PacketFence - BTS - PacketFence
View Issue Details
ID: 0001329
Project: PacketFence
Category: upstream
View Status: public
Date Submitted: 2011-11-07 16:04
Last Update: 2012-10-19 11:29
Reporter: fgaudreault
Priority: high
Severity: major
Reproducibility: random
Status: resolved
Resolution: open
Target Version: 3.6.0
git revision: 927ea1da396e158bba00aca5645c5f86b3acd775
0001329: Mac OS X 10.7+ and SSL captive portal
Some users are reporting problems with SSL captive portal access with Lion 10.7.2. It appears to be a problem with OCSP (Online Certificate Status Protocol) and CRL (revocation list). In 10.7.2, there is a security patch for Captive Portal Hijacking, and it appears to cause issues.

See:
http://superuser.com/questions/349740/mac-os-x-lion-10-7-2-update-breaks-ssl
http://forums.macrumors.com/showthread.php?t=1251971
Even after disabling OCSP and CRL in Keychain, users are reporting that it does not fix the problem.

We will evaluate what we can do on our side (i.e. give access to OCSP servers while in registration).
No tags attached.
Issue History
2011-11-07 16:04 | fgaudreault | New Issue
2011-11-07 16:04 | fgaudreault | Description Updated
2011-11-07 16:49 | fgaudreault | Note Added: 0002427
2011-11-07 16:53 | fgaudreault | Note Edited: 0002427
2011-11-11 17:03 | fgaudreault | Note Added: 0002440
2012-08-27 15:47 | obilodeau | Note Added: 0002972
2012-08-27 15:50 | obilodeau | Priority: normal => high
2012-08-27 15:50 | obilodeau | Target Version: => +1
2012-08-28 08:44 | obilodeau | Summary: Mac OSX Lion and SSL captive portal => Mac OS X 10.7+ and SSL captive portal
2012-08-28 08:45 | fgaudreault | Note Added: 0002973
2012-09-13 11:01 | fgaudreault | Note Added: 0003061
2012-09-13 11:41 | fgaudreault | Note Added: 0003063
2012-09-13 12:11 | fgaudreault | Note Added: 0003064
2012-09-13 12:11 | fgaudreault | git revision: => 927ea1da396e158bba00aca5645c5f86b3acd775
2012-09-13 12:14 | fgaudreault | Note Added: 0003065
2012-10-19 11:29 | fgaudreault | Status: new => resolved
2012-10-19 11:29 | fgaudreault | Target Version: general => 3.6.0
2012-10-19 11:29 | fgaudreault | Note Added: 0003132

Notes
(0002427) fgaudreault, 2011-11-07 16:49 (edited on: 2011-11-07 16:53)
Bug opened at Apple:
#10407994

Track using openradar:
rdar://10407994

(0002440) fgaudreault, 2011-11-11 17:03
This is a dupe of #8510566. I cannot go and check the ticket backlog since Apple bug reporter is down :S
(0002972) obilodeau, 2012-08-27 15:47
I've just been bitten by this on a customer with a GoDaddy cert. The browser tries for a long time to fetch the OCSP stuff, resulting in a bad user experience.

Sample access_logs:

10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
...


Worked around it by adding:

[trapping]
passthrough=proxy
...

[passthroughs]
cert_ocsp=http://certificates.godaddy.com/repository/gd_intermediate.crt
cert_ocsp_ssl=https://certificates.godaddy.com/repository/gd_intermediate.crt
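Added example (not PacketFence code and not part of this note): a small Python script that parses access_log lines in the format shown above, flags clients whose ocspd is being bounced to the portal with 307 in a loop, and renders the [trapping]/[passthroughs] workaround block. The sample log lines are constructed; the GoDaddy host and path are the ones from the workaround above, and the hostname itself has to come from the certificate's AIA/CRL extensions because the log only records the request path.

```python
import re
from collections import defaultdict

# Apache combined log format, as in the access_log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_revocation_loops(lines, threshold=3):
    """Return {client_ip: {path: hits}} for requests from the Mac OS X revocation
    checker (User-Agent ocspd/...) that the portal answered with a 307 redirect
    at least `threshold` times for the same path. Those clients are stuck:
    ocspd never follows the redirect to the portal page, so the user sees a hang."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "307" and rec["ua"].startswith("ocspd/"):
            hits[rec["ip"]][rec["path"]] += 1
    return {ip: {p: n for p, n in paths.items() if n >= threshold}
            for ip, paths in hits.items()
            if any(n >= threshold for n in paths.values())}

def passthrough_config(entries):
    """Render the [trapping]/[passthroughs] block from the workaround above.
    `entries` maps a passthrough name to the host/path clients must reach
    directly (host taken from the cert's AIA or CRL distribution point)."""
    out = ["[trapping]", "passthrough=proxy", "", "[passthroughs]"]
    for name, target in entries.items():
        out.append(f"{name}=http://{target}")
        out.append(f"{name}_ssl=https://{target}")
    return "\n".join(out)

# Constructed sample: three stuck ocspd requests plus unrelated traffic.
OCSPD = ('10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] '
         '"GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"')
SAMPLE_LOG = [
    OCSPD, OCSPD, OCSPD,
    '10.10.0.103 - - [27/Aug/2012:09:47:10 -0400] "GET /captive-portal HTTP/1.1" '
    '200 4120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2)"',
    # Passthrough already working for this client: 200, not 307, so not flagged.
    '10.10.0.7 - - [27/Aug/2012:09:48:00 -0400] '
    '"GET /repository/gd_intermediate.crt HTTP/1.1" 200 1200 "-" "ocspd/1.0"',
]

if __name__ == "__main__":
    print(find_revocation_loops(SAMPLE_LOG))
    print(passthrough_config({"cert_ocsp": "certificates.godaddy.com/repository/gd_intermediate.crt"}))
```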
(0002973) fgaudreault, 2012-08-28 08:45
FYI, there is also a FAQ for that:
http://www.packetfence.org/support/faqs/article/ocsp-issues-on-mac-osx-while-in-registration.html?no_cache=1&cHash=53e9592aba14abe6e9e0ea1c5de40e67
(0003061) fgaudreault, 2012-09-13 11:01
What should we do here? The bug is supposed to be fixed in > 10.7.2 and 10.8, and there is a FAQ to mitigate. I guess we can close it?
(0003063) fgaudreault, 2012-09-13 11:41
To be added by default (From Rich Graves mailing list post):

[trapping]
passthrough=proxy

[passthroughs]
crlthawte=http://crl.thawte.com
ocspthawte=http://ocsp.thawte.com
crlcomodo=http://crl.comodoca.com
ocspcomodo=http://ocsp.comodoca.com
crlincommon=http://crl.incommon.org
ocpincommon=http://ocsp.incommon.org
crlusertrust=http://crl.usertrust.com
ocspusertrust=http://ocsp.usertrust.com
msrcl=http://mscrl.microsoft.com
crlms=http://crl.microsoft.com
ocspapple=http://ocsp.apple.com
crlgeotrust=http://crl.geotrust.com
ocspdigicert=http://ocsp.digicert.com
ocspentrust=http://ocsp.digicert.com
svrintlver=http://svrintl-crl.verisign.com
ocspverisign=http://ocsp.verisign.com
(0003064) fgaudreault, 2012-09-13 12:11
Basic list committed in 927ea1da396e158bba00aca5645c5f86b3acd775. Added a new ocsp-crl.conf in the http.conf.d folder.
(0003065) fgaudreault, 2012-09-13 12:14
Mozilla provides a good list here:
http://www.mozilla.org/projects/security/certs/included/
(0003132) fgaudreault, 2012-10-19 11:29
Re-open if this is still an issue.