Safari won't recognize ISP certificate - Mac Applications & Software

  1. #1

    Safari won't recognize ISP certificate

    I switched from Netscape 7 to Safari when I moved to OSX. It sees a
    number of sites that gave me trouble on Netscape, but the tradeoff is
    that it won't give me access to my ISP's web-based email service. I
    think this is a problem related to something called self-assigned
    certificates, which Safari rejects.
    I read about a workaround on one of Apple's forums but it was
    highly technical and some people in the forum recommended against it. Am
    I stuck with this? Right now, I have to boot Netscape to get access to
    the web site.

    --
    ca
    dotlyc Guest

  2. #2

    Re: Safari won't recognize ISP certificate

    In article <VOc2b.2406$bellglobal.com>,
    dotlyc <ca> wrote:
     

    I don't know what the workaround you read was, but the one I've been
    using is to enable Safari's "debug" menu. You just quit Safari and do
    this at the command line:

    defaults write com.apple.Safari IncludeDebugMenu 1

    ...and then run Safari again. There'll be a new menu called "Debug"
    which has some security options at the bottom. Using these options
    should take care of the problem.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/
    Tom Guest

  3. #3

    Re: Safari won't recognize ISP certificate

    In article <bidkr3$7u9cc$news.uni-berlin.de>,
    Dave Hinz <net> wrote:
     
    >
    > I'm using self-signed certs on several of our company's support sites,
    > and it works fine. Have you upgraded your safari lately? Just
    > pops up a warning, I say "Yeah, go ahead".

    Hmm. I get the warning too, but when I click the "continue" button,
    it just pops up again and again until I quit.
    Did you do something with the debug menu, as recommended by Tom
    Harrington?
    I have Safari 1.0 (v85) which I just downloaded about a week or so
    ago when I first started using OSX. I'll check to see if there's a newer
    version.

    --
    ca
    dotlyc Guest

  4. #4

    Re: Safari won't recognize ISP certificate

    In article <Dxr2b.760$bellglobal.com>,
    dotlyc <ca> wrote:
     
    > >
    > > I don't know what the workaround you read was, but the one I've been
    > > using is to enable Safari's "debug" menu.
    >
    > Yes, I think that's what was being recommended, although you've
    > described it much more succinctly than the reports I read. As I said,
    > there were other people on the forum who recommended against doing this
    > because they said it reduces security on Safari. I suppose, since
    > Netscape was giving these things a pass, it was no safer.

    Well, yeah. What it comes down to is that Safari is stricter about what
    it'll accept, from a security standpoint. But you can cause it to be
    less strict if you find this inconvenient.

    The deal with self-assigned security certificates is as follows:

    When you visit a secure web site, two things are supposed to happen to
    make it secure. One is that data is encrypted between you and the
    server. This works the same, regardless of browser or whether you alter
    Safari's settings.

    The other is that their security certificate validates that they
    actually are who they claim to be, i.e. that the site you're visiting is
    not someone else impersonating the site you thought you were visiting.
    This is managed by requiring people who want such certificates to get
    one from a trusted source-- so essentially the trusted source promises
    you that you're talking to the right person. But that costs money, and
    certificates expire, so some people may choose to "self-sign" it, which
    basically means _they_ promise you that they are who they claim to be.
    But they could be an impersonator with a forged certificate, you have no
    way to be certain. So Safari normally refuses to accept these. I
    thought that Netscape's normal behavior was to warn you about this but
    let you continue if you wanted, but I haven't used it in a while.

    Making Safari more lax affects the identity checks, but does not affect
    in-transit encryption.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 1.4: Best cleanup yet, gets files other tools miss.
    See http://www.atomicbird.com/
    Tom Guest

  5. #5

    Re: Safari won't recognize ISP certificate

    On Sun, 24 Aug 2003 18:32:07 -0400, dotlyc <ca> wrote: 

    I'm using self-signed certs on several of our company's support sites,
    and it works fine. Have you upgraded your safari lately? Just
    pops up a warning, I say "Yeah, go ahead".

    Dave Hinz
     
    Dave Guest

  6. #6

    Re: Safari won't recognize ISP certificate

    In article <bidqpb$8brie$news.uni-berlin.de>,
    Dave Hinz <net> wrote:
     

    Well, sir, I salute you. You worked a miracle. I added the
    certificate in IE, switched to Safari and voila -- I can get onto the
    web email site.
    Thanks so much.
    I don't suppose you can tell me *why* this worked. I quit IE before
    firing up Safari again, so why would a preference set in IE affect
    Safari? Or did this change some universal "internet config" file (or
    whatever it's called in OSX)?

    --
    ca
    dotlyc Guest

  7. #7

    Re: Safari won't recognize ISP certificate

    On Mon, 25 Aug 2003 13:33:50 -0400, dotlyc <ca> wrote: 
    >
    > Hmm. I get the warning too, but when I click the "continue" button,
    > it just pops up again and again until I quit.
    > Did you do something with the debug menu, as recommended by Tom
    > Harrington?

    I'm not sure. I know that I re-downloaded it a week or two ago, upgrading
    to v85 as you mention. I don't remember doing anything special to get it
    to work, but I've been doing massive reconfigurations to my in-house network
    in the last week or three, so it's not likely I'd remember any details.
    My home network could be described either as "complicated" or as
    "Freaking insanely complicated", depending on if you're feeling charitable
    or not.
     

    I don't think there is - does it give you an option to "add certificate", or
    am I thinking of a lesser-browser? Actually, fire up IE, tell it to add
    the cert, and see if that fixes Safari, that might have been it.

    Dave Hinz

    Dave Guest

  8. #8

    Re: Safari won't recognize ISP certificate

    In article <bie1tr$8c6k7$news.uni-berlin.de>,
    Dave Hinz <net> wrote:
     

    Sorry to say this, but I'm back to square one for reasons that
    completely elude me. I had things working in both IE and Safari. Then I
    decided to quit Safari and reboot it without IE running to see what
    happened. Bad move. Safari is now rejecting the site again.
    I went back into IE and reset the certificates again, but this time
    Safari refused to come on board. I tried entering three different URLs
    into IE's "trusted site" certificate window. (I should mention that my
    ISP's email web page appears to be seriously ed up -- it keeps
    reloading pages, redirecting you to other pages and opening new windows,
    all with different URLs. I entered them all as trusted sites, but no go.)
    As a workaround, I can just use IE, which is now accepting the
    site, but I'm really baffled how I got Safari to work once and now no
    more. I'll keep trying to recreate whatever I did the first time.

    --
    ca
    dotlyc Guest

  9. #9

    Re: Safari won't recognize ISP certificate

    On Mon, 25 Aug 2003 16:53:06 -0400, dotlyc <ca> wrote:
     

    As will I, but I can't get Safari to fail in the manner you describe right
    now. Odd. Anyone know if SSL cert handling is in a known-bug for
    Safari?

    Dave Hinz

    Dave Guest

  10. #10

    Re: Safari won't recognize ISP certificate

    On Mon, 25 Aug 2003 23:39:29 -0400, dotlyc <ca> wrote: 
    >
    > This is a head-scratcher. After I sent my last message, I put the
    > machine to sleep for several hours and have just fired it up again. I've
    > changed *nothing* since this afternoon when Safari was not working with
    > the web email site.

    What's your system clock set to? Is it off by, say, 15 minutes?

    Dave "Grasping at plausible straws" Hinz

    Dave Guest

  11. #11

    Re: Safari won't recognize ISP certificate

    In article <bifuhm$8uqr9$news.uni-berlin.de>,
    Dave Hinz <net> wrote:
     
    > >
    > > This is a head-scratcher. After I sent my last message, I put the
    > > machine to sleep for several hours and have just fired it up again. I've
    > > changed *nothing* since this afternoon when Safari was not working with
    > > the web email site.
    >
    > What's your system clock set to? Is it off by, say, 15 minutes?

    No, the clock is fine. I just woke up the iBook for the first time
    since last night and Safari is now spontaneously rejecting the certs
    again. Again, no change to anything since it *was* working. I can only
    conclude that success depends on which side of the bed Safari wakes up
    in.
    IE continues to work and that's fine. I don't need to access this
    web site to get my mail, just to make certain changes to the account and
    I do that rarely. I can fire up IE when I need to do it.
    I was just looking for an OSX workaround because I only have the
    OS9 version of Netscape installed and I didn't want to install the OSX
    version just for this.
    I'll continue to try it out on Safari just for the entertainment
    value. It would be nice to be able to figure out this odd behaviour,
    however.

    --
    ca
    dotlyc Guest

  12. #12

    Re: Safari won't recognize ISP certificate

    In article <260820031142519004%net>,
    Pickles <net> wrote:
     

    Thanks for this information. I'll save it for future reference, but
    for the time being, I'm just going to use IE for the rare times I have
    to access my account through the web site. I don't need it to send and
    receive email, which the Mail app does fine. (In another message, I've
    explained how Safari seems to randomly accept and reject the cert, so
    sometimes I can even use Safari.)
    I'm very new to OSX (less than two weeks in) and I don't feel I
    know what I'm doing well enough to play around with Terminal commands
    just yet.
    Thanks for your help.

    --
    ca
    dotlyc Guest

  13. #13

    Re: Safari won't recognize ISP certificate

    In article <bifuhm$8uqr9$news.uni-berlin.de>,
    Dave Hinz <net> wrote:
     
    > >
    > > This is a head-scratcher. After I sent my last message, I put the
    > > machine to sleep for several hours and have just fired it up again. I've
    > > changed *nothing* since this afternoon when Safari was not working with
    > > the web email site.
    >
    > What's your system clock set to? Is it off by, say, 15 minutes?
    >
    > Dave "Grasping at plausible straws" Hinz
    >

    Okay, I think I've figured out a pattern. Safari is working now --
    after I launched IE. It appears that whatever IE does to make Safari
    work doesn't survive sleep and I have to reboot IE to get Safari back on
    board.
    This kind of defeats the effort, since I might as well use IE if I
    have to launch it anyway. But that's fine -- I have it set to the web
    page by default so it comes up right away.
    You seem to somehow have convinced your system to remember this
    trick through sleep but I can't figure out how to do it.

    --
    ca
    dotlyc Guest

  14. #14

    Re: Safari won't recognize ISP certificate

    I can see 2 main reasons why Safari would reject your ISP's
    certificate. One is that the server name doesn't match the name on the
    certificate. For example, a certificate may be issued to
    "secure.isp.com" but you're trying to get to https://www.isp.com.
    There's nothing you can do about that; Safari will (and should) always
    complain the first time you visit the site. (You should be able to
    have it accept the cert after the first try.)

    The other possibility (probably more likely) is that Safari doesn't
    recognize your ISP's CA, or Certifying Authority, certificate. This
    happens with self-signed certificates, where the ISP doesn't want to
    pay Verisign or some equally evil company lots of money every year just
    to say, "yes, this ISP is who they say they are."

    The problem is that only the big-name CAs (Verisign, Thawte, etc) are
    trusted by your system right out of the box. If you get the CA
    certificate from your ISP, you can add it to OS X as a trusted
    certificate, and then all of the compliant apps (such as Safari and
    Mail) will be able to use it. Here's what you do:

    1. Get a copy of the CA certificate.
    2. Copy the systemwide keychain file with the trusted CA certs into
       your local Keychains dir:
           cp /System/Library/Keychains/X509Anchors ~/Library/Keychains/
    3. Use certtool to import the CA certificate into that file (where
       cacert.pem is the name of the CA certificate in PEM format):
           certtool i cacert.pem k=X509Anchors
    4. Move the new file back to the systemwide library folder, so all
       users can access it:
           sudo mv ~/Library/Keychains/X509Anchors /System/Library/Keychains/

    If the CA certificate only comes in DER format (common if it has a .cer
    extension), add a "d" onto the end of the command in step 3:
        certtool i cacert.cer k=X509Anchors d

    Good luck!

    Pickles Guest
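
Added example, not part of any post in this thread: the two rejection causes described in post #14 (name mismatch, unknown issuer) checked separately, which also shows the split between identity and encryption from post #4. It assumes the openssl command-line tool as a stand-in for the keychain steps; the host names, key and certificate are constructed throwaways.

```shell
#!/bin/sh
# Added example. Host names, key and certificate are constructed throwaways.
# Assumes the openssl command-line tool is installed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/isp-cert.pem"

# Create a self-signed certificate whose subject CN is the host name in $1.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/isp-key.pem" -out "$CERT" 2>/dev/null
}

# Cause 1: does the host name typed in the URL match the certificate?
name_matches() {    # $1 = certificate, $2 = host name from the URL
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Cause 2: does the chain end at a trusted anchor? Without $2 only the
# default trust store is consulted; with $2 that file is added as an
# anchor, which is the role X509Anchors plays in the steps above.
chain_trusted() {   # $1 = certificate, $2 = optional extra anchor file
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# A self-signed certificate names itself as its issuer.
is_self_issued() {  # $1 = certificate
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ]
}

# Report both checks independently: fixing one never fixes the other.
diagnose() {        # $1 = certificate, $2 = host name, $3 = optional anchor
    if name_matches "$1" "$2"; then name=match; else name=mismatch; fi
    if chain_trusted "$1" "$3"; then trust=trusted; else trust=untrusted; fi
    echo "name=$name trust=$trust"
}

make_selfsigned secure.isp.example
# Out of the box: right name, unknown issuer.
diagnose "$CERT" secure.isp.example            # name=match trust=untrusted
# After explicitly trusting the certificate: both checks pass.
diagnose "$CERT" secure.isp.example "$CERT"    # name=match trust=trusted
# Trusting it does not help when the URL uses a different host name.
diagnose "$CERT" www.isp.example "$CERT"       # name=mismatch trust=trusted
```

Before adding a certificate as an anchor, compare its fingerprint with one obtained from the ISP over a separate channel, since an anchor is trusted for every site it signs.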

  15. #15

    Re: Safari won't recognize ISP certificate

    On Tue, 26 Aug 2003 14:25:41 -0400, dotlyc <ca> wrote: 
    (snip) 

    If it was a desktop, I'd say "don't put it to sleep". So, you seem
    to have narrowed it to "Safari doesn't maintain self-signed cert
    acceptance settings through a system sleep", yes? If so, I'll
    see if I can reproduce it, then check the bugs database for Safari and
    report it if it's not already in there.

    Dave Hinz

    Dave Guest

  16. #16

    Re: Safari won't recognize ISP certificate

    In article <bigiov$9av67$news.uni-berlin.de>,
    Dave Hinz <net> wrote:
     
    > (snip) 
    >
    > If it was a desktop, I'd say "don't put it to sleep". So, you seem
    > to have narrowed it to "Safari doesn't maintain self-signed cert
    > acceptance settings through a system sleep", yes? If so, I'll
    > see if I can reproduce it, then check the bugs database for Safari and
    > report it if it's not already in there.

    Well, I have not been able to te a consistent pattern. I
    thought I'd figured out this was a wake-from-sleep issue, but now I
    don't know. Tonight I tried every permutation I could think of and have
    come to the conclusion that whether Safari recognizes the cert is
    completely random.
    Tonight it was off again when I woke the iBook from sleep and no
    matter what I did with IE, Safari would not co-operate. So I started
    doing other web surfing and came back to it about 10 minutes later and
    it was working. I didn't do anything in between related to IE or the
    particular web site.
    Thinking back, I realize this has happened before -- in both
    directions. If this is a bug, it's certainly an inventive one.

    --
    ca
    dotlyc Guest

  17. #17

    Re: Safari won't recognize ISP certificate

    On Wed, 27 Aug 2003 00:07:29 -0400, dotlyc <ca> wrote:
     
     

    OK, let's look outside the browser. Do you connect to the internet
    through a proxy for browsing? Can you bypass that? I wonder if they
    don't have two different proxies or two different webservers for the
    webmail site, one of which is acting differently than the other. If
    things are changing and you're not doing it, then logic would indicate
    that the changes are outside of your control.

    Can you do a "view cert" when it's not working?

    Dave

    Dave Guest

  18. #18

    Re: Safari won't recognize ISP certificate

    On Wed, 27 Aug 2003 18:07:32 -0400, dotlyc <ca> wrote: 

    It'd be in Safari -> preferences -> advanced.
     

    That's probably not it.
     

    Redirects do strange things to https:// sessioning. Can you point
    directly to the site they redirect to, and bypass their band-aid?
     

    Heh. It frustrates me when I see crappy websites, especially
    e-commerce ones. I suppose I'm more sensitive to it because that's
    what I do during the day...but, for example, travelocity.com. What
    day do I want? Not sure, give me a freaking "click here to see a
    calendar" button guys, eh? What is the date of 3 weeks from next
    friday? I don't know either...that sort of thing.
     
    >
    > I don't know how to do this. I can't find anything about
    > certificates under the View menu and the Apple help files were
    > not...well...helpful. If you tell me how to do it, I'll take a look.

    I'm not at my mac right now (OK, I'm logged into it, but remotely, and,
    well, nevermind. Not relevant.)
     

    I've got a friend at Apple who I've been discussing this with, he'll
    enter it into the internal bug database for Safari if I can give him
    a headline and a procedure to reproduce the error. Helping Apple is as
    good a way to spend spare time as any, and better than others
    I could think of. Kind of my open-source "it needs doing" kind of
    background showing, but if Apple is willing to take the feedback, I'm
    glad to give it.

    Dave Hinz



    Dave Guest

  19. #19

    Re: Safari won't recognize ISP certificate

    In article <bijm7g$a24tc$news.uni-berlin.de>,
    Dave Hinz <net> wrote:
     
    >
    > It'd be in Safari -> preferences -> advanced.

    Nothing in any of the boxes. The "Use passive FTP mode" box is
    checked.
     

    Tried it. Didn't work.
     

    Well, I'm willing to lend a hand if it will improve the program,
    but I'm not sure how much more help I can be.
    FWIW, all day today Safari has been entirely consistent -- it
    refused to access the site even once. IE continues to kick up warning
    messages but allows me to get through. I've now entered four different
    URLs in IE's "trusted zone" preferences. The magical transference I saw
    before seems to have abandoned me.
    Perhaps you could suggest to your friend that they should build
    into Safari an accessible GUI option for managing these certificates
    (with warnings, if necessary), as Netscape and IE do. Not everyone is
    comfortable working in the Terminal to jury-rig these things.

    --
    ca
    dotlyc Guest
