Mac OS X, SSL and self-signed certificates

KeychainMany web sites want to use SSL to encrypt the transfer of data to prevent transmission of authentication data or to make sure the data is not modified during traffic. A good example for the latter was the operation of the insert_coin proxy server at Easterhegg. Because it was modifying all incoming http traffic, modifications to our CampWiki system became inadvertently corrupted. In addition, my password got sniffed as well. Using unencryped tools at a hacker con is a bad idea anyway :-)

If you want to do SSL you need a Certifying Authority (CA) to sign your certificate, giving proof to your claim that you are who you pretend to be. The problem is who this CA should be. Typically, web browsers and https subsystems only have a small selection of trusted CA‘s. Getting signed by them costs money. So what if you just want the encryption to prevent the above mentioned attacks but you don‘t care about the extended trust principle behind it and you don‘t want to spend the money?

Well, you could open your own CA and sign your own certificate. Many sites are doing this, including the Chaos Computer Club and this is valid for CampWiki and the Camp Registration Server as well.

Usually this is not a big problem. Mozilla allows you to store the CA file locally and is therefore ideal. But on Mac OS X applications like Safari, Kung-Log and NetNewsWire actually use a system-level protocol service to do http and https and have no direct influence on which CAs are accepted and which are not. Unfortunately, Apple does not yet provide a tool to change the list of trusted CAs accepted by the operating system.

But there is a workaround. A helpful article a Mac OS X Hints (a very useful resource anyway) shows a way how to do it. Although the article just mentions Safari, it should work with all compliant programs using the same subsystem.

This is what you have to do on the command line (using an account having administrator privileges):

  1. Get a copy of the original CA certificate.

    You find the CCC CA here: http://www.ccc.de/ca/cacert.pem
  2. Copy the system keychain file containing the trusted CA certificates to your home directory keychain area:

    cp /System/Library/Keychains/X509Anchors ~/Library/Keychains/
  3. Add the new CA certificate to this keychain in your home directory:

    certtool i cacert.pem k=X509Anchors
  4. Move the modified file back to it‘s system location:

    sudo mv ~/Library/Keychains/X509Anchors /System/Library/Keychains/

And you are done. Now you can read the CCC‘s web sites without having to accept warning messages first with Safari and you can subscribe to RSS feeds via https that are using self-signed certificates with NetNewsWire (since version 1.0.3). Unfortunately, this trick does not (yet) work with the current beta version of OmniWeb (4.5b2) but this might be just temporary.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.