{"id":8514,"date":"2014-03-04T15:45:25","date_gmt":"2014-03-04T20:45:25","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=8514"},"modified":"2014-03-04T15:45:25","modified_gmt":"2014-03-04T20:45:25","slug":"apple-openssl-verification-surprises","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2014\/03\/04\/apple-openssl-verification-surprises\/","title":{"rendered":"Apple OpenSSL Verification Surprises"},"content":{"rendered":"<p><a href=\"https:\/\/hynek.me\/articles\/apple-openssl-verification-surprises\/\">Hynek Schlawack<\/a> (via <a href=\"https:\/\/twitter.com\/optshiftk\/status\/440601658284724224\">Kyle Sluder<\/a>):<\/p>\n<blockquote cite=\"https:\/\/hynek.me\/articles\/apple-openssl-verification-surprises\/\"><p>Apple ships a patched version of OpenSSL with OS X. If no precautions are taken, their changes rob you of the power to choose your trusted CAs, and break the semantics of a callback that can be used for custom checks and verifications in client software.<\/p>\n<p>[&#8230;]<\/p>\n<p>The reason for this unexpected behavior is that Apple is trying to be helpful.  Certificate validation and especially trust databases are a hassle and OpenSSL&rsquo;s handling of them is rather user-hostile.  So Apple <a href=\"http:\/\/opensource.apple.com\/source\/OpenSSL098\/OpenSSL098-35.1\/src\/crypto\/x509\/x509_vfy_apple.c\">patched<\/a> a Trust Evaluation Agent (TEA) into their OpenSSL.  It gives failed verifications a second chance using the system keyring as trust&nbsp;store.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Hynek Schlawack (via Kyle Sluder): Apple ships a patched version of OpenSSL with OS X. If no precautions are taken, their changes rob you of the power to choose your trusted CAs, and break the semantics of a callback that can be used for custom checks and verifications in client software. [&#8230;] The reason for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[38,30,179,48],"class_list":["post-8514","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-apple","tag-mac","tag-openssl","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/8514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=8514"}],"version-history":[{"count":0,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/8514\/revisions"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=8514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=8514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=8514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}