SSL Client certificates added to Keychain don't become available to Chrome without restart
Reported by
ccass...@duosecurity.com,
May 1 2018
|
||
Issue description
Chrome Version: 66.0.3359.139
OS Version: OS X 10.13.4
We've seen this issue on many versions of Chrome and MacOS, but the versions listed should be adequate to reproduce.
What steps will reproduce the problem?
Two similar scenarios, both demonstrating similar behavior.
Brand new certificate:
1. Launch Chrome
2. Set AutoSelectCertificateForUrls policy for Chrome, add Client Certificate to Keychain, along with CA certs and private key.
3. Visit a site requiring the client certificate. No certificate is presented.
4. Restart Chrome
5. Visit same site, certificate is presented.
Replaced certificate:
1. Set AutoSelectCertificateForUrls policy for Chrome, add Client Certificate to Keychain, along with CA certs and private key. Client certificate expires 1 week from the time of issue
2. Launch Chrome, visit site that requires that certificate. Everything works.
3. Wait ~ 4 days without restarting Chrome or restarting machine
4. At this point, about 3 days before the certificate expires, the original certificate is deleted from the Keychain and replaced with a new one with identical Common name, etc., expiring a week later.
5. Visit the site requiring the certificate, everything works
6. Wait another 3 days without restarting Chrome
7. Visit the site requiring the certificate, no certificate is presented by Chrome.
8. Restart Chrome
9. Visit same site, certificate is presented.
What is the expected result?
Without restarting, Chrome would find the new certificate in the Keychain and present it.
What happens instead of that?
In each scenario, no certificate is presented until restarting Chrome.
Please provide any additional information below. Attach a screenshot if
possible.
AutoSelectCertificateForUrls is set in /Library/Preferences/com.google.Chrome.plist and has an item {"pattern":"https://[*.]<domain>/<path>","filter":{}}
The client certificate, CAs certs and private key reside in a dedicated keychain separate from the login keychain.
UserAgentString: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
,
May 1 2018
How are you installing your client cert? We presently only listen for events such as the list of keychains is changed (kSecKeychainListChangedEvent) or the list of trust settings has changed (kSecTrustSettingsChangedEvent). These are done as best effort - for various reasons, the only 'supported' way of changing client certificates - particularly involving resetting previous decisions - is to do a process restart. This is sufficient to handle the smart-card case, and was done because other events (namely, kSecAddEvent / kSecDeleteEvent / kSecUpdateEvent) are far too noisy to be used in their default state. We've evaluated in the past determining if the effective available set of client certificates for a given connection changes, to revisit that, but we've intentionally decided previously not to do that, as we've seen as much negative consequence as positive benefits. You can work around this behaviour by handling removing and inserting the keychain. Does that work as an acceptable solution?
,
May 4 2018
We use the security command to add client certs to the keychain. We're investigating whether removing/adding a keychain is a viable workaround. Thanks for that suggestion!
,
May 4 2018
For posterity, the issues with kSecAddEvent per Ryan (mistakes in transcription are mine) are: - If pid != self, item and keychain don't get set, so we can't filter out non-certificate keychain events - The change events fire really often, on per item, so we'd have to debounce it a bit.
,
May 4 2018
Thanks David for encouraging me to be less hand-wavy :) Correct that the issues in the past were involving it being too noisy. David rightfully pointed out that you can filter events (so as to exclude password change events, for example), but sequences such as locking/unlocking your machine, or accessing passwords in a browser (when the browsers still sync'd directly into the device keychain) could create spurious events. Because of the pid filtering issue (and mind you, this was ~macOS 10.5), we couldn't filter out the reason why. It's fully possible that this has changed in the macOS 10.9+ world that Chrome supports. It's also a known-issue/intentional-(ish) behaviour that we don't even look for change events on Windows or Linux. On Windows, we'd have to setup hEvent monitoring, and on Linux, we'd need to spawn a dedicated thread-per-slot (and manage reaping threads) in order to do the wait for slot events. I threw the macOS change monitoring in because it was low-cost and (unlike the other platforms) didn't require the dedicated thread blocking. There's possibilities that this will improve in the future, but I wanted to see about offering workarounds in the event such work is triaged as low priority :)
,
May 17 2018
Hi, We have got the same problem on macOS High Sierra. New inserted Keychain SSL certifiates become available to Chrome ONLY WHEN Chrome is RESTARTED.
,
May 17 2018
re Comment #6: Can you please describe how you are 'inserting Keychain SSL certificates' to see whether or not this is the known issue?
,
May 17 2018
Hi, We don't actually insert the smartcard certificates. Instead, certificates are read by a TokenD-based service we have developed. It is the system that finally propagates these data to KeyChain database.
,
May 17 2018
Also, I must mention that the problem does not occur in macOS Sierra (10.12) platform, only the Hign Sierra is affected. |
||
►
Sign in to add a comment |
||
Comment 1 by dtapu...@chromium.org
, May 1 2018