicy() in net/cert/x509_util_mac.cc
Looks like a client-cert complement of #647241. CreateSSLServerPolicy() has been altered for that.
However it's not clear that there's a "ServerName" to set for a Client cert.
This hack seems to "work", but I'm out of depth about the security aspects:
--- a/net/cert/x509_util_mac.cc
+++ b/net/cert/x509_util_mac.cc
@@ -56,6 +56,8 @@ OSStatus CreateSSLClientPolicy(SecPolicyRef* policy) {
memset(&tp_ssl_options, 0, sizeof(tp_ssl_options));
tp_ssl_options.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION;
tp_ssl_options.Flags |= CSSM_APPLE_TP_SSL_CLIENT;
+ tp_ssl_options.ServerName = ".";
+ tp_ssl_options.ServerNameLen = 1;
return CreatePolicy(&CSSMOID_APPLE_TP_SSL, &tp_ssl_options,
sizeof(tp_ssl_options), policy);
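Review bot: The two added lines, `+ tp_ssl_options.ServerName = ".";` and `+ tp_ssl_options.ServerNameLen = 1;`, feed a dummy hostname into the client-certificate policy even though, as the comment above the hunk says, there is no server name for a client cert to be checked against, so what the trust policy does with "." is unspecified and the security effect is unknown. Rather than landing this, have CreateSSLClientPolicy() build the client policy with the higher-level SecPolicyCreateSSL() (server flag false, no hostname) instead of the CSSMOID_APPLE_TP_SSL options struct, and confirm that intermediate-issued client certs are then offered on 10.12; if the CSSM path is kept, document why 10.12 rejects a zero-length ServerName.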
Sep 26 2016
Matt: Would you mind taking this on as part of Issue 647241? Sounds like 10.12 botched the .ServerName/.ServerNameLen aspect. Alternatively, could you explore using SecPolicyCreateSSL() and see if, using that instead of CSSMOID_APPLE_TP_SSL, we get the same/better results?
Sep 27 2016
Using SecPolicyCreateSSL does appear to fix this on Sierra. (Looks like it also works for the server policy.)
Sep 27 2016
Also seeing this issue with Chrome on Sierra.
Sep 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9d33bc396faca1d6d017ed22894197e51c16d6e5
commit 9d33bc396faca1d6d017ed22894197e51c16d6e5
Author: mattm <mattm@chromium.org>
Date: Wed Sep 28 19:21:22 2016

Mac: Use SecPolicyCreateSSL instead of CreatePolicy(&CSSMOID_APPLE_TP_SSL, ...)

Fixes client cert selector not showing client certs that were not directly issued by the specified root(s) on Sierra.

Also use SecPolicyCreateBasicX509 instead of CreatePolicy(&CSSMOID_APPLE_X509_BASIC, ...). (Should have no effect, but may be safer / more future-proof.)

BUG=649953
Review-Url: https://codereview.chromium.org/2373533003
Cr-Commit-Position: refs/heads/master@{#421598}

[modify] https://crrev.com/9d33bc396faca1d6d017ed22894197e51c16d6e5/net/cert/x509_util_mac.cc
Sep 29 2016
piers, mhanley: Could you try canary version 55.0.2875.0 and see if it resolves the issue for you?
Sep 30 2016
Hi, yep, Canary 55.0.2875.0 is working for both the production use-case and my test. Thanks for the quick attention to this - any rough sense of when this might land in the mainstream Chrome release?
Sep 30 2016
Thanks for verifying, requesting merge to beta. (M54 probably would hit stable in a few weeks from now since M53 went stable on Aug 31.)
Sep 30 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7f6568a8aca70454edfa9c2c72c3ab2eed2b83d8
commit 7f6568a8aca70454edfa9c2c72c3ab2eed2b83d8
Author: Matt Mueller <mattm@chromium.org>
Date: Fri Sep 30 21:01:51 2016

Mac: Use SecPolicyCreateSSL instead of CreatePolicy(&CSSMOID_APPLE_TP_SSL, ...)

Fixes client cert selector not showing client certs that were not directly issued by the specified root(s) on Sierra.

Also use SecPolicyCreateBasicX509 instead of CreatePolicy(&CSSMOID_APPLE_X509_BASIC, ...). (Should have no effect, but may be safer / more future-proof.)

BUG=649953
Review-Url: https://codereview.chromium.org/2373533003
Cr-Commit-Position: refs/heads/master@{#421598}
(cherry picked from commit 9d33bc396faca1d6d017ed22894197e51c16d6e5)

Review URL: https://codereview.chromium.org/2388503002 .

Cr-Commit-Position: refs/branch-heads/2840@{#607}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/7f6568a8aca70454edfa9c2c72c3ab2eed2b83d8/net/cert/x509_util_mac.cc
Sep 30 2016
mattm: How feasible do you think it'd be to write a test for this? Alternatively, should we perhaps write up instructions for testing this manually? Seems like the sort of thing we could ask the QA folks to check when qualifying Chrome on a new macOS release. I'd written up notes previously for the Chrome on Android folks to test user-installed roots after Android N changed default behavior there.
Sep 30 2016
Should be possible, though it requires some platform specific work. (Need to be able to put the intermediate cert in keystore/cert DB so that the client cert filtering will find it. On mac it should be possible by using a custom keychain search list). I was planning to work on that already, just filed issue 651962 for it.