Skip to content

Instantly share code, notes, and snippets.

@pudquick
Last active December 29, 2015 08:09
Show Gist options
  • Select an option

  • Save pudquick/7641160 to your computer and use it in GitHub Desktop.

Select an option

Save pudquick/7641160 to your computer and use it in GitHub Desktop.
gurl stuff
***Testing https://trustedsite.dev/ (Untrusted CA, unverifiable site)...***
Percent complete: 0
2013-11-24 12:22:08.057 Python[58711:1107] connection_canAuthenticateAgainstProtectionSpace_
2013-11-24 12:22:08.057 Python[58711:1107] Protection space found. Host: trustedsite.dev Realm: None AuthMethod: NSURLAuthenticationMethodServerTrust
2013-11-24 12:22:08.058 Python[58711:1107] Allowing OS to handle authentication request
Status: 200
Headers: {u'Content-Length': u'200', u'Content-Encoding': u'gzip', u'Accept-Ranges': u'bytes', u'Vary': u'Accept-Encoding', u'Keep-Alive': u'timeout=15, max=100', u'Server': u'Apache/2.2.14 (Ubuntu)', u'Last-Modified': u'Wed, 26 Aug 2009 18:37:54 GMT', u'Connection': u'Keep-Alive', u'Etag': u'"e000c-fd-4720fbfc0c480"', u'Date': u'Sun, 24 Nov 2013 20:25:15 GMT', u'Content-Type': u'text/html'}
mbp:gist7571880-64e49a6a3d6a693577ca6dd59e61c66271a7a443 mike$
***Testing https://trustedsite.dev/repo/catalogs/all (Client cert required)...***
Percent complete: 0
2013-11-24 12:23:29.788 Python[58722:1107] connection_canAuthenticateAgainstProtectionSpace_
2013-11-24 12:23:29.789 Python[58722:1107] Protection space found. Host: trustedsite.dev Realm: None AuthMethod: NSURLAuthenticationMethodServerTrust
2013-11-24 12:23:29.790 Python[58722:1107] Allowing OS to handle authentication request
2013-11-24 12:23:29.820 Python[58722:1107] connection_canAuthenticateAgainstProtectionSpace_
2013-11-24 12:23:29.821 Python[58722:1107] Protection space found. Host: trustedsite.dev Realm: None AuthMethod: NSURLAuthenticationMethodClientCertificate
2013-11-24 12:23:29.821 Python[58722:1107] Allowing OS to handle authentication request
Status: 200
Headers: {u'Content-Length': u'1145', u'Accept-Ranges': u'bytes', u'Keep-Alive': u'timeout=15, max=100', u'Server': u'Apache/2.2.14 (Ubuntu)', u'Last-Modified': u'Fri, 28 Aug 2009 18:14:30 GMT', u'Connection': u'Keep-Alive', u'Etag': u'"e0016-479-47237a7c02d80"', u'Date': u'Sun, 24 Nov 2013 20:26:37 GMT', u'Content-Type': u'text/plain'}
mbp:gist7571880-64e49a6a3d6a693577ca6dd59e61c66271a7a443 mike$
mbp:gist7571880-64e49a6a3d6a693577ca6dd59e61c66271a7a443 mike$ cat /tmp/foo
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>catalogs</key>
<array>
<string>testing</string>
</array>
<key>description</key>
<string></string>
<key>display_name</key>
<string>Hello World</string>
<key>installed_size</key>
<integer>236</integer>
<key>installer_item_location</key>
<string>HelloWorld.dmg</string>
<key>installer_item_size</key>
<integer>183</integer>
<key>minimum_os_version</key>
<string>10.4.0</string>
<key>name</key>
<string>Hello World</string>
<key>receipts</key>
<array>
<dict>
<key>filename</key>
<string>Hello World.pkg</string>
<key>installed_size</key>
<integer>236</integer>
<key>packageid</key>
<string>foo.bar.helloWorld.helloWorld.pkg</string>
<key>version</key>
<string>1.0.1.0.0</string>
</dict>
</array>
<key>uninstall_method</key>
<string>removepackages</string>
<key>uninstallable</key>
<true/>
<key>version</key>
<string>1.0.1.0.0</string>
</dict>
</array>
</plist>
mbp:gist7571880-64e49a6a3d6a693577ca6dd59e61c66271a7a443 mike$
*****
Notes:
2 types of connection:
- Self-signed servers with a self-created CA:
- Need to have the CA in and trusted
- Need to have the site in and trusted (as the signer is verified, but the cert itself can't be verified)
- Working with a client cert (with an otherwise trusted site):
- Need to have a client cert, but does NOT need to be trusted
- Need to have an identity preference set for https://thesite/
Additional notes:
- Generating an importable .pem file for the site:
- echo | openssl s_client -connect web.site:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > site.pem
security create-keychain -p munki munki.keychain
security unlock-keychain -p munki munki.keychain
# Disables lock timeout
security set-keychain-settings munki.keychain
security list-keychains -d user
# Necessary for 10.9 as keychain creation does not add it to the search list
security list-keychains -d user -s ~/Library/Keychains/login.keychain ~/Library/Keychains/munki.keychain
echo | openssl s_client -connect web.site:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/Desktop/certs/site.pem
security import ~/Desktop/certs/ca.pem -k munki.keychain
security import ~/Desktop/certs/site.pem -k munki.keychain
security import ~/Desktop/certs/client.pem -k munki.keychain
vs. ... ?
security add-trusted-cert -k munki.keychain ~/Desktop/certs/ca.pem - good
security add-trusted-cert -k munki.keychain ~/Desktop/certs/client.pem - problem
security add-trusted-cert -k munki.keychain ~/Desktop/certs/site.pem - problem
# Get the hash of the imported client:
security find-certificate -c munki_client -Z munki.keychain | grep 'SHA-1 hash'
# Use that to create an identity
security set-identity-preference -s 'https://web.site/' -Z hash.here munki.keychain
... doesn't matter if you specify a keychain, it's added to the login.keychain
@Jaharmi

Jaharmi commented Nov 25, 2013

Copy link
Copy Markdown

What about “-d -r trustAsRoot” or importing the CA via a profile (both as admin)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment