Safari and Chrome reporting globalsign certificate invalid, hang on attempts to view certificate
Reported by
j...@cloudview.com,
Oct 14 2016
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

Steps to reproduce the problem:
Issue is situational: some systems show it, some don't. It's not clear why. https://www.ampproject.org and https://www.firebaseapp.com/ are showing the issue right now on several machines here.

What is the expected behavior?
Web site loads

What went wrong?
NET:ERR_CERT_REVOKED
Clearing the system /var/db/crls/crlcache2.db file doesn't fix it. Attempting to view the cert in chrome/safari causes a beachball of doom for ~5 mins and eventually shows the certificate dialog with the Globalsign intermediate cert marked as revoked.

Did this work before? N/A
Chrome version: 54.0.2840.59 Channel: stable
OS Version: OS X 10.12.0
Flash Version: Shockwave Flash 23.0 r0

See also https://downloads.globalsign.com/acton/attachment/2674/f-06d2/1/-/-/-/-/globalsign-incident-report-13-oct-2016.pdf
Oct 17 2016
Globalsign's incident report explains why the browser correctly treated the certificate as revoked (namely, OCSP declared the intermediate certificate revoked), so there's no bug there. Mention of Safari in "Attempting to view the cert in chrome/safari causes a beachball of doom" for ~5 minutes suggests the performance problem described may be external to Chrome. https://cs.chromium.org/chromium/src/chrome/browser/ui/certificate_viewer_mac.mm?q=certificate+sheet&sq=package:chromium&dr=C&l=107 implies that we're doing work to not revocation-check in this codepath to avoid stalling the UI. +patricialor@ as an expert on this UI.
Oct 17 2016
As of OS X 10.7.2, that code path is no longer able to disable revocation checking. So the issues it mentions still apply :)
Oct 17 2016
From a user perspective it's not clear if the hang is in the OSX keychain certificate display dialog or the browser. Either way, a bad cert shouldn't cause a beachball of doom that kills the whole browser UI for all tabs.
Oct 17 2016
I agree, Apple should fix their APIs :)
Nov 30 2016
Dec 7 2016
Nov 10 2017
Feb 18 2018
Comment 1 by mmoroz@chromium.org, Oct 17 2016
Components: Security>UX Internals>Network>SSL
Owner: f...@chromium.org
Status: Available (was: Unconfirmed)