I will report back if it continues to work.If you sync your iCloud Passwords with Windows, Apple’s new, dedicated iCloud Passwords app is going to give you some much-needed new abilities. Has anyone tried the same thing with the portal firewall? You can connect securely to anything.Īnyone else have anyhting to add. It didn't The settings were set correctly to off but once the keychain is pooched, that's it. They are there for a very good reason.īy the way in my previous post I was going to try turning them off at the command line when the keychain would not load to see if it would help? Once that is done and things work as they should remember to make sure you turn on OSCP and CRL checks. Once that is done AND the firewall allows OSCP and CRL checks then it all seems to work as designed. You will of course have to go through the whole reboot to recovery mode and fix drive and permissions to get the keychain access back and delete the unkown cert. Once I had our wireless networking admin add in the exceptions for our portals' certificate status (they can find them in the certificates themselves), then everything seems to work. When you launch it you get the beachball. What I see hapening is after this, a certificate shows up in the login keychain called "unkown". If it blocks these attempts, Lion thinks it is a hijack and will not go on the net. What needs to be done at the portal is to make acceptions in the firewall to allow the machines to get out to whatever CRL and OSCP sites needed to verify the status or revokation of the certificates being handed out by the portal itself. If you turn off the checks that seems to work but htat is a bad idea. If you are using a coptive portal to get to the internet is breaks because it cannot check for the certificate revokation. Having to set machines to not check for revokation of certificates seems like one more step closer to just throwing put the whole trusted certificate idea as a usable security method. I will report back any success or failure as a workaround for this method. I have our network security people looking into allowing the certificate checks for our systems to go even from the captive portal. We are seeing a continual stream of students coming into our HelpDesk with this problem and the fixes above only work for a short period of time. The next time my test machine beachballs while trying to launch Keychain access, I am going to try this as a quick workaround myself.
You can set these values in the command line using the following:ĭefaults write CRLStyle -string OFFĭefaults write OCSPStyle -string OFF If the issuer is on the internet and you are stuck in a captive portal then how can you check? I think Lion is getting into a catch 22 here. The two settings, OSCP and CRL are both methods to make sure a certificate is still valid and should be trusted by checking up the chain to the issuer.
However, it is not ideal because it stops the Keychain from checking whether or not a certificate has been expired or revoked. We are finding the same solution seems to work for the time being with our systems at the University I work at. Can someone offer instructions for everyone? PPS Turning off OCSP and CRL through the terminal may be possible, bypassing the tedium of getting keychain access open. PS Can someone explain the dangers of having both OCSP and CRL set to off? It is surely a security risk and therefore only a temporary fix to get you to highly trusted sites. Now try connecting to the internet, as this resolved the issue for me. Once you have it open, go to preferences. Bacially keep trying until you can get it open, you ought to eventually strike. On one occassion it opened after a restart on my first attempt to open it, the second time I managed to get it open I had no browsers open but was using Excel 08 (after trying a few minutes earlier to open it with no success). I'm afraid my solution involved getting keychain access open. Attempting to open keychain access only resulted in the spinning wheel. I was having this same problem, my university network (through ethernet) wasn't connecting, and nor was my home wifi network.
0 kommentar(er)
