#8775 closed defect (worksforme)

Previously added VeriSign intermediate certificates in Keychain causing trust errors

Reported by: Nelson Minar
Owned by: dkocher
Priority: normal
Milestone: 4.7
Component: s3
Version: 4.7
Severity: normal
Keywords:
Cc:
Architecture:
Platform:

Description (last modified by dkocher)

Prior to version 4.7, Cyberduck had code where it wrote some SSL certificates to the user login keychain. This behavior is documented in ticket #8741 and the code was changed to no longer do that.

However, the certificates old versions of Cyberduck wrote to the Keychain are now causing fairly serious problems with MacOS. Affected Macs can no longer verify Verisign-signed SSL certs in any application. Symptoms are the App Store refuses to load, MacOS software updates won't get installed, Chrome refuses to load websites and Safari throws errors. It's pretty bad. The problem seems to be triggered by Mavericks security update 2015-004 (released last week).

The fix is pretty simple: manually delete the spurious entries in the login keychain (so that the system entries are used instead). But users aren't going to figure that out on their own. There's no indication to the user there's a problem with their keychain or that Cyberduck was the app that created the problematic entry. I only figured it out thanks to some lucky timing and a message on the system console.

While Cyberduck 4.7 no longer causes the problem, anyone who used an older version of Cyberduck still has a broken Mac. Could Cyberduck do something to notify affected users? Maybe a new version of Cyberduck that checks for the bad entries and warns the user, pointing them to a help page?

It'd also be nice to figure out exactly what entries Cyberduck might have written. For me and a bunch of other users it's two Verisign certs, one named "VeriSign Class 3 Public Primary Certification Authority – G5". They seem to have come from Amazon S3.

Some references:

Attachments (1)

Verisign Certificate Chain.png (106.9 KB) - added by dkocher on May 5, 2015 at 9:55:47 AM.

Change History (6)

comment:1 Changed on Apr 30, 2015 at 7:32:34 AM by dkocher

Previously discussed in this AWS forum thread.

comment:2 Changed on May 5, 2015 at 9:41:09 AM by dkocher

  • Description modified (diff)

comment:3 Changed on May 5, 2015 at 9:57:26 AM by dkocher

I tried to replicate this issue by looking at the certificate chain from s3.amazonaws.com, and it looks like all intermediate certificates are now currently signed with 2048 bits. Therefore, even when these get added to the login.keychain by versions prior to 4.7, this will no longer cause trouble.

Users affected by this issue are advised to remove the weak intermediate certificates from their login keychain.
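
An added example, not part of the ticket or of Cyberduck: one way to find the entries the description and comment 3 say to remove. It filters the text printed by macOS's `security find-certificate -a -Z` for VeriSign-labelled certificates; the function names, the sample listing and its hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Cyberduck code): list VeriSign-labelled certificates in a
# keychain listing so they can be reviewed by hand before anything is deleted.
#
# Input : text printed by `security find-certificate -a -Z <keychain>`
# Output: one line per match, "<SHA-1 hash><TAB><label>"
flag_verisign_entries() {
    awk '
        /^SHA-1 hash: / { hash = $3 }            # start of a new certificate record
        /^ *"labl"<blob>="/ {
            label = $0
            sub(/^ *"labl"<blob>="/, "", label)  # strip the attribute prefix
            sub(/"[ \t]*$/, "", label)           # strip the closing quote
            if (index(tolower(label), "verisign") > 0)
                printf "%s\t%s\n", hash, label
        }
    '
}

# Constructed sample in the format printed by `security find-certificate -a -Z`.
# The hashes and the second entry are made up.
sample_listing() {
    cat <<'EOF'
SHA-1 hash: 00000000000000000000000000000000000000A1
keychain: "/Users/example/Library/Keychains/login.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="VeriSign Class 3 Public Primary Certification Authority - G5"
    "labl"<blob>="VeriSign Class 3 Public Primary Certification Authority - G5"
SHA-1 hash: 00000000000000000000000000000000000000B2
keychain: "/Users/example/Library/Keychains/login.keychain"
class: 0x80001000
attributes:
    "labl"<blob>="Example Personal Certificate"
EOF
}

# On a Mac, audit the real login keychain; elsewhere, run the constructed sample.
if command -v security >/dev/null 2>&1; then
    security find-certificate -a -Z "$HOME/Library/Keychains/login.keychain" \
        | flag_verisign_entries
else
    sample_listing | flag_verisign_entries
fi
```

Any line it prints names a certificate stored in the user's login keychain rather than the system keychains; compare it with the system copy in Keychain Access before removing it.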

comment:4 Changed on May 5, 2015 at 9:57:57 AM by dkocher

  • Milestone set to 4.8
  • Resolution set to worksforme
  • Status changed from new to closed

comment:5 Changed on Aug 24, 2015 at 8:35:38 AM by dkocher

  • Milestone changed from 4.7.1 to 4.7

Duplicate of #8741.