[Webkit-unassigned] [Bug 7417] New: Safari + SSL-Client auth: NSURLErrorSomain:-1205
bugzilla-daemon at opendarwin.org
Wed Feb 22 10:19:36 PST 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=7417
Summary: Safari + SSL-Client auth: NSURLErrorSomain:-1205
Product: WebKit
Version: 417.x
Platform: Macintosh
URL: http://up.ascentmedia.com (MUST hosts file redirect to
65.125.174.105)
OS/Version: Mac OS X 10.4
Status: UNCONFIRMED
Severity: critical
Priority: P4
Component: WebKit API
AssignedTo: webkit-unassigned at opendarwin.org
ReportedBy: ken at kensystem.com
Safari (or webkit) connecting to SSL/TLS sites that have client-certificate
authentication, fails with:
client certificate rejected: NSURLErrorSomain:-1205
The following is logged in an openssl based webserver:
SSL Failure error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
This problem can occur if the user has one or more certs in his keystore, whose
signer/chain is not in the server's trusted list (sent during SSL handshake),
because the webkit SSL-API arbitrarily sends one of the non-trusted certs
(instead of none, or only solicited ones).
There also appears to be an absence of a cert-selection user-dialog, or setting
in Safari to NOT auto-send a client cert during handshake.
This problem occurs for almost all users who have a .Mac account and an
imported .Mac certificate.
Marking critical since this bug completely prevents all access to the site (i.e.
the site cannot even suggest to the users that they attempt some workaround),
and, because there is no prescribable workaround except to un-install the
client cert or change access controls in the keystore (neither is suitable
for laymen). This also seems to be a privacy issue since a cert (an
inapplicable one as in the case of a .Mac one) is being sent without user
authorization.
To view the sample URL above, a hosts-file entry must be made:
65.125.174.105 up.ascentmedia.com
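The selection behaviour the report asks for (send only solicited certificates, or none, and let the user decide), sketched as an added example that is not part of the original report and is not WebKit code. The `Identity` model, the function names and the sample DNs are hypothetical, and string comparison of DNs stands in for the DER-encoded name comparison a real TLS stack performs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    """Client certificate + key as held in a keystore (hypothetical model)."""
    label: str
    issuers: tuple  # issuer DNs, from the leaf's issuer up to the root

def normalize_dn(dn):
    # Simplification: real TLS stacks compare DER-encoded names, not strings.
    return ",".join(part.strip().lower() for part in dn.split(","))

def eligible_identities(keystore, acceptable_cas):
    """Identities whose chain contains a CA named in the CertificateRequest."""
    if not acceptable_cas:
        # Empty certificate_authorities list: the server gave no hint
        # (RFC 5246, 7.4.4), so nothing can be ruled out by issuer.
        return list(keystore)
    wanted = {normalize_dn(dn) for dn in acceptable_cas}
    return [ident for ident in keystore
            if any(normalize_dn(dn) in wanted for dn in ident.issuers)]

def choose_identity(keystore, acceptable_cas, ask_user):
    """Return the identity to present, or None to send an empty Certificate."""
    candidates = eligible_identities(keystore, acceptable_cas)
    if not candidates:
        return None  # nothing solicited: present no certificate at all
    # Disclosure is the user's decision; ask_user may return None to decline.
    return ask_user(candidates)

# Constructed sample data, not taken from the report.
PERSONAL = Identity("personal", ("CN=Example Consumer CA, O=Example Provider",))
CORP = Identity("corp", ("CN=Example Issuing CA, O=Example Corp",
                         "CN=Example Root CA, O=Example Corp"))
SERVER_CAS = ["cn=example root ca,o=example corp"]

if __name__ == "__main__":
    pick_first = lambda candidates: candidates[0]
    print(choose_identity([PERSONAL], SERVER_CAS, pick_first))
    print(choose_identity([PERSONAL, CORP], SERVER_CAS, pick_first))
```

With only the unrelated personal identity in the keystore the function returns `None`, so the handshake proceeds with an empty certificate message and the server, not the client, decides whether to allow access.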