hoakley October 4, 2021 Macs, Technology

How Safari 15 checks a secure connection

To understand why current versions of Safari appear to be having problems connecting to some sites, particularly those affected by the recent Let’s Encrypt certificate changes, I’ve been exploring what’s recorded in the Unified log. This article casts more light on the checks which Safari runs, and how they can fail. For this, I’m using Safari 15.0 (16612.1.29.41.4, 16612) running on macOS 11.6 (20G165).

All that I did was to press the Return key to connect Safari to a site known to be using Let’s Encrypt certificates which had previously been rejected. Log entries are given with the time in seconds at the start, followed by the relevant process or subsystem name, and the message. I have edited out thousands of other messages which aren’t directly relevant.

The first entry records the keypress being sent to Safari to handle, following which one of the responses is to create a network task through App Transport Security (ATS), which becomes connection 41, for which TLS is enabled.
0.631303 Safari AppKit sendAction: 0.636017 ATS com.apple.WebKit.Networking CFNetwork Task <6E5C8F63-3126-4223-8B4E-AF80B0F54927>.<1> {strength 0, tls 4, ct 0, sub 0, sig 1, ciphers 0, bundle 1, builtin 0} 0.636655 com.apple.WebKit.Networking libnetwork.dylib nw_connection_create_with_id [C41] create connection to Hostname#b1c3128f:443 0.636661 CFNetwork Connection 41: enabling TLS 0.636662 CFNetwork Connection 41: starting, TC(0x0)

About 0.03 seconds after the keypress, Safari Safe Browsing looks up the URL I had entered, to check whether it’s a blacklisted site.
0.666825 SafariSafeBrowsing Look up a url 0.666972 SafariSafeBrowsing Send GetSafeBrowsingEnabledState message to safe browsing service 0.668560 SafariSafeBrowsing Receive GetSafeBrowsingEnabledState response from safe browsing service 0.668582 SafariSafeBrowsing Send GetDatabases message to safe browsing service with protection type 1 0.668605 SafariSafeBrowsing Already waiting for GetDatabases response with protection type 1 0.668641 SafariSafeBrowsing Received GetDatabases message with protection type 1 0.668675 SafariSafeBrowsing Send GetDatabases reply with protection type 1 0.668700 SafariSafeBrowsing Receive GetDatabases response from safe browsing service with protection type: 1 0.668701 SafariSafeBrowsing Receive GetDatabases response from safe browsing service 0.668748 SafariSafeBrowsing Perform url lookup in the database 0.668881 SafariSafeBrowsing There are no matches in databases with given url
It’s interesting to note the time delays involved here: the first response took around 0.0015 seconds, and GetDatabases messages were responded to in around 0.0001 seconds, implying that these are local and not remote lookups.

Safari also uses machine learning to determine whether sites are likely to be part of a phishing attack, a result which is reported in the log.
0.697267 MLPhishing Safari SafariSharedUI Classified URL <private> as LikelyNotPhishing

macOS uses an open source derivative of OpenSSL named BoringSSL to handle its TLS connections. At this stage, the server certificate is obtained and verified before calling for its trust evaluation.
0.779674 libboringssl.dylib boringssl_context_info_handler(1873) [C41.1:2][0x7fcd7a23e730] Client handshake state: TLS client read_server_certificate 0.779695 libboringssl.dylib boringssl_context_info_handler(1873) [C41.1:2][0x7fcd7a23e730] Client handshake state: TLS client read_certificate_status 0.779696 libboringssl.dylib boringssl_context_info_handler(1873) [C41.1:2][0x7fcd7a23e730] Client handshake state: TLS client verify_server_certificate 0.779786 libboringssl.dylib boringssl_context_evaluate_trust_async(1547) [C41.1:2][0x7fcd7a23e730] Performing external trust evaluation 0.779813 libboringssl.dylib boringssl_context_evaluate_trust_async_external(1532) [C41.1:2][0x7fcd7a23e730] Asyncing for external verify block 0.779815 libboringssl.dylib boringssl_session_handshake_incomplete(96) [C41.1:2][0x7fcd7a23e730] Handshake incomplete: certificate evaluation result pending [16]

