Q: OS X 10.8/10.9 repair of 2048-bit certificate-based L2TP over IPsec VPN

by 3g91ld3a

Dear Apple Team,

I respectfully request that you repair the "native" VPN client built into OS X 10.8 and iOS 6. The problem is that the VPN client is mangling the certificate payload for certificates larger than 1024 bits. This is a fragmentation problem: when the client hits the standard ~1500 MTU of most network devices, it fragments the certificate. Fragmenting it is fine, but the client is not handling it correctly. The effect is that users with 2048-bit certs or higher cannot get on the VPN. The VPN server observes a faulty certificate or faulty payload. I have spoken with Enterprise support, who were most professional and excellent; however, they indicated there was no support for the native client. Yet, since this *used* to work in iOS 5 and below, as well as 10.7 and earlier, clearly something has broken in 10.8 and iOS 6.

We all love using our iPads, iPhones, and OS X devices in business. Please keep it that way and restore this lost functionality; any security-conscious organization that requires certificates for VPN will also require 2048-bit certificates (or more).

You can see more detail here: https://discussions.apple.com/thread/4158642?start=0&tstart=0

Thank you very much.

MacBook Air, OS X Mountain Lion (10.8.2)

Posted on Feb 2, 2013 3:26 PM


  • by Lanny (Level 6, 8,041 points, Desktops), Feb 2, 2013 8:30 PM, in response to 3g91ld3a

    This is an Apple Users forum, made up of people like yourself, not Apple personnel.

    Please send your request to Apple by using: http://www.apple.com/feedback/macosx.html

  • by leroydouglas (Level 7, 23,937 points, Notebooks), Feb 2, 2013 9:14 PM, in response to 3g91ld3a

    If you want to report it to Apple's engineers, send a bug report via its Bug Reporter system. To do this, join the Mac Developer Program—it's free and available for all Mac users and gets you a look at some development software. Since you already have an Apple username/ID, use that. Once a member, go to Apple BugReporter and file your bug report. You get a response and a follow-up number, thus starting a dialog with engineering.

  • by garz75 (Level 1, 0 points), Feb 24, 2013 11:44 AM, in response to 3g91ld3a

    Hello 3g91ld3a,

    As the other people on this thread suggested, did you join the Mac Developer Program and have a chance to file a bug? I have the same problem with my certificates. I cannot change them to 1024 bits, by company policy. This bug has been addressed in iOS 6.1; it needs to be solved for OS X as well...

    Thanks for caring and trying to contact Apple about this.

  • by sokratisg (Level 1, 0 points), Jun 5, 2013 4:34 PM, in response to 3g91ld3a

    I had the same problem with a 2048-bit certificate-based IPsec VPN (Apple Cisco default client).

    With the 10.8.4 update I did just earlier, this problem is solved and racoon is working OK with IKEv1 fragmentation!
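The fragmentation problem described in the original question, and the IKEv1 fragmentation that racoon uses which sokratisg mentions, as an added example that is not part of this thread or of Apple's or racoon's code: a Python model of how an oversize certificate-bearing ISAKMP message is split into fragment payloads that each fit a ~1500-byte datagram, and of the consistency checks a receiver needs when reassembling them. The header sizes, the fragment payload layout (modelled on draft-ietf-ipsec-isakmp-fragmentation) and the sample message are assumptions constructed for this illustration.

```python
"""IKEv1 (ISAKMP) fragmentation model, in the style racoon and Cisco-type clients use.
Constructed example; fragment payload layout modelled on draft-ietf-ipsec-isakmp-fragmentation
(2-byte fragment ID, 1-byte fragment number, 1-byte flags after the generic payload header)."""
import struct

MTU = 1500                  # typical path MTU mentioned in the thread
IP_UDP_HDR = 20 + 8         # IPv4 header + UDP header (assumes no NAT-T marker)
ISAKMP_HDR = 28             # fixed ISAKMP header carried by every datagram
FRAG_HDR = 8                # generic payload header (4) + frag_id (2) + num (1) + flags (1)
FRAG_CHUNK = MTU - IP_UDP_HDR - ISAKMP_HDR - FRAG_HDR   # 1436 data bytes per fragment
LAST_FRAGMENT = 0x01

# Constructed stand-in for a main-mode message carrying an RSA-2048 CERT payload
# plus a 256-byte SIG payload: 1792 bytes, so it cannot travel in one datagram.
SAMPLE_MESSAGE = bytes(range(256)) * 7

def needs_fragmentation(message_len: int) -> bool:
    """True when headers + message would exceed the MTU as a single datagram."""
    return IP_UDP_HDR + ISAKMP_HDR + message_len > MTU

def fragment(message: bytes, frag_id: int) -> list[bytes]:
    """Split a full ISAKMP message into fragment payloads, one per datagram."""
    chunks = [message[i:i + FRAG_CHUNK] for i in range(0, len(message), FRAG_CHUNK)]
    frags = []
    for num, chunk in enumerate(chunks, start=1):
        flags = LAST_FRAGMENT if num == len(chunks) else 0
        # next payload = 0 (none), reserved = 0, length covers header + data
        hdr = struct.pack("!BBHHBB", 0, 0, FRAG_HDR + len(chunk), frag_id, num, flags)
        frags.append(hdr + chunk)
    return frags

def reassemble(frags: list[bytes]) -> bytes:
    """Rebuild the message from fragments in any order; reject incomplete sets (a
    receiver that skips these checks yields the 'faulty payload' the VPN server sees)."""
    parts, last, ids = {}, None, set()
    for f in frags:
        _, _, length, frag_id, num, flags = struct.unpack("!BBHHBB", f[:FRAG_HDR])
        if length != len(f):
            raise ValueError(f"fragment {num}: length field {length} != {len(f)}")
        ids.add(frag_id)
        parts[num] = f[FRAG_HDR:]
        if flags & LAST_FRAGMENT:
            last = num
    if len(ids) != 1 or last is None or set(parts) != set(range(1, last + 1)):
        raise ValueError("incomplete or mixed fragment set: cannot rebuild payload")
    return b"".join(parts[n] for n in range(1, last + 1))
```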