PacketFence - BTS - PacketFence |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0001329 | PacketFence | upstream | public | 2011-11-07 16:04 | 2012-10-19 11:29 |
|
Reporter | fgaudreault | |
Assigned To | | |
Priority | high | Severity | major | Reproducibility | random |
Status | resolved | Resolution | open | |
Platform | | OS | | OS Version | |
Product Version | | |
Target Version | 3.6.0 | Fixed in Version | | |
fixed in git revision | 927ea1da396e158bba00aca5645c5f86b3acd775 |
fixed in mtn revision | |
|
Summary | 0001329: Mac OS X 10.7+ and SSL captive portal |
Description | Some users are reporting problems with SSL captive portal access with Lion 10.7.2. It appears to be a problem with OCSP (Online Certificate Status Protocol) and CRL (revocation list). In 10.7.2, there is a security patch for Captive Portal Hijacking, and it appears to cause issues.
See:
http://superuser.com/questions/349740/mac-os-x-lion-10-7-2-update-breaks-ssl
http://forums.macrumors.com/showthread.php?t=1251971 |
Steps To Reproduce | |
Additional Information | Even by disabling the OCSP and CRL in keychain, users are reporting it is not fixing the problem.
We will evaluate what we can do on our side (i.e. give access to OCSP servers while in registration) |
Tags | No tags attached. |
Relationships | |
Attached Files | |
|
Issue History |
Date Modified | Username | Field | Change |
2011-11-07 16:04 | fgaudreault | New Issue | |
2011-11-07 16:04 | fgaudreault | Description Updated | |
2011-11-07 16:49 | fgaudreault | Note Added: 0002427 | |
2011-11-07 16:53 | fgaudreault | Note Edited: 0002427 | |
2011-11-11 17:03 | fgaudreault | Note Added: 0002440 | |
2012-08-27 15:47 | obilodeau | Note Added: 0002972 | |
2012-08-27 15:50 | obilodeau | Priority | normal => high |
2012-08-27 15:50 | obilodeau | Target Version | => +1 |
2012-08-28 08:44 | obilodeau | Summary | Mac OSX Lion and SSL captive portal => Mac OS X 10.7+ and SSL captive portal |
2012-08-28 08:45 | fgaudreault | Note Added: 0002973 | |
2012-09-13 11:01 | fgaudreault | Note Added: 0003061 | |
2012-09-13 11:41 | fgaudreault | Note Added: 0003063 | |
2012-09-13 12:11 | fgaudreault | Note Added: 0003064 | |
2012-09-13 12:11 | fgaudreault | git revision | => 927ea1da396e158bba00aca5645c5f86b3acd775 |
2012-09-13 12:14 | fgaudreault | Note Added: 0003065 | |
2012-10-19 11:29 | fgaudreault | Status | new => resolved |
2012-10-19 11:29 | fgaudreault | Target Version | general => 3.6.0 |
2012-10-19 11:29 | fgaudreault | Note Added: 0003132 | |
Notes |
|
(0002427)
|
fgaudreault
|
2011-11-07 16:49
(edited on: 2011-11-07 16:53) |
|
|
|
(0002440)
|
fgaudreault
|
2011-11-11 17:03
|
|
This is a dupe of #8510566. I cannot go and check the ticket backlog since Apple bug reporter is down :S |
|
(0002972)
|
obilodeau
|
2012-08-27 15:47
|
|
I've just been bitten by this on a customer with a GoDaddy cert. Browser tries for a long time to fetch the OCSP stuff resulting in bad user experience.
Sample access_logs:
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
...
Worked around it by adding:
[trapping]
passthrough=proxy
...
[passthroughs]
cert_ocsp=http://certificates.godaddy.com/repository/gd_intermediate.crt
cert_ocsp_ssl=https://certificates.godaddy.com/repository/gd_intermediate.crt |
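The access_log excerpt in the note above is the signature of a client whose certificate-validation daemon is being redirected by the captive portal instead of reaching the CA: the same client hits the same intermediate-certificate path over and over and gets a 307 each time. The following script, added here as an example and not part of PacketFence or of the note, parses Apache combined-format lines like those above and reports (client, path) pairs that received repeated 3xx answers to certificate fetches, which is exactly the evidence an operator needs before deciding which URL to add under `[passthroughs]`. The log lines inside it are constructed for the example (based on the format of the note's excerpt), and the `Microsoft-CryptoAPI/` user-agent prefix and the path hints beyond `.crt` are assumptions added for illustration.

```python
"""Detect OCSP/CRL/intermediate-certificate fetches that a captive portal is
redirecting, from Apache combined-format access_log lines. Example code, not
part of PacketFence."""
import re
from collections import defaultdict

# Apache "combined" log format, as used in the access_log excerpt of the note.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent prefixes of certificate validation daemons. "ocspd/" is the one
# seen in the note (macOS); "Microsoft-CryptoAPI/" is an assumption for illustration.
CERT_AGENTS = ("ocspd/", "Microsoft-CryptoAPI/")
# Path fragments typical of chain and revocation fetches (assumed list).
CERT_PATH_HINTS = (".crt", ".cer", ".crl", ".p7c", "/ocsp")

# Constructed sample log: one client stuck in the redirect loop (.103), one
# ordinary browser being redirected to the portal (.104), one client with a
# single redirected fetch (.105), and one line that is not a log line at all.
SAMPLE_LOG = """\
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:07 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:07 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.104 - - [27/Aug/2012:09:48:01 -0400] "GET /captive-portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.0.104 - - [27/Aug/2012:09:48:02 -0400] "GET /index.html HTTP/1.1" 307 330 "-" "Mozilla/5.0"
10.10.0.105 - - [27/Aug/2012:09:49:00 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
this line is not a log line
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_cert_fetch(rec):
    """True when the request looks like a certificate-chain or revocation fetch."""
    path = rec["path"].lower()
    return rec["ua"].startswith(CERT_AGENTS) or any(h in path for h in CERT_PATH_HINTS)


def find_redirected_cert_fetches(lines, threshold=3):
    """Count 3xx responses to certificate fetches per (client IP, path) and return
    the pairs that reached `threshold`: clients whose validation daemon keeps
    being sent to the portal instead of the CA."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing on them
        if 300 <= rec["status"] < 400 and is_cert_fetch(rec):
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def report(flagged):
    """One human-readable line per flagged (client, path) pair."""
    return [
        f"{ip} fetched {path} and was redirected {n} times: candidate for a passthrough"
        for (ip, path), n in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in report(find_redirected_cert_fetches(SAMPLE_LOG.splitlines())):
        print(line)
```

The script only says which URL path the stuck clients are asking for; the CA host to whitelist has to be read from the certificate chain itself (the AIA and CRL distribution point extensions of the portal certificate), since the combined log format does not record the Host header.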
|
|
(0002973)
|
fgaudreault
|
2012-08-28 08:45
|
|
|
|
(0003061)
|
fgaudreault
|
2012-09-13 11:01
|
|
What should we do here? The bug is supposed to be fixed in > 10.7.2 and 10.8, and there is a FAQ to mitigate. I guess we can close it? |
|
|
(0003063)
|
fgaudreault
|
2012-09-13 11:41
|
|
|
|
(0003064)
|
fgaudreault
|
2012-09-13 12:11
|
|
Basic list committed in 927ea1da396e158bba00aca5645c5f86b3acd775. Added a new ocsp-crl.conf in the http.conf.d folder. |
|
|
(0003065)
|
fgaudreault
|
2012-09-13 12:14
|
|
|
|
(0003132)
|
fgaudreault
|
2012-10-19 11:29
|
|
Re-Open if this is still an issue. |
|