10.9.5 Security Update breaks SSL certificate validation
| Originator: | ilja | ||
| Number: | rdar://20516764 | Date Originated: | 13-Apr-2015 |
| Status: | Open | Resolved: | |
| Product: | OS X | Product Version: | 10.9.5 |
| Classification: | Serious Bug | Reproducible: | YES |
With the April Security Update installed on OS X 10.9.5 (13F1077), the SSL certificate for eBay's API server does no longer validate. The very same certificate validates on 10.9.x w/o that security update installed and on 10.10.3. We have reason to believe that OS X 10.8 is hit by the same bug after installing the security update. As a result, our product - an eBay API client for OS X called GarageSale - no longer works for users running 10.9. Steps to Reproduce: 1. On 10.9.5, install April Security Update 2a. In Safari, go to https://api.ebay.com 2b. In Terminal enter: openssl s_client -connect api.ebay.com:443 -servername api.ebay.com Expected Results: 2a. Safari accepts the SSL certificate for https://api.ebay.com 2b. openssl verifies the SSL certificate as good Actual Results: 2a. Safari complains about an untrusted certificate 2b: openssl quits /w error: Verify return code: 20 (unable to get local issuer certificate) Version: 13F1077 Notes: Configuration: MacBook Pro 15", Mid 2010, 2,66 Ghz Core i7, i GB Ram Attachments:
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!