03 May 2015
Apple Security Update Broke SSL
“How to repair the damage caused by Apple's 2015-004 security update”

DISCLAIMER: I am by no stretch of the imagination a "Security Expert". So please bear in mind that following any advice I give on the subject is akin to placing your todger in the hands of Sweeney Todd and asking for 'Just a pubic trim, please…​'

DISCLAIMER2: In explaining this lot, I’m over-simplifying and using generic terms a lot. That’s partly because I don’t know what the feck I’m talking about. But also because this is aimed at the average user who wants to know what to do to fix their mac. I reckon if you already know a fair bit about this subject, you’ll have worked this out for yourself anyway.

However…​

Background

On 8th April 2015, Apple released a security update to OSX [Security Update 2015-004 to be precise], which was meant to fix some vulnerabilities in SSL --the system of 'authentication certificates' which prove to your computer that the various websites [and other web-based services] you are connecting to are really who they say they are --and not some spotty teenager in his foetid bedroom, pretending to be eBay, whilst trying to steal your credit card details.

Unfortunately in my case [and, as I subsequently found out, that of a lot of other people] the Security Update completely fecked my ability to connect to any kind of secure website at all, with either Safari or Chrome.

[Firefox implements its own security certificate checking, rather than relying on OSX for this. So it still worked OK]

In addition, I couldn’t login to iMessage, couldn’t access the Apple App Store and couldn’t view my iCloud account details in either System Preferences or iTunes. So, quite a monumental cock-up on Apple’s part then and --judging by the tumbleweed rolling through their support forums in response to people complaining about the problem-- being dealt with by Apple in their time-honoured inimitable fashion.

[Image: Apple’s QA Department, hard at work]

So, like everyone else in the same boat, I was forced to do a bit of digging around to see what I could come up with to try and alleviate the situation --rather than hold my breath waiting for Apple to get off their complacent arses and fix it any time soon. I’m calling what I’ve got an "[Almost!] Fix" because, whilst I’m now able to use the web again and login to iMessage, App Store and my iCloud accounts, I’m still not able to download software updates from the App Store.

[Which does make me wonder how the feck Apple are going to implement the fix for this when they do eventually get around to sorting it out. Bit of a Catch-22 in the making, methinks!]

UPDATE: I’m now dropping the 'Almost!' --App Store is working again now, too.

The Symptoms

Anyway, enough of the preamble. Before I help you completely break your computer, let’s just make sure that whatever problems are forcing you to plough through my turgid prose are the same ones caused by this software update:

Here [in no particular order] are some of the symptoms I experienced:

1: WEB BROWSING

Using Safari or Chrome, you are unable to connect to any websites using HTTPS. You either receive a warning or [in the case of Chrome and Twitter.com] a complete refusal to open the site:

[Image: Safari doesn’t even trust Apple’s own website]
[Image: Chrome won’t even allow you to 'take the risk' when visiting Twitter]

2: iMessage

Your iMessage account will be shown as 'Inactive' and all your contacts as 'Offline'. When you try to activate your iMessage account you are asked to login, but will not be able to do so:

iMessage shows all your contacts as 'Offline'…​

[Image: Where is everybody?]

…​and your account is shown as 'Inactive' --although other IM accounts, such as Jabber/Google Talk will continue to work fine.

[Image: Inactive? --how rude!]

If you try to 'Activate' your iMessage account, you’ll be asked to login [even if you hadn’t previously logged out]…​

[Image: Let’s try logging in…​]

…​however, you will not be able to login. iMessage will just throw up a really unenlightening error dialogue and ask you to check your network connections.

[Image: T’ain’t me, Apple. It’s you!]

3: iCloud

It’s a similar story with iCloud. Viewing the iCloud preference pane in System Preferences, it will look like you are logged in [see how it’s showing my name and a 'Sign Out' button]. However, if you click on 'Account Details'…​

[Image: Check my account details…​]

…​it will either time out or [as with iMessage] ask you to login, but then refuse to do so. [Sorry, forgot to screengrab this one!]

4: App Store

A familiar story again here. My screenshot below is slightly misleading as it shows content behind the dialogue. This is because I snapped it after effecting partial repairs. When the shenanigans was in full swing, there was no content at all in the App Store window, just an empty grey background.

[Image: App Store has logged me out too]

Needless to say, you won’t be able to login to the App Store either. You’ll either get an alert asking you to try again later, or nothing will happen at all. [Again, apologies for the lack of screenshot].

The Cause

With the abovewritten disclaimer regarding my congenital fuckwittism ringing in your ears, here’s my interpretation as to what’s gone wrong:

All these apparently unrelated problems have one thing in common --they all depend on SSL certificates to validate either the identity of the websites in question, or to secure your connection to various Apple services which require a login. And, in this particular instance, the certificates are all provided by Verisign.

Now, what seems to have happened is that, as part of the 2015-004 Security Update, Apple has somehow 'fucked up' [technical term!] the Verisign SSL certificates, so that they are no longer recognised as being valid by OSX. Therefore anything that depends on being authenticated by these certificates [ie. all the previously mentioned applications] is flagged up as being suspect --and the software in question either refuses to connect or warns you of dire consequences if you do.

The Fix

To fix this problem, you need to replace the Apple provided Verisign SSL certificates with 'proper' versions from Verisign themselves.

Let’s go!…​


First of all you’ll need to remove all the corrupted / expired / damaged [delete as appropriate] Verisign SSL certificates from your computer. These live in the Keychain Access application, which you can find in your Applications > Utilities folder. Its icon looks like a bunch of keys.

Open up Keychain Access and then:

  1. Select "All Items" in the left-hand pane.
  2. Enter "verisign" in the search box at the top.
  3. Delete [by selecting them and then pressing Backspace] the 3 or so Verisign certificates that will show up in the main pane.

[Image: Keychain Access app, after deleting knackered Verisign certs.]

Once again, apologies for the screengrab. I forgot to snap it before deleting the certificates that showed up in box three, which is why there’s nothing there! I think there were three, originally.

Now you need to go onto Verisign’s website and download some replacement 'Root' certificates, which you will find on this page. Click on the "Download a Root Package" link, which will download a zip file called roots.zip to your Downloads folder.

[Image: Verisign website with link to download new certs.]

Double-click the roots.zip file to unzip it, which will result in a folder called VeriSign Root Certificates, containing a pile of other folders, each of those containing the various Verisign security certificates themselves.

[Image: What you’ll be left with, after unzipping roots.zip]

These are the certificates you need to install to replace the knackered ones Apple has been peddling.

Now, at this juncture, someone who knew what the feck they were doing, would probably advise you that you just need to install one or three of these certificates to make all right with the world again. But, seeing as I’m not that guy, I just installed the whole lot, on the assumption a few extra ones wouldn’t do any harm.

To install the certificates, go through all the sub-folders in the VeriSign Root Certificates folder and drag any files ending in .pem or .cer into the pane in your Keychain Access app, from which you deleted the earlier dodgy Verisign certificates.

[NOTE: Keychain Access can be a bit picky about accepting the dropped certificates. You’ll know you’re dropping them in the 'sweet spot' if you see a red horizontal line appear in the pane, under where you’re trying to drop].

[Image: Drag the .pem and .cer files into Keychain Access’s main pane]

For each dropped certificate, Keychain Access will ask whether you want to install the certificate to the Login Keychain or the System Keychain. Use the popup at the bottom of the dialogue to choose the System Keychain each time, thus making the certificates available to all users of the computer.

Yes. This process is irritatingly repetitive and annoying and has actually been scientifically measured at 'Tedious Factor 6,4'.

[Image: When asked, select to install to the System Keychain, each time]

You’ll find that not all the certificates will 'take'. Keychain Access will spit most of them back in your stupid face but, at least in my case, 11 of them will be accepted and your Keychain Access app should now look like this:

[Note: I’m still filtering by putting 'verisign' in the search box. There will be more certificates than this in total]

[Image: Not all the certs will 'stick' but 11 of them will be accepted]

And that’s it. You can now quit Keychain Access and see if all this has done any good.
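As an added example, not part of the original post and not Apple’s or Verisign’s tooling: the check a cautious admin would make before the drag-and-drop step above. It fingerprints every .pem/.cer in the unzipped folder, marks for import only those whose SHA-256 fingerprint is on an allow-list you have verified out-of-band (so you install the one or three roots actually needed rather than 'the whole lot'), and builds the macOS `security add-trusted-cert` command that is the command-line equivalent of choosing the System Keychain. The folder names, the allow-list and the sample bytes are assumptions or constructed data.

```python
import base64
import hashlib
import re
import shlex
from pathlib import Path
from typing import Dict, List, Set

SYSTEM_KEYCHAIN = "/Library/Keychains/System.keychain"  # the author's "System Keychain"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def load_der_certs(data: bytes) -> List[bytes]:
    """Return the DER bytes of every certificate in a .pem or .cer file.
    A .pem may bundle several certificates; a binary .cer is one DER blob."""
    blocks = PEM_RE.findall(data)
    if blocks:
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    return [data]

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form Keychain Access displays."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def classify(files: Dict[str, bytes], allow_list: Set[str]) -> Dict[str, List[str]]:
    """Bucket each .pem/.cer as 'import' (every fingerprint in it is on the
    allow-list) or 'skip' (anything unknown). Only 'import' goes to the keychain."""
    result: Dict[str, List[str]] = {"import": [], "skip": []}
    for name, data in sorted(files.items()):
        if not name.lower().endswith((".pem", ".cer")):
            continue  # readmes, licences etc. in the unzipped folder
        fps = {sha256_fingerprint(der) for der in load_der_certs(data)}
        result["import" if fps and fps <= allow_list else "skip"].append(name)
    return result

def scan_dir(cert_dir: Path, allow_list: Set[str]) -> Dict[str, List[str]]:
    """Same as classify(), reading the unzipped 'VeriSign Root Certificates' tree."""
    files = {str(p.relative_to(cert_dir)): p.read_bytes()
             for p in cert_dir.rglob("*") if p.is_file()}
    return classify(files, allow_list)

def import_command(cert_path: str) -> str:
    """CLI equivalent of dragging a root into the System keychain (run with sudo)."""
    return (f"security add-trusted-cert -d -r trustRoot -k {SYSTEM_KEYCHAIN} "
            f"{shlex.quote(cert_path)}")

if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate (a real root is ~1 KB of DER).
    fake_pem = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"  # base64 of b"abc"
    allow = {sha256_fingerprint(b"abc")}  # in practice: fingerprints checked out-of-band
    print(classify({"Class 3/root.pem": fake_pem, "Class 3/other.cer": b"xyz"}, allow))
```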

The Outcome

OK. Let’s try revisiting a few of those recalcitrant websites and applications:

1: HTTPS websites

[Image: Chrome likes Twitter again]

2: iMessage

[Image: Can we login?…​]
[Image: Yes, we can!]

3: iCloud

[Image: Can we login?…​]
[Image: Yes, we can!]

The job is a veritable "Good 'un"! Well, almost …​the only fly in the ointment is the App Store. Although it seems to be back in business, showing me the latest crap I can buy and advising me of pending updates, any attempt to download anything times out…​

UPDATE: Would you believe it! While writing this up and grabbing the various screenshots required, I’ve just tried the App Store again and it successfully downloaded a pending update.

[Image: App Store successfully updated an app]

WooHoo! --so it’s complete success now. You gotta admit me and the 'Magic Computer Fixing Pixies' make a great team, don’t we?

Well, that’s all folks. Hope this helps some of you out. Get it done quick before someone with brains comes on here and spoils everything by pointing out why this is the stupidest thing to do in the history of stuposity!

Meta

TAGS: apple, security, update, ssl, https, broken, repair, cert, verisign

ORIGINAL PUBLICATION DATE: 03 May 2015

AUTHOR: stíobhart matulevicz

LAST MODIFIED: 25 Apr 2020  — REASON: "extract asciidoc preamble into separate file and include it"
