[Cyberduck-trac] [Cyberduck] #8775: Previously added VeriSign intermediate certificates in Keychain causing trust errors

Cyberduck trac at trac.cyberduck.io
Tue May 5 09:41:11 UTC 2015


#8775: Previously added VeriSign intermediate certificates in Keychain causing
trust errors
--------------------------+------------------------
 Reporter:  Nelson Minar  |         Owner:  dkocher
     Type:  defect        |        Status:  new
 Priority:  normal        |     Milestone:
Component:  s3            |       Version:  4.7
 Severity:  normal        |    Resolution:
 Keywords:                |  Architecture:
 Platform:                |
--------------------------+------------------------
Description changed by dkocher:

Old description:

> Prior to version 4.7, Cyberduck had code where it wrote some SSL
> certificates to the user login keychain. This behavior is documented in
> ticket #8741 and the code was changed to no longer do that.
>
> However, the certificates old versions of Cyberduck wrote to the Keychain
> are now causing fairly serious problems with MacOS. Affected Macs can no
> longer verify Verisign-signed SSL certs in any application. Symptoms are
> the App Store refuses to load, MacOS software updates won't get
> installed, Chrome refuses to load websites and Safari throws errors. It's
> pretty bad. The problem seems to be triggered by Mavericks security
> update 2015-004 (released last week).
>
> The fix is pretty simple: manually delete the spurious entries in the
> login keychain (so that the system entries are used instead). But users
> aren't going to figure that out on their own. There's no indication to
> the user there's a problem with their keychain or that Cyberduck was the
> app that created the problematic entry. I only figured it out thanks to
> some lucky timing and a message on the system console.
>
> While Cyberduck 4.7 no longer causes the problem, anyone who used an
> older version of Cyberduck still has a broken Mac. Could Cyberduck do
> something to notify affected users? Maybe a new version of Cyberduck that
> checks for the bad entries and warns the user, pointing them to a help
> page?
>
> It'd also be nice to figure out exactly what entries Cyberduck might have
> written. For me and a bunch of other users it's two Verisign certs, one
> named "VeriSign Class 3 Public Primary Certification Authority – G5".
> They seem to have come from Amazon S3.
>
> Some references:
>
>  * http://apple.stackexchange.com/questions/180570/invalid-certificate-after-security-update-2015-004-in-mavericks
>  * https://discussions.apple.com/thread/6984765
>  * https://trac.cyberduck.io/ticket/8741
>  * https://nelsonslog.wordpress.com/2015/04/25/mavericks-security-update-2015-004-has-a-serious-ssl-bug/

New description:

 Prior to version 4.7, Cyberduck had code where it wrote some SSL
 certificates to the user login keychain. This behavior is documented in
 ticket #8741 and the code was changed to no longer do that.

 However, the certificates old versions of Cyberduck wrote to the Keychain
 are now causing fairly serious problems with MacOS. Affected Macs can no
 longer verify Verisign-signed SSL certs in any application. Symptoms are
 the App Store refuses to load, MacOS software updates won't get installed,
 Chrome refuses to load websites and Safari throws errors. It's pretty bad.
 The problem seems to be triggered by Mavericks security update 2015-004
 (released last week).

 The fix is pretty simple: manually delete the spurious entries in the
 login keychain (so that the system entries are used instead). But users
 aren't going to figure that out on their own. There's no indication to the
 user there's a problem with their keychain or that Cyberduck was the app
 that created the problematic entry. I only figured it out thanks to some
 lucky timing and a message on the system console.

 While Cyberduck 4.7 no longer causes the problem, anyone who used an older
 version of Cyberduck still has a broken Mac. Could Cyberduck do something
 to notify affected users? Maybe a new version of Cyberduck that checks for
 the bad entries and warns the user, pointing them to a help page?

 It'd also be nice to figure out exactly what entries Cyberduck might have
 written. For me and a bunch of other users it's two Verisign certs, one
 named "VeriSign Class 3 Public Primary Certification Authority – G5". They
 seem to have come from Amazon S3.

 Some references:

  * http://apple.stackexchange.com/questions/180570/invalid-certificate-after-security-update-2015-004-in-mavericks
  * https://discussions.apple.com/thread/6984765
  * #8741
  * https://nelsonslog.wordpress.com/2015/04/25/mavericks-security-update-2015-004-has-a-serious-ssl-bug/

--

-- 
Ticket URL: <https://trac.cyberduck.io/ticket/8775#comment:2>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
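The cleanup the ticket describes (delete the stray CA copies from the login keychain so the copy in the system trust store is used instead) can be scripted with the macOS `security` tool. The script below is an added example for this ticket, not Cyberduck's own code or anything shipped in 4.7. It assumes the default login keychain path, uses the certificate's real subject name (the name contains a plain ASCII hyphen before "G5", unlike the dash in the ticket text), and only deletes an entry whose SHA-1 fingerprint also appears in the System Roots keychain, so a certificate that exists nowhere else is left alone. The sample `find-certificate` output at the bottom is constructed for illustration and its hash value is a placeholder, not the certificate's real fingerprint.

```shell
#!/bin/sh
# Added example, not part of Cyberduck. Detect and remove copies of the
# VeriSign G5 root that an old Cyberduck wrote into the login keychain.
# Usage:  sh fix_keychain.sh --check   (list stray entries)
#         sh fix_keychain.sh --fix     (delete them)

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain"
SYSTEM_ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"
# Subject as stored in the real certificate: ASCII hyphen before G5.
CERT_NAME="VeriSign Class 3 Public Primary Certification Authority - G5"

# Pull the SHA-1 fingerprints out of `security find-certificate -Z` output
# (one "SHA-1 hash: <40 hex>" line per matching certificate). Reading stdin
# keeps this step testable on a machine without the `security` tool.
stray_hashes() {
    sed -n 's/^SHA-1 hash: \([0-9A-Fa-f]\{40\}\).*/\1/p'
}

# Exit 0 if the given output contains at least one matching certificate.
needs_cleanup() {
    [ -n "$(stray_hashes)" ]
}

# Fingerprints of the G5 root in the user's login keychain.
find_stray() {
    security find-certificate -a -c "$CERT_NAME" -Z "$LOGIN_KEYCHAIN" 2>/dev/null \
        | stray_hashes
}

# Exit 0 if the same certificate (by fingerprint) is in the system roots,
# i.e. deleting the login-keychain copy cannot remove trust, only the
# shadowing entry that breaks path validation.
in_system_roots() {
    security find-certificate -a -c "$CERT_NAME" -Z "$SYSTEM_ROOTS" 2>/dev/null \
        | stray_hashes | grep -qi "^$1\$"
}

remove_stray() {
    find_stray | while read -r hash; do
        if in_system_roots "$hash"; then
            echo "deleting $hash from $LOGIN_KEYCHAIN"
            security delete-certificate -Z "$hash" "$LOGIN_KEYCHAIN"
        else
            echo "keeping $hash: no matching entry in $SYSTEM_ROOTS" >&2
        fi
    done
}

# Constructed sample of `security find-certificate -Z` output. The hash is a
# placeholder, not the real fingerprint of the G5 certificate.
SAMPLE_OUTPUT='SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Users/nelson/Library/Keychains/login.keychain"
version: 256
class: 0x80001000
attributes:
    "labl"<blob>="VeriSign Class 3 Public Primary Certification Authority - G5"
'

case "${1:-}" in
    --check) find_stray ;;
    --fix)   remove_stray ;;
esac
```

Run it with `--check` first; an empty listing means the login keychain has no copy and the "invalid certificate" errors have another cause. Deleting by `-Z` fingerprint rather than by `-c` name avoids removing a different certificate that happens to carry the same label.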