Strict trust evaluation, performed by trustd the macOS certificate trust evaluation service, finds a problem with the TemporalValidity not of the server (leaf) certificate, but in its chain of trust. Note that there’s no evidence that those certificates are downloaded.
0.779840 CFNetwork Connection 41: asked to evaluate TLS Trust 0.779990 Security SecTrustEvaluateIfNecessaryFastAsync 0.780573 trustd cert[1]: TemporalValidity =(leaf)[]> 0 0.780575 trustd Security SecItemCopyParentCertificates_ios 0.801844 trustd cert[1]: TemporalValidity =(leaf)[]> 0 0.802065 trustd cert[2]: TemporalValidity =(leaf)[]> 0 0.802136 trustd Security SecItemCopyParentCertificates_ios 0.804712 trustd cert[1]: TemporalValidity =(leaf)[]> 0 0.804718 trustd cert[2]: TemporalValidity =(leaf)[]> 0 0.804731 trustd cert[1]: TemporalValidity =(leaf)[]> 0 0.804784 trustd cert[1]: TemporalValidity =(path)[]> 0 0.804786 trustd cert[2]: TemporalValidity =(path)[]> 0 0.805392 Security Trust evaluate failure: [ca1 TemporalValidity] [root TemporalValidity] 0.805394 CFNetwork StrictTrustEvaluate failed 0.805490 Security Trust evaluate failure: [ca1 TemporalValidity] [root TemporalValidity] 0.806455 Security Trust evaluate failure: [ca1 TemporalValidity] [root TemporalValidity]

This is reported as an error with the code -9814, officially errSSLCertExpired, which is reported upward as code -1202, kCFURLErrorServerCertificateUntrusted.
0.806476 CFNetwork Connection 41: default TLS Trust evaluation failed(-9814) 0.806476 CFNetwork Connection 41: TLS Trust result -9814 0.806477 CFNetwork Connection 41: TLS Trust encountered error 3:-9814 0.806477 CFNetwork Connection 41: encountered error(3:-9814) 0.806478 CFNetwork Connection 41: cleaning up 0.806566 CFNetwork Connection 41: unable to determine interface type without an established connection 0.806610 CFNetwork Task <6E5C8F63-3126-4223-8B4E-AF80B0F54927>.<1> can retry(N) with reason(2) for error [3:-9814] 0.806614 CFNetwork Task <6E5C8F63-3126-4223-8B4E-AF80B0F54927>.<1> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9814]) 0.806637 CFNetwork Task <6E5C8F63-3126-4223-8B4E-AF80B0F54927>.<1> summary for task failure {transaction_duration_ms=170, response_status=0, connection=41, reused=1, request_start_ms=0, request_duration_ms=0, response_start_ms=0, response_duration_ms=0, request_bytes=0, response_bytes=0, cache_hit=0} 0.806638 libboringssl.dylib boringssl_context_evaluate_trust_async_external_block_invoke(1520) [C41.1:2][0x7fcd7a23e730] Cancelled during verify block 0.806653 libnetwork.dylib [C41 Hostname#b1c3128f:443 tcp, bundle id: com.apple.Safari, pid: 9933, account id: 408aa850, url hash: 58ae3951, tls] dealloc 0.806660 CFNetwork Connection 41: done 0.806790 SymptomEvaluator [0.000] 9936 com.apple.WebKi (null) SYMPTOM_CERT_ERROR cfnet 00000003 ffffffffffffd9aa 00000027 00000001 0.806824 SymptomEvaluator CERT_ERROR from com.apple.WebKi, domain 3 error -9814 num attempts 39 num symptoms 1 0.806825 SymptomEvaluator Remove cert error from history: too old, retain time 60 0.806828 SymptomEvaluator Remove cert error from history: too old, retain time 60 0.806830 SymptomEvaluator evaluate gives null, count 1 while threshold 3
That’s the first of three attempts to evaluate the server’s certificate.

Second and third attempts end in the same error.
0.923955 CFNetwork Connection 42: asked to evaluate TLS Trust 0.927388 CFNetwork Connection 42: default TLS Trust evaluation failed(-9814) 0.927756 SymptomEvaluator evaluate gives null, count 2 while threshold 3

Faced with that, Safari then displays the certificate error to the user.
0.984727 JavaScriptCore Displayed certificate error with error code: -1202

brokencerts05

The certificate information provided by Safari on that Mac showed it was the intermediate certificate which had already expired, a day before the Root did. However, as I have already recorded, connecting to exactly same site using Safari 15 on Monterey beta resulted in success, with the certificate information reporting the updated certificates, neither of which had expired.

brokencerts09

As far as I can see, the only explanation consistent with these logs and the observations on the two systems running side-by-side on the same network is that the Big Sur system obtained its intermediate and root certificate information locally, from a cache or database which hadn’t been updated for the new certificates, while the Monterey system obtained fresh certificate information which did reflect the changes.

I welcome alternative explanations, provided that those too fit these facts.

18Comments

Add yours

1

kapitainsky on October 4, 2021 at 7:02 am

I think your conclusions are correct. I have two different Big Sur laptops (both fully updated and running Safari 15). The one I use Safari extensively fails on your example – https://www.chimet.co.uk. But the other one where pretty much I never used Safari has no issue showing this website.

