
#8741 closed defect (fixed)

VeriSign Intermediate CA causing issues

Reported by: chesteap
Owned by: dkocher
Priority: normal
Milestone: 4.7
Component: s3
Version: 4.6.5
Severity: normal
Keywords:
Cc:
Architecture:
Platform: Mac OS X 10.9

Description

When I connect to S3 there is a certificate in the login keychain called 's3.amazonaws.com' and this is signed by the VeriSign G3 CA, which in turn is signed by the VeriSign G5 CA.

The problem is that there are two intermediate certificate authority certificates in the login keychain and this is stopping me from accessing web sites signed by VeriSign (e.g. https://getsupport.apple.com) as it says the site's certificate is signed by an untrusted issuer.

If I remove these CAs from the login keychain then I can access the sites signed by VeriSign, but the next time I run CyberDuck and access S3, the two CAs are back in my login keychain.

Do you know how to get the s3 certificate signed by the CAs in the Systems Roots keychain so I do not need the copies in the login keychain?

I have been on to Apple support, but they don't seem to be able to resolve the issue for me.

I am running OSX 10.9.5 with the latest security patches.

Change History (5)

comment:1 Changed on Apr 14, 2015 at 1:15:13 PM by dkocher

  • Milestone set to 4.7
  • Summary changed from VeriSign Intermediate CA causing issues on Mac OSX to VeriSign Intermediate CA causing issues

comment:2 in reply to: ↑ description Changed on Apr 14, 2015 at 1:23:31 PM by dkocher

Replying to chesteap:

Do you know how to get the s3 certificate signed by the CAs in the Systems Roots keychain so I do not need the copies in the login keychain?

It should be possible to drag these CA certificates to the System keychain using Keychain Access.app.

comment:3 Changed on Apr 14, 2015 at 1:25:17 PM by dkocher

During trust evaluation we add the certificate chain retrieved from the server to the login keychain. We will need to evaluate if this is actually required.

comment:4 Changed on Apr 14, 2015 at 1:38:46 PM by dkocher

  • Resolution set to fixed
  • Status changed from new to closed

Fix in r17291.

comment:5 Changed on May 5, 2015 at 9:57:41 AM by dkocher

See also #8775 for a follow up discussion.
