[Keychain] Add an option to clear the CRL and OCSP certificate caches

| Field | Value |
|---|---|
| Originator | king7532 |
| Number | rdar://30096489 |
| Date Originated | 19-Jan-2017 10:27 AM |
| Status | Open |
| Resolved | |
| Product | macOS |
| Product Version | 10.12.2 |
| Classification | UI/Usability |
| Reproducible | Always |
# Summary:

Safari, Chrome and cURL cannot connect to certain websites because of an invalid SSL certificate chain in the CRL and OCSP caches.

# Steps to Reproduce:

1. Open a URL to a site where the certificate chain is invalid. On my mac, Safari and cURL cannot connect to https://files.pythonhosted.org

```
$ /usr/bin/curl --remote-time --location --user-agent Homebrew/1.1.7 (Macintosh; Intel macOS 10.12.2) curl/7.51.0 --fail https://files.pythonhosted.org/packages/05/25/7b5484aca5d46915493f1fd4ecb63c38c333bd32aa9ad6e19da8d08895ae/docutils-0.13.1.tar.gz -C 0 -o /Users/king/Library/Caches/Homebrew/mpv--docutils-0.13.1.tar.gz.incomplete
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

# Expected Results:

Safari and cURL should be able to connect to the website using the system certificates.
# Actual Results:

curl: (60) SSL certificate problem: Invalid certificate chain

Safari: Can’t connect to website

# Workaround:

Delete the CRL and OCSP caches:

OS X (through 10.11): To delete both the OCSP and CRL cache, in a terminal, enter the following command:

```
sudo rm /var/db/crls/*cache?.db
```

OS X 10.12 Sierra: To delete both the OCSP and CRL cache in OS X 10.12, open a terminal and run the following command:

```
sqlite3 ~/Library/Keychains/*/ocspcache.sqlite3 'DELETE FROM ocsp;'
```

# Solution

Please add a menu option to the Keychain.app (and a command line option) for the user to easily delete the CRL and OCSP certificate caches, so the user does not have to resort to manually deleting files in /var/db/crls and modifying the local keychain using sqlite3. Thank you.
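An added diagnostic, not part of this radar or of Apple's tooling, to run before the workaround above: it compares curl's result with an independent openssl chain check, so that a genuinely invalid or revoked chain is not hidden by clearing the revocation caches. It assumes openssl(1) with a usable CA bundle and the stock macOS curl; the function names and the output classes are my own.

```shell
#!/bin/sh
# Added example, not part of the original radar: before wiping the CRL/OCSP
# caches, check whether the chain verifies with an independent verifier
# (openssl s_client). A chain that openssl also rejects is genuinely bad
# (or revoked), and clearing the cache is not the fix. Assumes openssl(1)
# with a usable CA bundle, and the stock macOS curl(1) using the keychain.

# Read openssl s_client output on stdin and print the numeric verify code
# (0 = chain verified). Prints 99 when no "Verify return code" line exists.
parse_verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo 99
    else
        echo "$code"
    fi
}

# Combine curl's exit status with the openssl verify code:
#   ok             curl connected, nothing to do
#   cache-suspect  curl failed with 60 (certificate problem) but the chain
#                  verifies independently: a stale revocation cache is likely
#   chain-invalid  both verifiers reject the chain: do not clear the cache
#   other-error    curl failed for a reason unrelated to the certificate
diagnose() {
    curl_status="$1"
    verify_code="$2"
    if [ "$curl_status" -eq 0 ]; then
        echo ok
    elif [ "$curl_status" -ne 60 ]; then
        echo other-error
    elif [ "$verify_code" -eq 0 ]; then
        echo cache-suspect
    else
        echo chain-invalid
    fi
}

# Run both checks against HOST (port 443) and print the diagnosis.
check_host() {
    host="$1"
    if curl --silent --show-error --output /dev/null --head "https://$host/"; then
        curl_status=0
    else
        curl_status=$?
    fi
    verify_code=$(openssl s_client -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | parse_verify_code)
    diagnose "$curl_status" "$verify_code"
}

# Usage: check_host files.pythonhosted.org
```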