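This week I upgraded Mac OS X 10.11.3 to 10.11.4. After the upgrade, I found that opening some software, such as the Xcode simulator download page or the HMA client (a VPN client), reports an invalid certificate error: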
"Could not download and install OS X 10.11.4 Documentation. The certificate for this server is invalid. You might be connecting to a server that is pretending to be “devimages.apple.com.edgekey.net” which could put your confidential information at risk."
Or:
"System.Net.WebException: Error: SendFailure (Error writing headers) ---> System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0x5
at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.RemoteValidation (Mono.Security.Protocol.Tls.ClientContext context, AlertDescription description) [0x00000] in <filename unknown>:0 "
In the system log, I also see:
error=Error Domain=kCFErrorDomainCFNetwork Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “setup.icloud.com” which could put your confidential information at risk." UserInfo={NSErrorFailingURLStringKey=https://setup.icloud.com/configurations/init, NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, kCFStreamPropertySSLPeerCertificates=(
"<SecCertificate 0x7fdaba571060 [0x7fff7abb5440]>",
"<SecCertificate 0x7fdaba551430 [0x7fff7abb5440]>"
), _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrust 0x7fdaba412b20 [0x7fff7abb5440]>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “setup.icloud.com” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, NSErrorFailingURLKey=https://setup.icloud.com/configurations/init, _kCFStreamErrorCodeKey=-9807}, httpStatusCode=-1, responseHeaders=
(null)
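However, if I create a new administrator account on the same machine, the problem disappears. I am not sure what went wrong. Can I fix it?
Please help me fix it! Thanks!
Answer 1
So, after filing a bug on Radar, an Apple employee told me to check Keychain - Preferences - Certificates tab.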
After changing the CRL setting from "require if certificate indicates" to "Best attempt" or "off", the problem went away.
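So it looks like some CA certificates under "System Roots" have expired.
So we have two options:
- Keep CRL as best attempt (not sure how much this weakens system security)
- Delete the expired system root certificates by following the steps in: security: SecKeychainItemDelete: UNIX[Operation not permitted] when trying to delete expired System Roots certificates on OS X.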
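
Before changing the CRL setting, it helps to decode the numeric codes in the question's log excerpt to see which failure the TLS stack actually reported for each host. The following Python sketch is an added example, not part of the original posts; the sample lines are constructed in the format of that excerpt (vpn.example.com is a hypothetical host), and the tables list only the certificate-related SecureTransport and NSURLError values.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Certificate-related SecureTransport result codes (SecureTransport.h).
SSL_ERRORS = {
    -9807: "errSSLXCertChainInvalid", -9808: "errSSLBadCert",
    -9812: "errSSLUnknownRootCert", -9813: "errSSLNoRootCert",
    -9814: "errSSLCertExpired", -9815: "errSSLCertNotYetValid",
}
# Certificate-related NSURLError codes reported in the CFNetwork error domain.
URL_ERRORS = {
    -1201: "NSURLErrorServerCertificateHasBadDate",
    -1202: "NSURLErrorServerCertificateUntrusted",
    -1203: "NSURLErrorServerCertificateHasUnknownRoot",
    -1204: "NSURLErrorServerCertificateNotYetValid",
}

DOMAIN_CODE = re.compile(r"Error Domain=kCFErrorDomainCFNetwork Code=(-?\d+)")
SSL_CODE = re.compile(r"_kCFNetworkCFStreamSSLErrorOriginalValue=(-?\d+)")
FAILING_URL = re.compile(r"NSErrorFailingURLStringKey=(https?://[^\s,}]+)")

def parse_record(line):
    """Return (host, url_error, ssl_error) for a CFNetwork TLS error line, else None."""
    dom, ssl_code, url = DOMAIN_CODE.search(line), SSL_CODE.search(line), FAILING_URL.search(line)
    if not (dom and ssl_code):
        return None
    host = urlsplit(url.group(1)).hostname if url else "(unknown host)"
    d, s = int(dom.group(1)), int(ssl_code.group(1))
    # Unknown codes are kept as their numeric string so nothing is silently dropped.
    return host, URL_ERRORS.get(d, str(d)), SSL_ERRORS.get(s, str(s))

def summarize(lines):
    """Count certificate failures per (host, URL error, SSL error)."""
    return Counter(r for r in map(parse_record, lines) if r)

# Constructed sample lines, abbreviated from the format of the log excerpt in the question.
_FMT = ('error=Error Domain=kCFErrorDomainCFNetwork Code={} UserInfo={{NSErrorFailingURLStringKey={}, '
        '_kCFNetworkCFStreamSSLErrorOriginalValue={}, _kCFStreamErrorDomainKey=3}}')
SAMPLE = [
    _FMT.format(-1202, "https://setup.icloud.com/configurations/init", -9807),
    _FMT.format(-1202, "https://setup.icloud.com/configurations/init", -9807),
    _FMT.format(-1201, "https://vpn.example.com/login", -9814),  # hypothetical host
    "com.apple.xpc.launchd: Service exited with abnormal code: 1",  # unrelated line, ignored
]

if __name__ == "__main__":
    for (host, url_err, ssl_err), n in summarize(SAMPLE).items():
        print(f"{n}x {host}: {url_err} / {ssl_err}")
```

A result of errSSLCertExpired points at an expired certificate in the chain, while errSSLXCertChainInvalid only says that chain validation failed.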