LikeLiked by 1 person
- 2
  
  hoakley on October 4, 2021 at 10:33 pm
  
  Thank you.
  Others are reporting the same with other affected sites too.
  Howard.
  
  LikeLike
3

fds on October 4, 2021 at 7:25 am

You’ve got the final conclusion reversed, as I’ve already noted in a comment yesterday.
You can go ahead and see the certificates the misconfigured site sends you:
openssl s_client -showcerts -connect http://www.chimet.co.uk:443

This openssl command most assuredly has no caching facility, and will always get everything live.
You can see that it wrongly serves the old, outdated intermediate certificate, one that should have no hope of working. And if only the administrators of that server wouldn’t have messed up their Let’s Encrypt automated updates, would have been replaced many months ago without any human intervention.

1 s:C = US, O = Let’s Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
—–BEGIN CERTIFICATE—–
…
—–END CERTIFICATE—–

You can save it into a file named something.pem, then Quick Look it to peek at the details in the same kind of friendly GUI familiar from Safari.
This one is hopeless on two counts: for once, it itself has expired on September 29, and is solely signed by the DST Root CA X3 root certificate as the issuer, which itself has also expired September 30.

Now do the same experiment on a server that is properly set up – your own blog, or letsencrypt.org.

1 s:C = US, O = Let’s Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
—–BEGIN CERTIFICATE—–
…
—–END CERTIFICATE—–

You can see they also serve the R3 intermediate certificate, but this one is updated. It will only expire in 2025, and it is issued by the ISRG Root X1, Let’s Encrypt’s own Root CA, which you can verify in Keychain Access’s System Roots that it is already preinstalled and trusted on any non-obsolete Mac, and will only expire in 2035.
All great!

But wait– you might notice there’s also a third certificate being served now on servers that got properly updated (eclecticlight.co, letsencrypt.org, etc): the ISRG Root X1 itself, with a cross-signature from the old DST Root CA X3. What’s the point, you might rightly wonder, since that DST root has expired? It’s a funky workaround they’ve found to extend an additional lifeline to obsolete Android devices. Those only trust the DST Root X3, and not include the ISRG Root, but also uniquely don’t care if any root certificate in their system store has expired.
You can simply ignore it, same as your modern macOS will.
(Let’s Encrypt also now offers an option for their automated certificate update system to opt out of including this Android workaround on your servers.)

Now back to your current Macs.

We can see that your Big Sur system is working exactly as expected, retrieving what’s currently getting served on that http://www.chimet.co.uk server, and popping up the expected error as a result. No caches to expunge, this one is actually going by what is provided by the server currently.

Then that Monterey system, unexpectedly proceeding, and letting the site load: the only explanation for that is if it has somehow cached, or has installed the proper, updated R3 intermediate certificate from someplace else, since chimet is definitely not supplying it.

LikeLiked by 2 people
- 4
  
  kapitainsky on October 4, 2021 at 7:43 am
  
  I did few more tests.
  This website fails on my macOS on all browsers but Firefox.
  It works with any browser on Windows.
  It works with any browser on Open BSD.
  It works on fresh macOS installation – I tested using VMware images- I tried High Sierra, Mojave, Catalina and Big Sur
  
  LikeLiked by 1 person
- 5
  
  hoakley on October 4, 2021 at 10:47 pm
  
  Thank you.
  How then do you explain the observation that’s now being reported quite widely that freshly installed recent versions of macOS, including Big Sur, often appear able to connect to that canonical example and other affected sites without error, while systems which have seen a lot of browsing history (like my iMac Pro) are unable to because of errors?
  Howard.
  
  LikeLike
6

FourCandles on October 4, 2021 at 10:43 am

Interestingly there are 2 paths for validation:

https://www.ssllabs.com/ssltest/analyze.html?d=www.chimet.co.uk

One uses the server-supplied intermediate R3 cert (which is not valid – expired) and the other uses a downloaded intermediate R3 which is valid and tied to a different root, as discussed above.

This may explain the inconsistency with different systems on the same network. One system is not configured to try the extra download while the other system is configured to do so.

This means there is no caching of incorrect certs, but rather the systems that show a valid chain of certs is allowing the correct intermediate to be downloaded and used to validate the leaf cert.

LikeLiked by 2 people
- 7
  
  kapitainsky on October 4, 2021 at 11:26 am
  
  actually it would also point into some sort of caching. In case of the same Safari browser on the same macOS version I can produce different results. It looks like one Safari used validation path 1 before when it was OK and when it is invalid now it fails. But another one never used path 1 – so uses path 2 and displays this website without any issus.
  
  LikeLiked by 1 person
  - 8
    
    hoakley on October 4, 2021 at 10:51 pm
    
    I agree.
    I think this is rather more complex than it might appear.
    So today instead of immersing myself in this craziness, I spent much of the day with the more rational Don Quixote!
    Howard.
    
