How to fix SSL errors in Mac OS X browsers

So you know about SSL (or rather TLS) and you prefer things secure, so you request and pay for an officially signed certificate and configure your Apache to use it. The next few days you’re feeling very Kevin Mitnicky, until some nitwit on Twitter trashes you for the ugly error message he sees when trying to visit your supposedly “secure” site. What’s up with that?

Well, chances are that your disgruntled visitor was using a browser you didn’t test on, like Chrome on Mac for example. Because there is a small issue you have to take into account when “doing https”: your certificate is not signed by the CA’s root directly but by an intermediate CA, and TLS expects the server to send that intermediate along with its own certificate (RFC 5246, section 7.4.2: only the root may be left out, because the client is assumed to have it already). If Apache sends just your certificate, the client has to bridge the gap between it and the root itself. Chrome and Safari on Mac validate against OS X’s keychain, which ships the roots but none of the intermediates, so they show the error. Firefox only looked fine because it had already picked up that intermediate from another site using the same CA and cached it; a fresh Firefox profile has no intermediates either and fails the same way.

So it’s tempting to blame Apple for not shipping intermediate certificates in the keychain, but that isn’t their job (and Firefox only appears to do it thanks to that cache), and you can’t ask all your OS X users to add the intermediate certificate by hand either. This has to be solved on the server, which is exactly where TLS puts it. A good thing Apache can help you in that department with its SSLCertificateChainFile directive, which, quoting the mod_ssl documentation,

sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

If there’s only one intermediate certificate between yours and the CA’s root, get it from your CA (they normally hand it out together with your certificate; in a pinch you can also export it from good old Firefox as a PEM file), place it in the same directory as the actual certificate and use SSLCertificateChainFile to tell Apache where to find it. If there are several, concatenate them into one file in order: the CA that issued your certificate first, then its issuer, and so on; the root itself can be left out. Then check what the server actually sends with openssl s_client -connect yourhost:443 -showcerts, which has no cache of its own, rather than trusting whatever your own browser shows you. That should solve the nasty errors those Twittering Mac-heads get. One caveat for later Apache versions: from 2.4.8 on SSLCertificateChainFile is deprecated, and the intermediates go into SSLCertificateFile instead, appended after the server certificate.
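The following is an added example, not part of the original post. It builds a throwaway root, intermediate and server certificate with openssl, then validates the server certificate the way a client does: the root is trusted (like a browser’s built-in store) and only the certificates the server “sent” are available. Without the intermediate the check fails with the same “unable to get local issuer certificate” that the Mac visitors hit; with it, the chain validates. It also assembles the chain file and prints the matching Apache directives. All names (Example Root CA, www.example.test, the temporary work directory) are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post or Apache): root -> intermediate
# -> server chain built with openssl, verified with and without the
# intermediate. CA names, www.example.test and the work directory are
# constructed for this demo.

# Self-contained openssl config so the demo does not depend on the system's
# openssl.cnf. -subj overrides the placeholder CN on every req call.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ srv_ext ]
basicConstraints = critical, CA:FALSE
subjectAltName = DNS:www.example.test
EOF
}

# Create root.pem (trust anchor), int.pem (issuing CA) and srv.pem (what you
# would buy for the web server) under directory $1.
make_chain() {
    dir=$1
    mkdir -p "$dir" && write_cnf "$dir"
    cnf=$dir/openssl.cnf
    openssl req -x509 -config "$cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1 &&
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$cnf" -extensions ca_ext \
        -out "$dir/int.pem" >/dev/null 2>&1 &&
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 30 -in "$dir/srv.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$cnf" -extensions srv_ext \
        -out "$dir/srv.pem" >/dev/null 2>&1
}

# Validate srv.pem like a client: root.pem is trusted, and only the files
# named in $2.. (what the server sent) are available as untrusted
# intermediates. Returns 0 when the chain validates, non-zero otherwise.
leaf_verifies() {
    dir=$1; shift
    untrusted=""
    for c in "$@"; do untrusted="$untrusted -untrusted $dir/$c"; done
    # shellcheck disable=SC2086  # word splitting of $untrusted is intended
    openssl verify -CAfile "$dir/root.pem" $untrusted "$dir/srv.pem" >/dev/null 2>&1
}

# Assemble the intermediates for Apache: issuing CA first, then its issuer,
# and so on; the root may be omitted. Prints the matching mod_ssl directives.
build_chain_file() {
    dir=$1; shift
    : > "$dir/chain.pem"
    for c in "$@"; do cat "$dir/$c" >> "$dir/chain.pem"; done
    cat <<EOF
SSLEngine on
SSLCertificateFile      $dir/srv.pem
SSLCertificateKeyFile   $dir/srv.key
# Apache < 2.4.8; from 2.4.8 on, append chain.pem to srv.pem instead
SSLCertificateChainFile $dir/chain.pem
EOF
}

# Number of PEM certificates in a file.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Live check of a running server (needs network): a correctly configured one
# sends the leaf plus every intermediate, so expect 2 or more, not 1.
served_cert_count() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

main() {
    work=$(mktemp -d)
    make_chain "$work"
    if leaf_verifies "$work"; then echo "leaf alone: OK"
    else echo "leaf alone: unable to get local issuer certificate"; fi
    build_chain_file "$work" int.pem
    if leaf_verifies "$work" chain.pem; then echo "leaf + chain.pem: OK"; fi
}

main "$@"
```

Run it with a stock openssl binary; the first verify fails and the second succeeds, and the printed directives are what goes into the VirtualHost. Point served_cert_count at your own host afterwards: if it reports 1, Apache is still sending only the leaf.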

14 thoughts on “How to fix SSL errors in Mac OS X browsers”

  1. Philip Paeps

    Ehm… If I remember from my last reading of the TLS spec, you’re _supposed_ to list all intermediate certificates between you and your trust anchor. This strikes me as the only way it can work too (provided you subscribe to the idea that PKI can “work” at all — outside a fully managed organization).

    Do you read the spec differently?

    1. Philip Paeps

      Please read RFC 5246 7.4.2. My interpretation is that _only_ the root certificate may be omitted, since one may assume that the client will already have it. There is nothing there about assuming that the client will have any intermediate certificates too.

      As I wrote earlier: this also strikes me as the only reasonable interpretation. In general, you don’t want your root certificates to directly sign leaf certificates. You want your root certificates to live somewhere offline, and delegate authority to intermediate certificates.

      So — don’t blame Apple I think. You just misconfigured your webservers because you read “optional” as “don’t need it”.

      1. frank Post author

        Thanks for the info Philip, that’s an obvious reason for the errors we got. Guess we’re just too spoiled with other browsers/OSes that do come with intermediate certificates of e.g. Verisign ;-)

  2. Philip Paeps

    Calling it “spoiled” is a completely different discussion, I think.

    The way PKI is currently deployed on “the web” is fundamentally broken. On the one hand, you have client software conflating “trust” with “validity”, and on the other you have completely untrustworthy “trusted third parties”.

    Web browsers should not ship with root certificates in the first place. Shipping intermediate certificates too is only making the problem worse.

    Unless the world can come up with a working “trusted third party” model, the only way TLS can work, is the way SSH does: asking to verify fingerprints out of band.

  3. Peter

    I’m afraid you completely misunderstood this part of SSL.

    As a webserver administrator you are *REQUIRED* to use SSLCertificateChainFile to list all intermediate certificates. If you do not, you get the error you posted. This is true for *ALL* browsers, regardless of the OS or brand of browser.

    However, if you would surf to another site that uses the same certificate authority, the browser can save these intermediate certificates so it does not need to redownload them in case another site wishes to use the same intermediate certificates.

    This means that if your webserver administrator forgets the SSLCertificateChainFile he/she might not notice it, as the intermediate certificate might already be present in his browser. Although the site seems to be working, the configuration is incorrect.

    So, to summarize, your conclusion is incorrect. This is a problem for all browsers on all operating systems, the only correct conclusion is that if you forget the SSLCertificateChainFile you might not notice it if your browser already has a cached version from another site.

    1. frank Post author

      You’re absolutely right Peter; I created a new user and installed a clean version of Firefox, and there are no intermediate certificates to be found. These are added while surfing and are listed as being in the “software security device”, whereas root certs are in the “builtin object token”.

    2. Philip Paeps

      I’m not sure I understand this “optimization” of not having to “download” the intermediate certificates again.

      The intermediate certificates are sent as part of the server hello message in the TLS handshake. A client has no control over whether or not they are ‘downloaded’ again: they’re pushed.

      Why would a client want to cache them?

  4. allyza

    Hello. I am having trouble with this SSL thing.
    So on the left corner of the link, there’s like a paper icon that is folded on the right corner. Then I tried to click it and it says:
    “The identity of this website has not been verified”
    “Your connection is not encrypted”
    “You have never visited this site before”
    I have a MacBook (white one) and it’s really pissing me off. Whenever I try to tinychat with my friends and it says “Allow or Deny” your mic, it just gets stuck right there. I don’t know how to fix this. Can someone please help me AS SOON AS POSSIBLE? Please, this is driving me crazy :(

  5. Kristen

    How do I fix SSL connection error 107 on a MacBook Pro? PLEASE HELP IMMEDIATELY. I have a presentation due, it’s 60% of my grade and it’s on Google Docs which I can’t log into BECAUSE OF THIS STUPID ERROR!
    PLEASE PLEASE PLEASE SOMEONE HELPPPPP MEEEEEEEEE :(

  6. Pingback: Error: The site’s security certificate is not trusted? | Ask & Answers
