Our certificates are 2048 bits and we are still experiencing this problem. Once I solve my other CCA TAC case and get a machine I can test from, I will open a new case for this issue. -Jason
Jason Meador Network Engineer Santa Clara University 408-551-1847 (desk) [email protected]>>> "Young, Jay" <[email protected]> 5/15/2012 9:22 AM >>> Just a note on this we have a few mac users affected. I just updated Safari to 5.1.7, removed my trust for the NAC cert and the agent started working again. We haven't tested for other users yet so I'm not positive this was the fix. Jay On May 15, 2012, at 11:50 AM, Javier Henderson wrote: > Good find. Though note that the release note mentions "less than 1024 bits". > I wonder if that is a typo and they meant "1024 bits or less". > > Javier Henderson > [email protected] > +1 919 574 5032 > > On May 15, 2012, at 11:12 AM, Mike King <[email protected]> wrote: > >> I did find a reference to this being a bug fix in 10.7.4 >> >> Lots of companies are deprecating certificate support for certificates that >> are less than 2048bit. I wonder if Apple has just handled this really >> bad.(IE, 1024 and less, unlike the description below) >> >> libsecurity >> >> Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to >> v10.7.3, OS X Lion Server v10.7 to v10.7.3 >> >> Impact: Support for X.509 certificates with insecure-length RSA keys may >> expose users to spoofing and information disclosure >> >> Description: Certificates signed using RSA keys with insecure key lengths >> were accepted by libsecurity. This issue is addressed by rejecting >> certificates containing RSA keys less than 1024 bits. >> >> CVE-ID >> >> CVE-2012-0655 -- Jay Young Sr Network Engineer Office of the Chief Information Officer The Ohio State University 614.292.7350