    LikeLiked by 1 person
- 9
  
  hoakley on October 4, 2021 at 10:49 pm
  
  Thank you.
  That’s an option available in manual trust evaluation in macOS, but apparently isn’t used in this particular situation.
  Howard.
  
  LikeLike
10

kapitainsky on October 5, 2021 at 12:27 pm

BTW – https://www.chimet.co.uk guys reissued their letsencrypt cert and now its certification path is 100% valid – https://www.ssllabs.com/ssltest/analyze.html?d=www.chimet.co.uk

At least problem solved for their customers.

But the question remains regarding Safari behaviour. For me the lesson is to always have Firefox installed – and actually use it more.

LikeLiked by 1 person
- 11
  
  hoakley on October 5, 2021 at 5:42 pm
  
  Thank you. Yes, I noticed that last night, and it comes with a new leaf certificate too.
  As I hope the logs above show, this isn’t Safari, but macOS. While Firefox’s circumvention of that system-level protection can be useful at times, it could also expose the user to greater risk. You make the choice!
  Howard.
  
  LikeLiked by 1 person
  - 12
    
    kapitainsky on October 6, 2021 at 5:13 pm
    
    Yes this is user choice. Firefox is using its own certs store – independent from OS one. Now what is more trusted – close sourced Apple software or Open Source Firefox is something debated by many. There is no clean answer here.
    
    LikeLiked by 1 person
    - 13
      
      hoakley on October 6, 2021 at 9:29 pm
      
      Well, in fairness to Apple they document their root certificates very clearly. What I don’t understand is how Firefox seems content to accept an expired intermediate certificate, which just doesn’t seem to be the protection that I’d expect from my main browser, open source or not. Indeed, when it comes to open source, I think you’ll find that Safari is almost as good as Firefox in that respect, but it isn’t the browser that’s generating the validation error here either.
      Howard.
      
      LikeLiked by 1 person
    - 14
      
      kapitainsky on October 7, 2021 at 5:26 am
      
      Firefox never accepted expired certificate. Chimet website certificate had two certification paths and one was always valid. Problem is with Safari/macOS logic what to do when previously valid path becomes invalid e.g. when leaf certificate expires. Firefox it looks just checks available second one when Safari does not unless (e.g. fresh macOS installation) the first one was never seen before.
      
      LikeLiked by 1 person
    - 15
      
      hoakley on October 7, 2021 at 5:53 am
      
      Thank you.
      Firefox gives the server the benefit of the doubt. It assumes that serving an expired intermediate certificate is an error, so checks the intermediate certificate directly. That’s not as strict as macOS, which says that if a server provides an expired intermediate certificate, the leaf isn’t valid, and I think that was what was happening with my canonical example on my well-used system.
      I think we know that caching was also involved, from our tests on ‘fresh’ systems, but I’m still not sure how big a role that played on modern macOS. As the caching is largely opaque, and I didn’t have the tools to assess it, we can’t make any assumptions about it.
      Howard.
      
      LikeLike
16

Tony on October 5, 2021 at 4:36 pm

A bit off-topic I know but… all this logging worries me a bit. The list of log entries above seems appropriate for the programmer debugging Safari but excessive for a live system. Shouldn’t they turn off some of it in a shipping product (or, indeed, don’t they have sufficient confidence to turn it off)? The performance impact is likely negligible but there is still a ‘not see the wood for the trees’ angle.

I also wonder about the impact on SSD storage: should we be concerned about consumption of its limited number of write cycles? I have never seen a wholly satisfactory value for the life of an SSD so can’t hazard a guess at the impact but this does look like a process that’s going hell for leather to write transient data.

Can you reassure me?

LikeLiked by 1 person
- 17
  
  hoakley on October 5, 2021 at 5:49 pm
  
  Thank you.
  Well, if Apple did turn it off (or the volume down), we wouldn’t know a great deal more about macOS, so in the long run we would be the losers.
  It ensures that when you send a sysdiagnose to Apple, they get plenty of log entries to work with, which should make identifying bugs and other problems much easier for the engineers.
  The cost is low: the log system has negligible impact on performance, and the log files are in compressed binary, so probably account for around 1 GB of storage used each month on a heavily-used Mac. logd does the housekeeping to ensure that at any moment the log files are modest in size, although that does shorten the duration of full records available at any moment. Transient log entries aren’t written to storage, but held in memory.
  The sadness is that Apple doesn’t yet provide any really good tool for users to access this treasure trove of information.
  Howard.
  
  LikeLike
18

Michael Tsai - Blog - Some Web Sites Will Stop Working With El Capitan and Older on February 17, 2022 at 2:26 pm

[…] Howard Oakley: […]

LikeLike

·Comments are closed.

Share this:

Related