Mac OS X Lion 10.7.2 update breaks SSL

Hi mcandre,

Are you using a wi-fi portal, sometimes called a captive portal, to get to the internet?

Yes, I work at Brock University and we are having the same problem here. Many usinveristies and colleges are having the same problem all over. It is the portal actually. It is not allowing the certificate checking to happen. When these checks are blocked, Lion interprets this as a hijack of the captive portal and blocks all apps that use the Aplpe webkit from accessing the net. Your firefox is probably set to ignore OSCP and CRL checks and this bypasses the keychain to do this.

What I am finding is, when the check can't happen because the portal blocks it, a bad key called unkown shows up in the keychain. After this happens, you cannot even open the keychain app. it beachballs. If you boot from the recover drive (holding command + R) and then go to the disk utility, repair drive, and repair permissions; you can then reboot and get t the keychain.

You can delete the bad certificate and all works well.

For a few hours to a day or so. The next time you go to the portal after being timed out, it tries to check and you start all over again with the problem.

What we have found is, when the portal allows the machine to get out to check whatever certs it needs to athenticate on the portal itself, the keychain does what it needs to do and then the machine works normally. You must not be the onyl person at your University with this problem in 10.7.2. Call your helpdesk and tell them to look it up. It is all over the forums now.

The workarounds only work for a little while, allowing the certificate revokation checks at the portal seems to solve this. We have so far had no one coming to our helpdesk since we made this change this morning.

I will follow this discussion and report back if anything changes.

If you support people at the university want to know more about this issue, point them at

http://airheads.arubanetworks.com/vBulletin/showthread.php?t=4451

That should get them on the right track.

I think I am having this same issue. After waking up my MBP, it takes about 3-4 minutes for it to connect to a website in both Safari and Google Chrome. Emails come in fine in Outlook as Wi-Fi is connected okay. This delay just started happening when I updated to 10.7.2. It doesn't matter what Wi-Fi I'm on as this problem occurs both at home and school. Does this sound like the same issue you all are having?

same troubles here, this is a really serious issue. for now i'm hardly able ot use my mac anymore. apple please have a serious look at this!

i checked with packet peeper and i can see that safari/chrome is connecting to the ssl server and the server is responding, but then obiously something goes wrong. afaik my keychain is set to ignore OSCP and CRL but i can't confirm it because i can't open keychain!!!

I've figured out a fix. The issue is happening because the captive portal replies to EVERYTHING. I adjusted the captive portal's DNS to give bad results for OCSP and CRL sites. I used 127.0.0.1 in this case. The requests now timeout instead of giving back incorrect data. It also works locally by changing "/private/etc/hosts" and adding entries like this:

127.0.0.1 crl.usertrust.com

127.0.0.1 ocsp.usertrust.com

127.0.0.1 crl.incommon.org

127.0.0.1 ocsp.incommon.org

The correct entries may depend on the CA for the certificate. I found these addresses while watching the connection using Wireshark.

unfortunately i don't even have a captive portal here. independ of which wireless / wired connection i'm using, this problem still occures.

after a reboot i can open keychain, but then as soon as i try to connect to certain HTTPS pages, keychain freezes up and the page times out. for some strange reason, sometimes i'm able to open one or two SSL encrypted pages until the problem happens. I also moved away my login keychain and created a new one and tested with another user on my mac book, still, always the same issue.

it is also independent if i set OCSP/CRL to "Off" or "Best Attempt"

i really really hope apple can resolve this quickly or somebody figures out a workaround!

It might be that your ISP has their DNS server to respond to all queries. Like if you type in http://www.disnaylannds.com/ by accident, there should be no response to a DNS query, but your ISP might give one and send you to their search page. In this case, keychain will try to get the OCSP/CRL info from a page which is not formated correctly. I believe this is what is causing that bad certificate. Apple needs to fix their parser so that it can realize the formating is not correct before it tries to add the certificate and crash the keychain.

Try the Google DNS servers (8.8.8.8, 8.8.4.4) to see if it helps.

thanks for the tip, i tried it but unfortunately doesn't work either.

I did a trace with wire shark and i can see that the TLS negotioation phase seem to be successfull. at least it looks very much the same as if i do it with firefox, in which case it works.

after the initial handshake phase, when the client should start to send the encryted payload, there's no more traffic and a timeout after about 20sec happens.

i can also provide the dump if somebody think's it would be of some use.

i just wonder if more people are experiencing the same issues? there are some posts which look similar, but most focus on to the captive portal part, which i still think doesn't really apply for my case. I'm also not connecting to random (wrong) https sites but to for example https://www.apple.com .

many thanks again for your help

Yes, I'm experiencing this too (using 10.7.2). Not sure exactly when this started happening as I use Firefox most of the time, but now Safari+Chrome+most other services that use SSL hang.

What is going on??

I was bit by this issue early on.

I believe this has been the worst update ever. Of course being used to perfection (tiger,leopard,snow leopard) is weird that something like this creeped up.

I am posting here to be notified if someone find a more permanent solution.

There are some solutions in the links below:

http://superuser.com/questions/347316/lion-unable-to-load-ssl-sites

http://superuser.com/questions/349740/mac-os-x-lion-10-7-2-update-breaks-ssl

Best,

Fotis

I posted my solution to this on SuperUser: http://superuser.com/questions/349740/mac-os-x-lion-10-7-2-update-breaks-ssl/365 333#365333

I was having these types of problems at work. None of the suggested fixes worked permanently (although several of them worked temporarily). I upgraded to Lion 10.7.3, and the problems seem to have gone away.

For completeness, I'll briefly describe my problem on Lion 10.7.2: Our ArubaNetworks wireless access required a username and password. After I enter the username/password, the browser hangs. After that, any operation requiring network access or a certificate would hang. If I started up Keychain Access, it would hang and not display the main screen. I have lots of apps on my MacBook, but I had the opportunity to try this at work on a virgin system and had the same problem.

After upgrading to 10.7.3, this problem went away. I no longer had the above problems. About 7 days after I installed 10.7.3, our network manager removed the username/password requirement (which would probably have made the problem go away too).