PacketFence
Bug Tracking System

ID: 0001329
Project: PacketFence
Category: upstream
View Status: public
Date Submitted: 2011-11-07 16:04
Last Update: 2012-10-19 11:29
Reporter: fgaudreault
Assigned To:
Priority: high
Severity: major
Reproducibility: random
Status: resolved
Resolution: open
Platform / OS / OS Version:
Product Version:
Target Version: 3.6.0
Fixed in Version:
Summary: 0001329: Mac OS X 10.7+ and SSL captive portal
Description: Some users are reporting problems with SSL captive portal access with Lion 10.7.2. It appears to be a problem with OCSP (Online Certificate Status Protocol) and CRL (revocation list). In 10.7.2, there is a security patch for Captive Portal Hijacking, and it appears to cause issues.

See:
http://superuser.com/questions/349740/mac-os-x-lion-10-7-2-update-breaks-ssl
http://forums.macrumors.com/showthread.php?t=1251971

Additional Information: Even after disabling OCSP and CRL in Keychain, users are reporting that it does not fix the problem.

We will evaluate what we can do on our side (i.e. give access to OCSP servers while in registration).
Tags: No tags attached.
Fixed in git revision: 927ea1da396e158bba00aca5645c5f86b3acd775
Fixed in mtn revision:
Attached Files:

Relationships

Notes
(0002427)
fgaudreault (viewer)
2011-11-07 16:49
edited on: 2011-11-07 16:53

Bug opened at Apple :
#10407994

Track using openradar:
rdar://10407994

(0002440)
fgaudreault (viewer)
2011-11-11 17:03

This is a dupe of #8510566. I cannot go and check the ticket backlog since Apple bug reporter is down :S
(0002972)
obilodeau (reporter)
2012-08-27 15:47

I've just been bitten by this on a customer with a GoDaddy cert. Browser tries for a long time to fetch the OCSP stuff resulting in bad user experience.

Sample access_logs:

10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
...

Worked around it by adding:

[trapping]
passthrough=proxy
...

[passthroughs]
cert_ocsp=http://certificates.godaddy.com/repository/gd_intermediate.crt
cert_ocsp_ssl=https://certificates.godaddy.com/repository/gd_intermediate.crt
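Detection logic for the symptom in the access_log excerpt above, written as an added example (not PacketFence code): it parses Apache combined-format lines, keeps requests from the ocspd user agent that the portal answered with a redirect instead of the requested object, and flags clients that keep retrying them. The sample lines are constructed; the retry threshold and the user-agent prefix list are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the access_log excerpt above.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# "ocspd/1.0" is the Mac OS X revocation checker seen in the excerpt above.
# Keeping this a tuple lets other OS checkers be added (assumption, not from the page).
REVOCATION_AGENT_PREFIXES = ("ocspd/",)

# Constructed sample lines (not a real deployment): three redirected ocspd fetches,
# one served directly (as it would be once the passthrough is in place), and one
# ordinary browser hit that must be ignored.
SAMPLE_LOG = """\
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:06 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:07 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 307 330 "-" "ocspd/1.0"
10.10.0.104 - - [27/Aug/2012:09:47:08 -0400] "GET /repository/gd_intermediate.crt HTTP/1.1" 200 1204 "-" "ocspd/1.0"
10.10.0.103 - - [27/Aug/2012:09:47:09 -0400] "GET /captive-portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
"""

def parse_line(line):
    """Split one access_log line into fields; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_trapped_revocation_checks(lines, threshold=3):
    """Return {client_ip: {path: count}} for clients whose OCSP/CRL fetcher hit
    the portal at least `threshold` times and got a redirect (3xx) instead of
    the requested object. Repeated redirected ocspd requests are the signature
    of a Mac stuck in registration, as in the excerpt above."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["ua"].startswith(REVOCATION_AGENT_PREFIXES):
            continue
        if not rec["status"].startswith("3"):
            continue  # served directly: the passthrough is doing its job
        hits[rec["client"]][rec["path"]] += 1
    return {c: dict(p) for c, p in hits.items() if sum(p.values()) >= threshold}

if __name__ == "__main__":
    for client, paths in find_trapped_revocation_checks(SAMPLE_LOG.splitlines()).items():
        for path, n in paths.items():
            print(f"{client}: {n} redirected revocation fetches for {path}")
```

Run it against a real access_log with `find_trapped_revocation_checks(open(path))`; each flagged path points at a host that belongs in [passthroughs].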
(0002973)
fgaudreault (viewer)
2012-08-28 08:45

FYI, there is also a FAQ for that:
http://www.packetfence.org/support/faqs/article/ocsp-issues-on-mac-osx-while-in-registration.html?no_cache=1&cHash=53e9592aba14abe6e9e0ea1c5de40e67
(0003061)
fgaudreault (viewer)
2012-09-13 11:01

What should we do here? The bug is supposed to be fixed in > 10.7.2 and 10.8, and there is a FAQ to mitigate. I guess we can close it?
(0003063)
fgaudreault (viewer)
2012-09-13 11:41

To be added by default (From Rich Graves mailing list post):

[trapping]
passthrough=proxy

[passthroughs]
crlthawte=http://crl.thawte.com
ocspthawte=http://ocsp.thawte.com
crlcomodo=http://crl.comodoca.com
ocspcomodo=http://ocsp.comodoca.com
crlincommon=http://crl.incommon.org
ocpincommon=http://ocsp.incommon.org
crlusertrust=http://crl.usertrust.com
ocspusertrust=http://ocsp.usertrust.com
msrcl=http://mscrl.microsoft.com
crlms=http://crl.microsoft.com
ocspapple=http://ocsp.apple.com
crlgeotrust=http://crl.geotrust.com
ocspdigicert=http://ocsp.digicert.com
ocspentrust=http://ocsp.digicert.com
svrintlver=http://svrintl-crl.verisign.com
ocspverisign=http://ocsp.verisign.com
(0003064)
fgaudreault (viewer)
2012-09-13 12:11

Basic list committed in 927ea1da396e158bba00aca5645c5f86b3acd775. Added a new ocsp-crl.conf in the http.conf.d folder.
(0003065)
fgaudreault (viewer)
2012-09-13 12:14

Mozilla provides a good list here:
http://www.mozilla.org/projects/security/certs/included/
(0003132)
fgaudreault (viewer)
2012-10-19 11:29

Re-Open if this is still an issue.

Issue History
Date Modified Username Field Change
2011-11-07 16:04 fgaudreault New Issue
2011-11-07 16:04 fgaudreault Description Updated
2011-11-07 16:49 fgaudreault Note Added: 0002427
2011-11-07 16:53 fgaudreault Note Edited: 0002427
2011-11-11 17:03 fgaudreault Note Added: 0002440
2012-08-27 15:47 obilodeau Note Added: 0002972
2012-08-27 15:50 obilodeau Priority normal => high
2012-08-27 15:50 obilodeau Target Version => +1
2012-08-28 08:44 obilodeau Summary Mac OSX Lion and SSL captive portal => Mac OS X 10.7+ and SSL captive portal
2012-08-28 08:45 fgaudreault Note Added: 0002973
2012-09-13 11:01 fgaudreault Note Added: 0003061
2012-09-13 11:41 fgaudreault Note Added: 0003063
2012-09-13 12:11 fgaudreault Note Added: 0003064
2012-09-13 12:11 fgaudreault git revision => 927ea1da396e158bba00aca5645c5f86b3acd775
2012-09-13 12:14 fgaudreault Note Added: 0003065
2012-10-19 11:29 fgaudreault Status new => resolved
2012-10-19 11:29 fgaudreault Target Version general => 3.6.0
2012-10-19 11:29 fgaudreault Note Added: 0003132

