3 Replies Latest reply: Mar 15, 2013 10:50 AM by pbrickey RSS

    OSX Mountain Lion App store vs MWG


      At my client, there is a small smattering of Special Egg Mac users.   Unfortunately, they are reporting that the App Store for updates is ... not working through the MWG's. 


      Any tips or experiences appreciated. 


      I'm seeing some barking about swscan.apple.com and its SSL cert not matching.  Which is odd because from another IP address/computer/version of curl,  curl claims the altname of the cert matches swscan.apple.com   ... but from my proxy command line, curl -visk https://swscan.apple.com/   only sees a CN of *.isu.apple.com which of course... doesn't match.    openssl s_client -connect:swscan.apple.com | openssl x509 -txt      seems to be consistent across all the ip's and OS's I tested from, and all seem to be quite sure that the SSL cert is CN's and alt subject'd for *.isu.apple.com   and not swscan.apple.com. 


      Curious if others see issues with swscan.apple.com 's ssl cert, and/or know how if at all it figures in with this issue preventing Mountain Lion machines from pulling OS updates.   Does apple have this goofed up and is MWG doing the right thing with it?   Is it safe/necessary to pull this one into the cert whitelist?


      Thanks in advance for any shared fun wtih Apple OS X.


      on 2/27/13 12:42:08 AM CST
        • 1. Re: OSX Mountain Lion can't get updates via MWG?

          This is still unresolved (help from other people with Macs updating behind an MWG and strong egress rules still being solicited!), but I did learn several things:


          1) MWG doesn't appear to grok sites that use SSL SNI (server name identification).  http://en.wikipedia.org/wiki/Server_Name_Indication


          If you have access to a linux box or cygwin with a recent openssl ( > 1.0 )  have a look at



          openssl s_client -showcerts -servername swscan.apple.com -connect swscan.apple.com:443



               (which gives the appropriate swscan.apple.com  certificate)




          openssl s_client -showcerts -connect swscan.apple.com:443  



               (which coughs up the *.isu.apple.com wildcard certificate)


          This difference is telling.   MWG appears to ship with openssl 0.9.8.x    ... which doesn't grok SNI and its s_client lacks the -servername support.      So methinks a lot of people who have a certificate verification rule in their policy  will have to manually add a cert whitelist entry for swscan.apple.com  to work through the difference between *.isu.apple.com  and swscan.apple.com.


          2) In addition to having to manually import swscan.apple.com's SSL cert, if you're controlling POST uploads in an environment, apparently Apple wants to upload things to:

          • su.itunes.apple.com
          • *-caldav.icloud.com

          [update:  this may be a red herring -- the user with whom I was working admitting to having registered it with his personal Apple account which may have caused this communication to happen and may be unrelated to updates]



          3) And if you're blocking personal storage networks, even if icloud isn't configured mountain lion appears to want to download from

          • *keyvalueservice.icloud.com



          But I still don't have this football in the endzone.  For some reason I'm still getting blocks  from keyvalueservice.icloud.com that I'm trying to clear.


          Message was edited by: Regis on 3/5/13 5:18:53 PM CST
          • 2. Re: OSX Mountain Lion can't get updates via MWG?

            Any folks wtih Macs in their environment able to lend some insights?

            • 3. Re: OSX Mountain Lion can't get updates via MWG?

              Hi Regis,


              It also appears that the app store Mountain Lion doesn't play well with chunk encoding. Have you tried adding the proxy control to your whitelists?