Safari prefers an untrusted certificate chain when a trusted certificate chain is available

Originator: J.Robin.Alden
Number: rdar://19092761
Date Originated: 28-Nov-2014
Status: Closed - Duplicate of 18595721
Resolved: Yes
Product: OSX/Safari
Product Version: 10.10.1+
Classification:
Reproducible: Yes
 
Summary:
When an affected Mac receives an S/MIME email signed by a certificate that chains to the "COMODO RSA Certification Authority" root certificate, that root certificate is added to the "login" Keychain. 
(This is because the "COMODO RSA Certification Authority" root certificate is still waiting to be accepted into the Apple Root Certificate Program).
Then, when Safari browses to an HTTPS site whose served certificate chain terminates at the trusted "AddTrust External CA Root" root certificate but which also includes the cross-signed "COMODO RSA Certification Authority" CA certificate, Safari builds the chain that ends at the untrusted self-signed copy of that CA in the "login" Keychain rather than the chain that ends at the trusted AddTrust root, and displays a certificate warning.
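The failure mode above is a path-building problem: because the "COMODO RSA Certification Authority" CA exists both as a cross-signed intermediate (issued by AddTrust External CA Root) and as a self-signed root, a chain builder that stops at the first self-signed certificate it finds ends at the untrusted copy in the login keychain, while one that keeps looking for a path to a trust anchor still reaches AddTrust. The model below is an added illustration, not Safari's or Security.framework's code; certificates are modelled by name only (no signatures are checked), and the intermediate's name "COMODO RSA Domain Validation Secure Server CA" is assumed for illustration, since the report does not name it.

```python
"""Model of certificate path building with a cross-signed CA.

Added illustration, not Apple's code. Certificates are modelled by subject
and issuer name only; no signatures are verified. The leaf and its issuing
intermediate name are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed mini-PKI. "COMODO RSA Certification Authority" appears twice:
# cross-signed by AddTrust External CA Root (sent by the server) and
# self-signed (the root that ends up in the login keychain).
LEAF = Cert("home.comparethemarket.com",
            "COMODO RSA Domain Validation Secure Server CA")  # assumed name
INTERMEDIATE = Cert("COMODO RSA Domain Validation Secure Server CA",
                    "COMODO RSA Certification Authority")
COMODO_CROSS = Cert("COMODO RSA Certification Authority",
                    "AddTrust External CA Root")
COMODO_ROOT = Cert("COMODO RSA Certification Authority",
                   "COMODO RSA Certification Authority")
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root")

SYSTEM_TRUSTED = {ADDTRUST_ROOT}                  # the only trust anchor
SERVER_SENT = [LEAF, INTERMEDIATE, COMODO_CROSS]  # chain from the TLS handshake


def build_paths(leaf, pool):
    """Enumerate every issuer chain from leaf to a self-signed certificate."""
    paths = []

    def walk(path):
        last = path[-1]
        if last.self_signed:
            paths.append(list(path))
            return
        for cand in pool:
            # Both the cross-signed and the self-signed COMODO certs match
            # the intermediate's issuer name; explore both branches.
            if cand.subject == last.issuer and cand not in path:
                walk(path + [cand])

    walk([leaf])
    return paths


def naive_chain(leaf, pool):
    """Models the bug: prefer the shortest path to any self-signed cert,
    regardless of whether that cert is a trust anchor."""
    return min(build_paths(leaf, pool), key=len)


def robust_chain(leaf, pool, trusted):
    """Prefer the shortest path that actually ends at a trust anchor."""
    paths = build_paths(leaf, pool)
    anchored = [p for p in paths if p[-1] in trusted]
    return min(anchored or paths, key=len)


def is_trusted(chain, trusted):
    return chain[-1] in trusted


def evaluate(login_keychain):
    """Return (naive_trusted, robust_trusted) for the given login keychain
    contents, with the server-sent chain and system anchors also available."""
    pool = SERVER_SENT + list(login_keychain) + list(SYSTEM_TRUSTED)
    naive = naive_chain(LEAF, pool)
    robust = robust_chain(LEAF, pool, SYSTEM_TRUSTED)
    return is_trusted(naive, SYSTEM_TRUSTED), is_trusted(robust, SYSTEM_TRUSTED)


if __name__ == "__main__":
    print("clean login keychain:", evaluate(set()))            # (True, True)
    print("COMODO root in login keychain:", evaluate({COMODO_ROOT}))  # (False, True)
```

With an empty login keychain only one path exists and both builders accept the site; once the self-signed COMODO root is present, the shortest-path builder terminates at it and reports the site as untrusted, which is the warning the report describes, while the anchor-seeking builder still finds the longer path through the cross-signed certificate to AddTrust.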

Steps to Reproduce:
1. Receive a signed email that is accompanied by a certificate chain that terminates with the "COMODO RSA Certification Authority" root certificate.
2. Observe that the "COMODO RSA Certification Authority" root certificate has been added to the "login" Keychain.
3. Browse to https://home.comparethemarket.com

Expected Results:
Safari should display the webpage at https://home.comparethemarket.com without showing any certificate warnings.  Then, after clicking the SSL padlock, the trusted certificate chain shown by safari_ok.tiff should be displayed.

Actual Results:
The browser warning shown by safari_warning.tiff is displayed.  Then, after clicking the SSL padlock, the untrusted certificate chain shown by safari_broken.tiff is displayed.

Version:
We didn't see this bug before last week, so we're guessing that it was introduced by OSX 10.10.1.

Notes:
To obtain a free secure email certificate with which to reproduce this problem, go to: 
https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate

This bug definitely occurs if the signed email is sent using Outlook on Windows.  (Other mail clients may attach a different certificate chain to the signed email, in which case this bug might not be triggered).

Configuration:
This bug doesn't occur with a default install of OS X.  But as soon as the "COMODO RSA Certification Authority" root certificate has been added to the "login" Keychain (which happens automatically when that root certificate is encountered in a signed email), the bug occurs consistently.

Comments

With the release of OS X 10.10.4 on or around 31-June-2015, although the underlying problem still seems to occur (i.e. the root is added to the Login keychain), Safari no longer complains about it.

By J.Robin.Alden at Oct. 6, 2016, 12:55 p.m.

Per-client resolution

A Mac computer (client) can be 'fixed' by having the user delete the 'COMODO RSA Certification Authority' root from the 'Login' keychain. To do that:

* Click on the magnifying glass in the upper right hand corner to open up Spotlight search
* In the search field type: keychain access
* Click on Keychain Access
* Click the 'Login' keychain in the list that appears to the top-left
* Find and delete the 'COMODO RSA Certification Authority' from the 'Login' KeyChain

By J.Robin.Alden at May 28, 2015, 5:25 p.m.
