new Verisign Certs - unrecognized in OS X

Discussion in 'Mac OS X System & Mac Software' started by scruffy, Aug 10, 2006.

  1. scruffy

    scruffy Notorious Olive Counter

    Has anyone else encountered this problem?

    Apparently, Verisign has switched to a new certificate scheme, as of a few months ago.

    Verisign's explanation is here: http://www.verisign.com/support/advisories/page_029264.html
    (yes, it's available as an https page as well, and if you go to that same page as https, the cert checks out.)

    Now, when I go to my work's remote login site using OS X
    https://securelogin.gov.ab.ca
    I get a certificate error (I get no error with Windows). I'm pretty technical, and I can't even figure out how to get a copy of this new Verisign certificate, signed with a key that I already do trust, to import it into my X509Anchors keychain...

    So my questions three:
    - Can someone else using a fully up-to-date OS X check whether they get this error?
    - Can someone else using a fully up-to-date OS other than Windows check for this error?
    - Has anyone encountered this same warning about the Verisign Class 3 Server Certificate elsewhere on the web?

    I see two possibilities
    - Verisign just didn't bother to get anyone but Microsoft to include their new certificates - they just don't care about the rest of the world.
    - If the site in question distributed a full certificate chain, then it could get back to something Macs trust, but they just haven't configured it to do so, because it was only tested from Windows.
     
  2. Captain Code

    Captain Code Moderator Staff Member Mod

    I just tried the website you linked to and my version (latest) of Safari doesn't give any error. The lock appears in the top right of the window indicating a secure connection.
     
  3. cybergoober

    cybergoober Neomaxizoomdweebie

    Same here
     
  4. scruffy

    scruffy Notorious Olive Counter

    Very interesting - there's nothing in Software Update for me, and I still get the error in both Camino and Safari...

    Capt. Code, I see you're using a PPC machine. Cybergoober, do you use an Intel or PPC machine? I wonder if there might be some certs missing from Intel updates that made it into PPC ones. Doesn't seem likely, but who knows...

    And, what Verisign certs are in your X509Anchors keychain?
    For me, the command

    certtool y k=/System/Library/Keychains/X509Anchors | grep VeriSign | grep Common

    gives me this output

    Common Name : VeriSign Class 1 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 1 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 2 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 2 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 3 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 3 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 4 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 4 Public Primary Certification Authority - G3
     
  5. Captain Code

    Captain Code Moderator Staff Member Mod

    Here's what I get

    Common Name : VeriSign Class 1 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 1 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 2 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 2 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 3 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 3 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 4 Public Primary Certification Authority - G3
    Common Name : VeriSign Class 4 Public Primary Certification Authority - G3
     
  6. scruffy

    scruffy Notorious Olive Counter

    Huh, curiouser and curiouser - don't see any difference from what I have.

    If I could try your patience just a bit more, would you mind trying:

    openssl s_client -connect securelogin.gov.ab.ca:443 -showcerts

    And either posting, or PMing me (it is rather verbose), the output?

    Thanks
    Mark
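The check this post is asking for, written out as an added illustration that is not part of the thread: it parses the "Certificate chain" summary that `openssl s_client -showcerts` prints and walks from the leaf towards a trusted root, so an incomplete chain (the second possibility raised in the first post) shows up as a named missing issuer rather than a bare verify error. The sample output, the intermediate CA name and the anchor list are constructed for the example.

```python
import re
# Client's trust anchors: the VeriSign G3 roots listed in the thread's certtool
# output (constructed subset; a real check would read the system keychain).
TRUSTED_ANCHORS = {f"VeriSign Class {n} Public Primary Certification Authority - G3" for n in (1, 2, 3, 4)}
# Constructed "Certificate chain" block as printed by `openssl s_client -showcerts`
# (PEM bodies omitted): only the leaf is sent, signed by an intermediate the client lacks.
INCOMPLETE = """\
Certificate chain
 0 s:/C=CA/ST=Alberta/O=Example Org/CN=securelogin.example
   i:/O=VeriSign Trust Network/CN=Example Class 3 Intermediate CA (constructed)
---
"""
# Same server, but also sending the intermediate that chains to a trusted root.
COMPLETE = INCOMPLETE.replace("---", """\
 1 s:/O=VeriSign Trust Network/CN=Example Class 3 Intermediate CA (constructed)
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G3
---""")

def cn_of(dn):
    """Return the CN of a slash-separated DN (the whole DN if it has no CN)."""
    m = re.search(r"/CN=([^/]+)", dn)
    return (m.group(1) if m else dn).strip()

def parse_chain(output):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    pairs, subject = [], None
    for line in output.splitlines():
        if m := re.match(r"^\s*\d+ s:(.*)$", line):
            subject = cn_of(m.group(1))
        elif (m := re.match(r"^\s*i:(.*)$", line)) and subject is not None:
            pairs.append((subject, cn_of(m.group(1))))
            subject = None
    return pairs

def diagnose(output, anchors=TRUSTED_ANCHORS):
    """Walk from the leaf towards a trusted anchor; return the first problem or None."""
    pairs = parse_chain(output)
    if not pairs:
        return "server presented no certificates"
    issuer_of = dict(pairs)
    current, seen = pairs[0][0], set()
    while current not in seen:
        seen.add(current)
        issuer = issuer_of[current]
        if issuer in anchors:
            return None  # chain ends at a root the client already trusts
        if issuer not in issuer_of:
            return f"issuer '{issuer}' of '{current}' was not sent and is not trusted"
        current = issuer
    return f"chain loops at '{current}' without reaching a trusted root"
```

Feed it the real `s_client` output captured from the server in question and the message names exactly which certificate the server should be configured to send.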
     
  7. Captain Code

    Captain Code Moderator Staff Member Mod

    Looks like openssl can't verify the cert according to the output. I've PM'd you the whole output.
     
  8. Captain Code

    Captain Code Moderator Staff Member Mod

    I just tried the site again and now I'm getting a certificate error saying it was issued by an unknown certificate authority but I can still continue.
     
  9. scruffy

    scruffy Notorious Olive Counter

    Thanks for checking that for me, captain. I mentioned this to the site maintainers, so they're now aware of the problem.

    And it's good to know I haven't just reported to them something that's actually a misconfiguration with my computer...
     