On Apr 30, 2021, at 3:07, rren...@gmail.com <rren...@gmail.com> wrote:
A few of us on MacAdmins #munki slack channel noticed that macOS 11.3 breaks mTLS client certificate authentication in Munki. Appears the client cert isn't sent (Munki gets server response 400 No required SSL certificate was sent).
--
Find related discussion groups here:
https://github.com/munki/munki/wiki/Discussion-Group
---
You received this message because you are subscribed to the Google Groups "munki-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to munki-dev+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/munki-dev/b3efc97c-bc5c-4c67-841c-98f97c3e938en%40googlegroups.com.
On Apr 30, 2021, at 11:19 AM, rren...@gmail.com <rren...@gmail.com> wrote:
I can confirm that np5's PR (https://github.com/munki/munki/pull/1077) fixes the issue in macOS 11.3.
I built munkitools with this branch (adding asn1crypto to code/tools/py3_requirements.txt).
managedsoftwareupdate successfully authenticated with the server using the client cert, finding the matching acceptable cert required by the server's request.
In my case it found the cert in the munki.keychain that was created by Munki (which is Munki's usual way of handling client certs from an on-disk file, e.g. /Library/Managed Installs/certs/client.pem).
Note that the method in the PR will potentially find certs added to other keychains (the purpose of the PR), since it searches all keychains, so this opens new ways of getting certs to clients, e.g. MDM.
# managedsoftwareupdate -vvv
...
Getting manifest redacted...
...
URLSession_task_didReceiveChallenge_completionHandler_
Authentication challenge for Host: munki.redacted.org Realm: None AuthMethod: NSURLAuthenticationMethodClientCertificate
Client certificate required
Accepted certificate-issuing authority: Common Name: redacted CA, Organizational Unit: redacted, Organization: redacted Locality: San Diego, State/Province: California, Country: US
Found matching identity
Will attempt to authenticate
...
Retrieved manifest
If you're using client certs, please test this PR and verify it's working for your implementation, under macOS 11.3 and other OS versions.
With enough testing, hopefully we can persuade Greg to merge it into the main branch.
-rob
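Since the thread asks people to test the PR on several OS versions and report back, here is an added example (not Munki code and not part of the PR) of how an admin can triage managedsoftwareupdate -vvv output collected from many clients. It classifies each log into three outcomes based on the lines quoted above: the server challenged for a client certificate and Munki found a matching identity (working), the challenge was seen but nothing matched in any keychain, or the server answered "400 No required SSL certificate was sent" (the macOS 11.3 symptom). It also parses the "Accepted certificate-issuing authority" line into a distinguished-name dict so the issuer of the client cert on disk can be compared against what the server will accept. The sample log text, host name, and the exact wording of the 400 line are constructed for the example; the line formats are modelled on the -vvv output in this thread.

```python
"""Triage managedsoftwareupdate -vvv output for mTLS client-certificate outcomes.

Added example, not Munki's own code. Assumes the -vvv log contains lines shaped
like the ones quoted in the munki-dev thread: 'Authentication challenge for
Host: ...', 'Client certificate required', one or more 'Accepted
certificate-issuing authority: ...' lines, 'Found matching identity', and, in
the failing case, a server response containing
'No required SSL certificate was sent'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attribute labels as Munki prints them for an accepted issuer DN.
_DN_LABELS = "Common Name|Organizational Unit|Organization|Locality|State/Province|Country"
# Lazy value match that stops at the next label, so a missing comma between
# attributes (as in the redacted log above) still splits correctly.
_DN_ATTR_RE = re.compile(rf"({_DN_LABELS}): (.*?)(?=,?\s*(?:{_DN_LABELS}): |$)")
_HOST_RE = re.compile(r"Authentication challenge for Host: (\S+)")
_ISSUER_RE = re.compile(r"Accepted certificate-issuing authority: (.+)")


def parse_dn(text: str) -> Dict[str, str]:
    """Turn 'Common Name: X, Organization: Y, ...' into {'Common Name': 'X', ...}."""
    return {label: value.strip() for label, value in _DN_ATTR_RE.findall(text)}


@dataclass
class ChallengeResult:
    host: Optional[str] = None
    accepted_issuers: List[Dict[str, str]] = field(default_factory=list)
    challenge_seen: bool = False
    identity_found: bool = False
    server_rejected: bool = False

    @property
    def status(self) -> str:
        if self.server_rejected:
            return "REJECTED"      # server saw no client cert: the macOS 11.3 symptom
        if self.identity_found:
            return "OK"            # matching identity found, auth attempted
        if self.challenge_seen:
            return "NO_IDENTITY"   # challenged, but no keychain identity matched
        return "NO_CHALLENGE"      # server never asked for a client cert


def triage(log_text: str) -> ChallengeResult:
    """Walk the log once and record the client-cert challenge outcome."""
    result = ChallengeResult()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _HOST_RE.search(line):
            result.host = m.group(1)
        elif line == "Client certificate required":
            result.challenge_seen = True
        elif m := _ISSUER_RE.search(line):
            result.accepted_issuers.append(parse_dn(m.group(1)))
        elif line == "Found matching identity":
            result.identity_found = True
        elif "No required SSL certificate was sent" in line:
            result.server_rejected = True
    return result


def issuer_accepted(client_issuer: Dict[str, str], accepted: List[Dict[str, str]]) -> bool:
    """True if the client cert's issuer DN exactly equals one the server accepts."""
    return any(client_issuer == dn for dn in accepted)


# Constructed sample logs (host, CA names and the 400 line wording are made up).
GOOD_LOG = """\
URLSession_task_didReceiveChallenge_completionHandler_
Authentication challenge for Host: munki.example.org Realm: None AuthMethod: NSURLAuthenticationMethodClientCertificate
Client certificate required
Accepted certificate-issuing authority: Common Name: Example CA, Organizational Unit: IT, Organization: Example Corp, Locality: San Diego, State/Province: California, Country: US
Found matching identity
Will attempt to authenticate
Retrieved manifest
"""

BROKEN_LOG = """\
Authentication challenge for Host: munki.example.org Realm: None AuthMethod: NSURLAuthenticationMethodClientCertificate
Client certificate required
Accepted certificate-issuing authority: Common Name: Example CA, Organization: Example Corp, Country: US
HTTP result 400 No required SSL certificate was sent
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("broken", BROKEN_LOG)):
        r = triage(log)
        print(f"{name}: host={r.host} status={r.status} issuers={r.accepted_issuers}")
```

Feed it the saved -vvv output of each client (for example collected by your MDM or a log shipper) and group by status; any client reporting REJECTED on 11.3 with an unpatched Munki is showing the regression described at the top of the thread, while NO_IDENTITY points at a cert whose issuer does not match what the server lists, which the parsed DN makes easy to spot.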