[SmartcardServices-Users] Searching Directory Services for certificates in Lion

Shawn Geddis geddis at me.com
Mon Mar 5 09:58:15 PST 2012


Tim,

Just to be clear to everyone, this message thread has nothing to do with SmartCardServices (this list), but rather Certificate handling on OS X when used by Mail...

I will be quick to agree with you that things should just work and if the Mac in question is indeed bound to AD, it should just pull the certificate from the DS.  Now, if it does not, it would either be a configuration problem (system not configured with AD for contacts tab — see Directory Utility —OR— a failure during setup to configure as such) or back to the age-old issue of case mismatch between the certificate (RFC822Name) and that being used for sending the email message.

OK, well I should include a potential third option as “a bug” :-)  I believe it would be helpful to the community to leverage bug submissions and tracking.  Apple can’t be sure we know about all issues/scenarios unless we either are receiving crash reports or folks are submitting bug reports.  


> Lastly, does anyone know any plist majick to set a stronger default cipher suite for Mail to use?

Sadly, not at this time.  For list users, Mail.App defaults to using SHA-1 / 3DES for the Creation of messages.  Mail.App will, however, properly validate messages received using SHA-256 / AES as well.  Once again, this would be very good to have and I would encourage you and others to submit bug reports on the lack of selecting stronger cipher suites for Mail.  This is, by the way, possible in Outlook for the Mac — just need to be exposed within Mail.App.

-Shawn
__________________________________________________
Shawn Geddis                    geddis at me.com
Security Consulting Engineer    geddis at apple.com

MacOSForge Project Lead:        Smart Card Services
    Web:    http://smartcardservices.macosforge.org/
    Lists:  http://lists.macosforge.org/mailman/listinfo
__________________________________________________


On Mar 5, 2012, at 8:26 AM, Miller, Timothy J. wrote:
> I appreciate that, Shawn, but I can't help but feel if the system is bound to AD the setup script should make it Just Work for cached network accounts.   :)  Suffice to say it doesn't.  While I'm all for dropping Radar tickets, my experience with that has been, shall we say, not the best (it's a one-way information flow among other issues).
> 
> Basically, there seems to be a disconnect re: what Address Book does and Mail does.  Address Book seems fine, but when Mail goes to dereference addresses it won't pull the cert.  I need to be off VPN long enough to run some tests, but my current working theory is that Mail is expecting userSMIMECertificate to be populated, whereas Address Book looks for both userSMIMECertificate and userCertificate.
> 
> Lastly, does anyone know any plist majick to set a stronger default cipher suite for Mail to use?
> 
> -- T
> 
> 
> On Mar 3, 2012, at 1:15 AM, Shawn Geddis wrote:
> 
>> Keep in mind that you need to have enabled this in Keychain Access by selecting the “Search directory services for certificates” and having the appropriate Directory Server configured via Directory Utility.  
>> 
>> If you have both KA & DU configured properly, you should file a bug and provide extensive profile/logging information.
>> 
>> Running the command line simply verifies that the system CAN locate a certificate, but be careful of the case sensitivity on the local part of the RFC822Name as we had noted so many times on this list.  If you are trying to encrypt a message to someone and you are entering their address using an alternate version of the address (i.e. case variance) then Mail will not be able to locate and use the certificate.
>> 
>>> Even searching the contact in the GAL displays the correct cert for the contact.
>> 
>> 
>> What are you performing to do a search in the GAL, Address Book?  dscl?  using Outlook?
>> 
>> - Shawn
>> ________________________________________
>> Shawn Geddis   
>> Security Consulting Engineer 
>> Apple Enterprise Division
>> 
>> On Feb 29, 2012, at 12:11 PM, Hoit, Daniel S. wrote:
>>> Seeing the same issue here. Address book works fine, but Mail won't pull from DS. If the cert's in the login keychain it works, but it's not working from DS.
>>> 
>>> 	--DH
>>> 
>>> On Feb 16, 2012, at 10:30 AM, JEFFREY COMPTON wrote:
>>>> Is anyone else having trouble with Mail.app in Lion searching directory services for certificates?
>>>> 
>>>> From command line - it works like a charm - for example --
>>>> 
>>>> security find-certificate -e mycoworker@ourdomain.org -p > downloadedcert.pem; security import downloadedcert.pem -k login.keychain
>>>> 
>>>> But from Mail.app - no go.
>>>> 
>>>> Even searching the contact in the GAL displays the correct cert for the contact.
>>>> 
>>>> Thanks.
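An added example, not code from anyone in this thread: a shell script that reproduces the RFC822Name case check Shawn warns about, comparing the address a sender would type against the rfc822Name entries in a certificate's SAN. It constructs a throwaway self-signed certificate with openssl so it runs offline; on a Mac the certificate would instead come from `security find-certificate -e <address> -p`, and the address, file names and function names here are placeholders of my own.

```shell
#!/bin/sh
# Added example, not from the list thread: does the address typed into Mail
# match a certificate's rfc822Name byte for byte (local part case included)?
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a self-signed cert whose SAN has a mixed-case local
# part, standing in for what Directory Services would return.
make_sample_cert() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[smime]
subjectAltName = email:MyCoworker@ourdomain.org
extendedKeyUsage = emailProtection
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=My Coworker" \
    -config "$WORK/san.cnf" -extensions smime \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  echo "$WORK/cert.pem"
}
# List the rfc822Name entries in a PEM certificate's SAN, one per line.
cert_emails() {
  openssl x509 -in "$1" -noout -text | grep -o 'email:[^, ]*' | sed 's/^email://'
}
# Exit 0 only when the address matches an rfc822Name exactly, as Mail requires.
cert_matches_address() {
  cert_emails "$1" | grep -qxF -- "$2"
}
# Explain a failed lookup: exit 2 for a pure case mismatch, 1 for no cert at all.
diagnose() {
  cert="$1"; addr="$2"
  if cert_matches_address "$cert" "$addr"; then
    echo "match: $addr"; return 0
  fi
  lower=$(printf '%s' "$addr" | tr 'A-Z' 'a-z')
  for e in $(cert_emails "$cert"); do
    if [ "$(printf '%s' "$e" | tr 'A-Z' 'a-z')" = "$lower" ]; then
      echo "case mismatch: typed '$addr', certificate has '$e'"; return 2
    fi
  done
  echo "no certificate for $addr"; return 1
}

CERT=$(make_sample_cert)
diagnose "$CERT" "MyCoworker@ourdomain.org"
diagnose "$CERT" "mycoworker@ourdomain.org" || true
```

Exit status 2 is the case the thread keeps hitting: the directory does hold a certificate for the person, but not under the spelling of the address that was typed.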