Big Sur 11.3 breaks mTLS client certificate authentication in Munki


rren...@gmail.com

Apr 29, 2021, 2:07:09 PM4/29/21
to munki-dev
A few of us on MacAdmins #munki slack channel noticed that macOS 11.3 breaks mTLS client certificate authentication in Munki. Appears the client cert isn't sent (Munki gets server response 400 No required SSL certificate was sent).

Does anyone have an instance where client certs are working under macOS 11.3? 

Output from managedsoftwareupdate -vvv looks similar to a pre-11.3 session that works fine -- it shows the same code path with URLSession_task_didReceiveChallenge_completionHandler_ callbacks, and AuthMethod: NSURLAuthenticationMethodClientCertificate, followed by Allowing OS to handle authentication request.

From my attempt to grok the Munki gurl.py code, this seems to imply that something has changed in the behavior of NSURLSessionAuthChallengePerformDefaultHandling under 11.3, or that something in the Munki keychain and identity preference setup isn't utilized, or some other issue.

Any ideas for additional debug steps or code modifications we can try to fix this problem?

Allister Banks

Apr 30, 2021, 12:56:52 AM4/30/21
to munk...@googlegroups.com
mTLS certs are not in munki’s Main branch, are you running a fork? Did you build and push code only available in the PR np5 sent?
Allister

On Apr 30, 2021, at 3:07, rren...@gmail.com <rren...@gmail.com> wrote:

A few of us on MacAdmins #munki slack channel noticed that macOS 11.3 breaks mTLS client certificate authentication in Munki. Appears the client cert isn't sent (Munki gets server response 400 No required SSL certificate was sent).
--
Find related discussion groups here:
https://github.com/munki/munki/wiki/Discussion-Group
---
You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/munki-dev/b3efc97c-bc5c-4c67-841c-98f97c3e938en%40googlegroups.com.

rren...@gmail.com

Apr 30, 2021, 12:19:12 PM4/30/21
to munki-dev
The np5 PR uses a somewhat different tack than Munki's current method to handle mTLS certs.

Currently, Munki responds to the NSURLAuthenticationChallenge for NSURLAuthenticationMethodClientCertificate by falling back and allowing the default system handling to proceed, which prior to macOS 11.3 worked. Munki would first set up for the default handling by creating a Munki.keychain containing the client cert and private key, and an identity preference for the server URL, and add this to the keychain search path. With this method, it's up to the OS to do the right thing. Something in this technique no longer works with macOS 11.3.

The np5 PR explicitly handles the NSURLAuthenticationMethodClientCertificate challenge by searching the keychains for a certificate that matches the accepted certificate-issuing authority from the client cert request sent by the server. If it finds a match, it uses this certificate to authenticate as the identity reference returned with NSURLSessionAuthChallengeUseCredential.

I'm hoping this PR gets around the issue with macOS 11.3. I'll need to build it and test, and suggest others do as well.


-rob

Matt Childress

Apr 30, 2021, 12:42:37 PM4/30/21
to munk...@googlegroups.com
The “Something in this technique no longer works with macOS 11.3.” is outlined here:

https://www.reddit.com/r/macsysadmin/comments/n0q9d3/installing_ca_certs/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

TL;DR — Apple tightened up security; that particular format of the security command in munki is now behind MDM/user auth.

Added to the GitHub problem tracker. 

M@
Sent from my iThneed

On Apr 30, 2021, at 11:19 AM, rren...@gmail.com <rren...@gmail.com> wrote:



Gregory Neagle

Apr 30, 2021, 1:33:31 PM4/30/21
to munki-dev
I don't think that's the same thing. Using the `security` command to add trusted certs to the System keychain stopped working with macOS 11.0. 

Something _new_ has changed around ClientCertificate challenges in macOS 11.3.

-Greg

Rob Renstrom

Apr 30, 2021, 2:55:11 PM4/30/21
to munki-dev

I can confirm that np5's PR (https://github.com/munki/munki/pull/1077) fixes the issue in macOS 11.3  

I built munkitools with this branch (adding asn1crypto to code/tools/py3_requirements.txt).

managedsoftwareupdate successfully authenticated with the server using the client cert, finding the matching acceptable cert, required by the server request. 

In my case it found the cert in the munki.keychain that was created by Munki (which is Munki's usual way of handling client certs from an on-disk file, eg /Library/Managed Installs/certs/client.pem).

Note that the method in the PR will potentially find certs added to other keychains (the purpose of the PR), since it searches all keychains, so this opens new ways of getting certs to clients, eg MDM.

# managedsoftwareupdate -vvv
...
Getting manifest redacted...
...
URLSession_task_didReceiveChallenge_completionHandler_
Authentication challenge for Host: munki.redacted.org Realm: None AuthMethod: NSURLAuthenticationMethodClientCertificate
Client certificate required
Accepted certificate-issuing authority: Common Name: redacted CA, Organizational Unit: redacted, Organization: redacted, Locality: San Diego, State/Province: California, Country: US
Found matching identity
Will attempt to authenticate
...
Retrieved manifest


If you're using client certs, please test this PR and verify it's working for your implementation,  under macOS 11.3 and other OS versions. 

With enough testing, hopefully we can persuade Greg to merge it into the main branch.

-rob
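The matching step that Rob describes in his two posts above (the server's client-certificate request carries a list of acceptable certificate-issuing authorities as DER-encoded X.509 distinguished names; the client picks an identity whose issuer is on that list) can be illustrated with the following added example. It is not Munki's code and not np5's PR: the PR uses asn1crypto and the macOS keychain, whereas this snippet carries a minimal DER Name encoder/decoder of its own and uses constructed sample data (a CA modelled on the redacted one in the log, a second unrelated CA, and two candidate identities) so it runs offline. The function names and the identity labels are assumptions made for the demo.

```python
"""Added example: select a client identity by matching the issuer DNs the server
accepts (X.509 Name, DER-encoded, as carried by the TLS CertificateRequest and
surfaced as protectionSpace.distinguishedNames) against each candidate's issuer.
Not Munki's code; the DER helpers are a minimal stand-in for asn1crypto."""

# Attribute-type OIDs used in the log's 'Accepted certificate-issuing authority' line
OID_NAMES = {
    "2.5.4.3": "Common Name",
    "2.5.4.11": "Organizational Unit",
    "2.5.4.10": "Organization",
    "2.5.4.7": "Locality",
    "2.5.4.8": "State/Province",
    "2.5.4.6": "Country",
}


# --- minimal DER encoding (used only to build the constructed sample data) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns):
    """[(dotted_oid, value), ...] -> DER X.509 Name with one UTF8String AVA per RDN."""
    sets = []
    for oid, value in rdns:
        ava = _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, value.encode("utf-8")))
        sets.append(_tlv(0x31, ava))  # RelativeDistinguishedName is a SET
    return _tlv(0x30, b"".join(sets))


# --- minimal DER decoding (what a client needs to read the server's DN list) ---
def _read_tlv(buf, pos):
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    parts = [str(body[0] // 40), str(body[0] % 40)]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def decode_name(der):
    """DER X.509 Name -> [(dotted_oid, value), ...] in encoded order."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn_set):
            _, ava, p = _read_tlv(rdn_set, p)
            _, oid_body, q = _read_tlv(ava, 0)
            _, val_body, _ = _read_tlv(ava, q)
            rdns.append((_decode_oid(oid_body), val_body.decode("utf-8")))
    return rdns


def describe_name(der):
    """Render a DN the way the -vvv log prints the accepted issuing authority."""
    return ", ".join(f"{OID_NAMES.get(oid, oid)}: {val}" for oid, val in decode_name(der))


def select_identity(acceptable_issuers, identities):
    """acceptable_issuers: DER names from the server's challenge.
    identities: [(label, issuer_der), ...] for every identity found in the keychains.
    Returns the label of the first identity whose issuer the server accepts, or None.
    Comparing raw DER bytes is exact and sidesteps string-normalisation mismatches."""
    wanted = set(acceptable_issuers)
    for label, issuer_der in identities:
        if issuer_der in wanted:
            return label
    return None


# Constructed sample data (values mirror the redacted log; not real certificates)
MUNKI_CA = encode_name([
    ("2.5.4.3", "redacted CA"), ("2.5.4.11", "redacted"), ("2.5.4.10", "redacted"),
    ("2.5.4.7", "San Diego"), ("2.5.4.8", "California"), ("2.5.4.6", "US"),
])
OTHER_CA = encode_name([("2.5.4.3", "Some Other CA"), ("2.5.4.6", "US")])
# hypothetical keychain contents: an MDM-pushed identity and Munki's own client.pem
IDENTITIES = [("mdm-pushed-identity", OTHER_CA), ("client.pem", MUNKI_CA)]

if __name__ == "__main__":
    print("Accepted certificate-issuing authority:", describe_name(MUNKI_CA))
    print("Found matching identity:", select_identity([MUNKI_CA], IDENTITIES))
```

Matching on the issuer DN is the same selection the OS default handling is expected to make from an identity preference; doing it explicitly, as the PR does, removes the dependence on that default behaviour and also explains why identities delivered by other means (an MDM profile, say) become candidates, since every keychain in the search list is consulted.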

Gaute Helfjord

May 3, 2021, 5:49:55 AM5/3/21
to munki-dev
Built and tested, and can confirm it works for our implementation under 11.3, but also previous versions of Big Sur, Catalina, Mojave and High Sierra.

Gaute