I did find a reference to this being a bug fix in 10.7.4. Lots of companies are deprecating certificate support for certificates that are less than 2048-bit. I wonder if Apple has just handled this really badly (i.e., 1024 and less, unlike the description below).

*libsecurity*

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3

Impact: Support for X.509 certificates with insecure-length RSA keys may expose users to spoofing and information disclosure

Description: Certificates signed using RSA keys with insecure key lengths were accepted by libsecurity. This issue is addressed by rejecting certificates containing RSA keys less than 1024 bits.

CVE-ID
CVE-2012-0655

On Mon, May 14, 2012 at 3:40 PM, Roberge, Ted <[email protected]> wrote:

> Good afternoon,
>
> I wanted to ping the list to see if any other schools are having a problem
> with the new Mac 10.7.4 update not accepting Thawte certificates that we
> have on our CAM and 6 CAS's. Although we found a work around (clunky), I
> am about to pop new certs on all my equipment from another provider.
>
> Our NAC is running Ver 4.8.2 and we are running the Macintosh NAC agent
> 4.8.2.591. We downloaded a newer agent to test, but the problem doesn't
> seem to be with the agent, it seems to be that Safari no longer likes our
> certs.
>
> FYI...our quick fix:
> Work-around for the OSX 10.7.4 Issue:
> When the NAC Agent is malfunctioning, do this:
> >Close and reopen Safari
> >go to any website on Safari (not reddit)
> >asks to accept certificate in safari
> >click show certificate
> >click trust arrow
> >first drop down --> select always trust
> >click continue
> >log into agent (the popup login, not the browser login)
>
> Thoughts??
>
>
> "In my world of Information Technology, if you aren't moving forward,
> you're moving backwards."
>
> Ted Roberge
> Director, Information Technology
> Office of Information Technology
> Student Housing, University of California, Irvine
> Irvine, CA 92697
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators [mailto:
> [email protected]] On Behalf Of Tom Stachowiak
> Sent: Friday, May 11, 2012 6:06 AM
> To: [email protected]
> Subject: Re: Microsoft Security Essentials
>
> Pete,
>
> The OPswat module is preloaded in the server then pushed down to the
> clients anytime the version number changes. Each revision brings additional
> supported av's as well as fixes compatibility bugs. In 4.8.2 and higher the
> opswat module (shown in the CCA Console as Compliance Module) can be
> upgraded independently of client version, and if the cam has internet access
> you can even allow the compliance module to auto upgrade if you so desire.
>
