Tuesday, March 4, 2014

Apple OpenSSL Verification Surprises

Hynek Schlawack (via Kyle Sluder):

Apple ships a patched version of OpenSSL with OS X. If no precautions are taken, their changes rob you of the power to choose your trusted CAs, and break the semantics of a callback that can be used for custom checks and verifications in client software.

[…]

The reason for this unexpected behavior is that Apple is trying to be helpful. Certificate validation and especially trust databases are a hassle and OpenSSL’s handling of them is rather user-hostile. So Apple patched a Trust Evaluation Agent (TEA) into their OpenSSL. It gives failed verifications a second chance using the system keyring as trust store.

Comments

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment