Safari 4.0.4, certification chain and resigned roots
We have noticed that 4.0.4 (and probably older and more recent versions) performs an all too strict comparison of the certifications chains containing the root.Instead of simply checking the trustworthiness of the root, Safari also checks if the root presented is the same than the one it has in stock. But it can be problematic with resigned root certificate (such as MD2 at SHA1, see VeriSign Class 3 Public Primary Certification Authority v2009).
Troubleshooting: remove the root of the certification chain from the server. Safari will then only check the trustworthiness of the root and won't perform a raw comparison.
Last edited on 07/26/2012 07:17:13 --- [search]