[Webkit-unassigned] [Bug 7417] New: Safari + SSL-Client auth: NSURLErrorSomain:-1205

bugzilla-daemon at opendarwin.org bugzilla-daemon at opendarwin.org
Wed Feb 22 10:19:36 PST 2006


http://bugzilla.opendarwin.org/show_bug.cgi?id=7417

           Summary: Safari + SSL-Client auth: NSURLErrorSomain:-1205
           Product: WebKit
           Version: 417.x
          Platform: Macintosh
               URL: http://up.ascentmedia.com (MUST hosts file redirect to
                    65.125.174.105)
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: critical
          Priority: P4
         Component: WebKit API
        AssignedTo: webkit-unassigned at opendarwin.org
        ReportedBy: ken at kensystem.com


Safari (or webkit) connecting to SSL/TLS sites that have client-certificate
authentication fails with:

  client certificate rejected: NSURLErrorSomain:-1205

The following is logged in an openssl based webserver:

  SSL Failure error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

This problem can occur if the user has one or more certs in his keystore, whose
signer/chain is not in the server's trusted list (sent during SSL handshake),
because the webkit SSL-API arbitrarily sends one of the non-trusted certs
(instead of none, or only solicited ones).

There also appears to be an absence of a cert-selection user-dialog, or setting
in Safari to NOT auto-send a client cert during handshake.

This problem occurs for almost all users who have a .Mac account and an
imported .Mac certificate.

Marking critical since this bug completely prevents all access to the site (i.e.
the site cannot even suggest to the users that they attempt some workaround),
and because there is no prescribable workaround except to un-install the
client cert or change access controls in the keystore (neither are suitable
for laymen). This also seems to be a privacy issue since a cert (an
in-applicable one as in the case of a .Mac one) is being sent without user
authorization.

To view the sample URL above, a hosts-file entry must be made:

65.125.174.105 up.ascentmedia.com


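As an added illustration (not part of the bug report or of WebKit), the following Python models the client behaviour the report asks for: parse the certificate_authorities list the server sends in its TLS 1.0 CertificateRequest and offer a client certificate only when an issuer in its chain is on that list, otherwise send none. The CA names, certificate records and handshake bytes are constructed for the example.

```python
"""Client-cert selection driven by the server's CertificateRequest (RFC 2246 s7.4.4).
Added example; names, bytes and certificate records below are constructed."""
import struct

def der_cn(cn: str) -> bytes:
    """Minimal DER Name holding one commonName (assumes all lengths < 128)."""
    val = b'\x0c' + bytes([len(cn)]) + cn.encode()                         # UTF8String
    atv = b'\x30' + bytes([5 + len(val)]) + b'\x06\x03\x55\x04\x03' + val  # OID 2.5.4.3 + value
    rdn = b'\x31' + bytes([len(atv)]) + atv                                 # SET
    return b'\x30' + bytes([len(rdn)]) + rdn                                # SEQUENCE

def build_certificate_request(cert_types, ca_names):
    """Body: certificate_types<1..2^8-1> then certificate_authorities<0..2^16-1>."""
    blob = b''.join(struct.pack('!H', len(dn)) + dn for dn in ca_names)
    return bytes([len(cert_types)]) + bytes(cert_types) + struct.pack('!H', len(blob)) + blob

def parse_certificate_request(body: bytes):
    """Return (certificate_types, [DER names]); raise on inconsistent lengths."""
    n = body[0]
    types = list(body[1:1 + n])
    pos = 1 + n
    (total,) = struct.unpack('!H', body[pos:pos + 2])
    pos += 2
    end = pos + total
    if end != len(body):
        raise ValueError('certificate_authorities length does not match body')
    names = []
    while pos < end:
        (dn_len,) = struct.unpack('!H', body[pos:pos + 2])
        pos += 2
        if pos + dn_len > end:
            raise ValueError('DistinguishedName overruns certificate_authorities')
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    return types, names

def select_client_cert(certs, request_body: bytes):
    """Offer a cert only if an issuer in its chain was solicited; otherwise None
    (empty Certificate message) instead of a cert the server answers with 'unknown ca'."""
    _, solicited = parse_certificate_request(request_body)
    wanted = set(solicited)
    for cert in certs:
        if wanted.intersection(cert['chain_issuers']):
            return cert
    return None

# Constructed sample: the server trusts only its own client CA.
SITE_CA = der_cn('Example Site Client CA')
MAC_CA = der_cn('Example Personal Mail CA')
REQUEST = build_certificate_request([1], [SITE_CA])   # 1 = rsa_sign
MAC_CERT = {'name': 'imported personal cert', 'chain_issuers': [MAC_CA]}
SITE_CERT = {'name': 'site-issued cert', 'chain_issuers': [SITE_CA]}
```

With only MAC_CERT in the keystore the selector returns None, which is the "send nothing" outcome the report wants instead of the arbitrary cert that triggers the server's unknown ca alert.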