[SmartcardServices-Users] CAC-NG 10.5.8 repeatedly rejects certs

Shawn A. Geddis geddis at mac.com
Wed Jul 21 12:33:47 PDT 2010


On Jul 15, 2010, at 10:18 AM, John Daly wrote:
> Greetings,
> 
> I have to add a “me too” to those folks who have installed the CAC-NG tokend and find that while the keychain shows their certs, and they can set up identity preferences to use those certs, when trying to use Safari to get to a site, you get an error message requesting that you select a certificate.  No matter what certificate is selected, you just get the selection again.  Reading the text of the selection box, you find that it says the site has rejected the certificate and is therefore requesting another.
> So, here are the additional things that I have done which I have not seen in any of the previous posts about this issue.
> 
> I have only 3 people who have the CAC-NG card at this time.  One of those has a new machine which is running 10.6.  I installed the CAC-NG tokend and her system functions (mostly) beautifully.  The 10.5.8 system exhibits the behavior above.  I took the CAC card from the person on the 10.5.8 system to the 10.6 system and used it there successfully, indicating that the problem is not that there is something wrong with her certificates.  Both cards work in the 10.6 system.  Neither card works in the 10.5.8 system.
> 
> Finally, I set the debugger as Shawn outlined in a previous post.  These are the results.  The timestamp indicates that these results are logged at the moment in which Safari is attempting to log into a CAC-enabled website (https://webmail.west.nmci.navy.mil in this case).  For privacy reasons, I’ve replaced the actual certificate name with <CAC_Certificate>.  This string of errors shows up in the system.log every time I try to log into a CAC-enabled site.
> 
> Jul 14 15:43:36 mac /Applications/Safari.app/Contents/MacOS/Safari[75221]: preferred identity: "<CAC_Certificate>" found for "https://webmail.west.nmci.navy.mil/exchange"
> Jul 14 15:43:36 mac /Applications/Safari.app/Contents/MacOS/Safari[75221]: lookup complete; will use: "<CAC_Certificate>" for "https://webmail.west.nmci.navy.mil/exchange"
> Jul 14 15:43:37 mac securityd[22]: securityd(22,0xb0081000) malloc: *** error for object 0x121f000: pointer being freed was not allocated\n*** set a breakpoint in malloc_error_break to debug
> Jul 14 15:43:37 mac com.apple.SecurityServer[22]: securityd(22,0xb0081000) malloc: *** error for object 0x121f000: pointer being freed was not allocated
> Jul 14 15:43:37 mac com.apple.SecurityServer[22]: *** set a breakpoint in malloc_error_break to debug 
> 
> -- John Daly
> Apple Certified Technical Coordinator
> Sysadmin 474300D

John,

The 10.6 CAC-NG Tokend has all of the known issues addressed (other than needing additional support for the 128K CAC-NG variant) and the 10.5 CAC-NG Tokend still needs additional work.  So, your results are not out of line at all, but are not experienced by all users either.  Keep checking - hope to get patches in soon.  Keep checking the site or ensure to add the RSS feed so you know the moment it is posted.  

The "malloc" erros you refer to above are actually a red herring for this ... 

-Shawn
__________________________________________________
Shawn Geddis				  			   geddis at mac.com
Security Consulting Engineer				   geddis at apple.com

MacOSForge Project Lead:                           Smart Card Services                                                                 
	Web:	http://smartcardservices.macosforge.org/
	Lists:	http://lists.macosforge.org/mailman/listinfo
__________________________________________________

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/smartcardservices-users/attachments/20100721/c0feb9f2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3859 bytes
Desc: not available
URL: <http://lists.macosforge.org/pipermail/smartcardservices-users/attachments/20100721/c0feb9f2/attachment.bin>


More information about the SmartcardServices-Users mailing list