Mac OS X Lion 10.7.2 update breaks SSL




After updating from 10.7.1 to 10.7.2, neither Safari nor Google Chrome can load GMail. Spinning Beachballs all around.

The problem isn't GMail; Firefox loads GMail just fine.

The problem isn't limited to Safari or Google Chrome; other applications also have trouble with SSL: Gilgamesh and Safari. Any program that uses WebKit (Google Chrome, Safari) or a Cocoa library (Gilgamesh) to access the Internet has trouble loading secure sites.

The various forums online suggest a handful of fixes, none of which work.


Fix #1: Open Keychain and delete the Unknown certificate.

The 10.7.2 update also prevents Keychain Access from loading. The Keychain program itself shows Spinning Beachballs.

Fix #2: Delete ~/Library/Keychains/login.keychain and /Library/Keychains/System.keychain.

This temporarily resolves the issue and lets you load secure sites, but a minute or two after rebooting or hibernating, something somehow magically undoes the fix, so you have to delete these files over and over.

Fix #3: Delete ~/Library/Application\ Support/Mob* and /Library/Application\ Support/Mob*.

There is a rumor that the new MobileMe/iCloud service ubd is causing the issue. This fix does not resolve the issue.

Fix #4: Open Keychain Access, open the Preferences, and disable OCSP and CRL.

This fix does not resolve the issue.

Fix #5: Use the 10.7.0 -> 10.7.2 combo installer, rather than the 10.7.1 -> 10.7.2 installer.

When I run the combo installer, it stays forever at the "Validating Packages..." screen. The combo installer itself is bugged to He||.

I force-quit the installer, ran "sudo killall installd" to force-quit the background installer process, and reran the combo installer.

Same problem: it stalls at "Validating Packages..."


The only fix that works is deleting the keychains, but you have to do this every time you reboot or wake from hibernate. There is some evidence that ubd continually corrupts the keychain files, but the suggested ubd fix of deleting ~/Library/Application\ Support/Mob* and /Library/Application\ Support/Mob* does not resolve this issue.

Evidently, something is corrupting the keychain over and over and over.

Also posted on the Apple Support Communities.


Posted 2011-10-23T22:19:23.573

Reputation: 2 696

Same problem here on my MacBookPro and my iMac27, but it only occurs when I'm activating WiFi. As long as I work only over LAN everything is fine. Have to stay with 10.7.0 as long as this problem is not solved :-( – Thomas Hübner – 2011-10-24T08:14:17.290

Not trying to "me too" here, but gmail works fine for me in 10.7.2 and safari 5.1.2. What kind of add-ons are you running in Safari? Glims, click2flash, etc? – skub – 2012-01-16T23:46:25.063

Is this fixed in 10.7.3? – Tyilo – 2012-02-08T03:39:45.030



Our Mac support person has had success running DiskWarrior to fix the problem. None of his customers have reported the issue popping back up so far.


I've figured out a fix. The issue is happening because the captive portal replies to EVERYTHING. I adjusted the captive portal's DNS to give bad results for OCSP and CRL sites. I used in this case. The requests now time out instead of giving back incorrect data. It also works locally by changing "/private/etc/hosts" and adding entries like this:

The correct entries may depend on the CA for the certificate. I found these addresses while watching the connection using Wireshark.



Reputation: 2 109

Would Disk Utility or Onyx help, or does it have to be DiskWarrior? – mcandre – 2011-10-26T17:26:52.403

@mcandre We are still trying to figure out what DiskWarrior does to fix the problem. It isn't obvious from the log files it produces. – Joseph – 2011-10-26T18:23:56.677
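An added example, not code from any poster in this thread, to illustrate the failure mode Joseph describes above: a captive portal that answers every HTTP request with its own login page (or a redirect to it) also answers the client's OCSP and CRL fetches, so the client receives HTML where it expects a DER-encoded OCSPResponse. The function below classifies a captured responder reply as a genuine OCSP response, a captive-portal hijack, or a malformed/unexpected body. The sample replies are constructed for the example, and the portal hostname portal.example.test is a placeholder.

```python
"""Classify an HTTP reply to an OCSP request: real responder or captive portal?

Added example for the thread above; all replies below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 6960:
#   OCSPResponse ::= SEQUENCE {
#       responseStatus  OCSPResponseStatus,            -- ENUMERATED
#       responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}


@dataclass
class HttpReply:
    status: int
    headers: Dict[str, str]   # header names lower-cased
    body: bytes


def _der_length(buf: bytes, pos: int):
    """Parse a DER length field at buf[pos]; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ocsp_response_status(body: bytes) -> Optional[str]:
    """Return OCSPResponse.responseStatus if body is a plausible DER OCSPResponse, else None."""
    if len(body) < 5 or body[0] != 0x30:   # outer SEQUENCE tag
        return None
    parsed = _der_length(body, 1)
    if parsed is None:
        return None
    seq_len, pos = parsed
    if pos + seq_len != len(body):         # the SEQUENCE must span the whole body
        return None
    if body[pos] != 0x0A:                  # ENUMERATED tag for responseStatus
        return None
    parsed = _der_length(body, pos + 1)
    if parsed is None:
        return None
    enum_len, pos = parsed
    if enum_len != 1:
        return None
    return OCSP_STATUS.get(body[pos])


def classify_ocsp_reply(reply: HttpReply) -> str:
    """'ocsp:<status>', 'captive_portal', 'malformed' or 'unexpected'."""
    ctype = reply.headers.get("content-type", "").split(";")[0].strip().lower()
    if reply.status in (301, 302, 303, 307, 308):
        # Responders answer the OCSP request directly; a redirect (typically to a
        # login page) is the signature of an interceptor sitting in the path.
        return "captive_portal"
    if reply.status == 200 and ctype == "application/ocsp-response":
        status = ocsp_response_status(reply.body)
        return f"ocsp:{status}" if status else "malformed"
    head = reply.body[:512].lstrip().lower()
    if ctype.startswith("text/html") or head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "captive_portal"            # a web page where DER was expected
    return "unexpected"


# Constructed sample replies (not captured from a real network).
SAMPLES = {
    "good": HttpReply(200, {"content-type": "application/ocsp-response"}, bytes.fromhex("30030a0100")),
    "try_later": HttpReply(200, {"content-type": "application/ocsp-response"}, bytes.fromhex("30030a0103")),
    "portal_html": HttpReply(200, {"content-type": "text/html; charset=utf-8"},
                             b"<html><head><title>Wi-Fi Login</title></head><body>Please sign in</body></html>"),
    "portal_redirect": HttpReply(302, {"location": "https://portal.example.test/login"}, b""),
    "html_mislabelled": HttpReply(200, {"content-type": "application/ocsp-response"}, b"<html>login</html>"),
}


def classify_all() -> Dict[str, str]:
    return {name: classify_ocsp_reply(reply) for name, reply in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:18} -> {verdict}")
```

A client that hits the "captive_portal" case has learned nothing about revocation; the sane outcome is "status unknown, retry after the portal is passed", not a hang while the body is fed to the OCSP parser, and not a success. That is also why Joseph's DNS/hosts trick helps: a fetch that fails fast is handled, a fetch that returns a login page is not.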


Might I add that MobileMe is now iCloud so the folder is not Application Support/Mobi*, but rather Application Support/Ubiquity.

Delete that, though I had mixed results. It only worked 1/3 times. The way that definitely works is deleting:

~/Library/Keychains/login.keychain and /Library/Keychains/System.keychain

Just rinse and repeat. I'm not completely certain when the Keychain Access will break, but at some point (typically about 3 days in for me) everything stops working.

Firefox seems to get around things and if you don't want to do anything at all, you can turn off OCSP in Firefox (about:config) just to login to your wireless portal, and then remember to turn it back on. This won't fix Safari or Chrome though (what's the word on Opera?)

But the best solution is to restore to 10.7.1 or 10.7. I happened to have the DMG file from earlier and it was 10.7.1. Doing a "reinstall" only copies your Lion system files over and keeps your entire install in shape. So you're really just reinstalling the OS but keeping ALL your apps and data. So far this has been perfect. Just remember not to update to 10.7.2 if you're going to roll back.



Reputation: 21

SSL sites that did not work for me with Safari or Chrome worked for me with Firefox, just by using that browser instead. – RyanWilcox – 2011-11-18T21:50:07.057

It's because Firefox uses a different authentication method than Safari or Chrome. However it's not 100% reliable for me on 10.7.2. Sometimes I can bring up the login page for my captive portal at school. Other times I can't. The safest way is to roll back to 10.7.1. I've been on 10.7.1 for about 3 weeks now compared to 1+ month with 10.7.2 and it's night and day. No more constant rebooting and deleting files to get stuff to work. Let's hope 10.7.3 fixes things. – qwerasdf – 2011-11-28T09:12:36.620


Turning off OCSP and CRL checks is a very bad idea. Essentially you are saying you don't care about certificate revocation. This is not good given the number of certificate authorities getting hacked these days. It is why Apple upgraded its security for captive portals. The problem is in the captive portal connection itself. If you go to one, you cannot check for CRL or OCSP because (duh!) you are in the captive portal. Whoever provides this portal must also poke holes in their firewall to allow you out from the captive portal to check the certificates that the https captive portal page is giving you. We had to do this on our enterprise wireless system before Lion could get anywhere.



Reputation: 11


After weeks of frustration with this constantly recurring problem (and waiting for Apple to release a fix), I decided to look for any solution that would rollback from the 10.7.2 update. Unfortunately I didn't find any way of doing a rollback to 10.7.1 or 10.7.0.

I therefore decided to use the Lion Recovery and see how it affects the situation. I performed the recovery procedure by following the steps outlined in this Apple support article.

I'm happy to inform now that in my case, the problem has (hopefully) disappeared! For some reason, even though the Lion Recovery process reinstalled OS X back to the 10.7.2 version, I haven't had any problems with Keychain or SSL for over a week now.

I used the online recovery mode and it seems that the OS X version that is downloaded during the recovery process does have some sort of setup that doesn't corrupt the keychain. The Lion Recovery process was super smooth and I did not have to reinstall any apps or recover files from backup (I would still recommend doing backups). My MacBook Pro is version 5,1.

This is the first time for me that Apple's security update has broken OS X in such a big way. I still wonder why they haven't released a fix/update to correct this issue.

Pyry Liukas


Reputation: 111

Update: Lion Recovery does not provide a permanent fix. I was able to use Safari/Chrome for a few weeks before the problem reoccurred. So I'm sad to report that this doesn't provide the permanent fix I had hoped for :( – Pyry Liukas – 2011-12-14T07:54:00.800


In my experience this happens only when connecting behind a captive portal. I think the reason is that the operating system tries to validate the certificate of the captive portal's login page, but the validation process requires internet access. I was able to fix this problem by manually adding the certificate of the captive portal page to the keychain and marking it as always trust.

You can export the certificate with the following steps:

  1. Visit the captive portal page in Firefox
  2. Select Tools > Page Info > Security > View Certificate > Details > Export
  3. Save the certificate to your hard drive with the extension ".crt"

You can import the certificate with the following steps:

  1. Open Keychain
  2. Drag the certificate from Finder into a keychain
  3. Double click on the certificate and expand the "Trust" section
  4. Choose "When using this certificate: Always Trust"
  5. Close the popup window

If you cannot open Keychain Access because your keychain is corrupted, turn off wireless, delete ~/Library/Keychains/login.keychain and /Library/Keychains/System.keychain, and then reboot.

Jonathan Potter


Reputation: 271


(YMMV but it worked for me) -- I deactivated the network and rebooted to kill the keychain problem (otherwise it freezes Keychain Access); no need to delete anything. Then I deactivated OCSP and CRL, activated the network, connected to my captive portal, and then reactivated everything.

The problem is that the captive portal requires a certificate but blocks the certificate chain. Thank you to the other poster who suggested this.



Reputation: 11


I found the problem. It's caused by the security fix in 10.7.2 (Security Captive Portal Hijacking). It's likely that one of the networks you are connected to has a portal site, where you can enter login data... for me it was the WiFi network.

To solve this issue for now, deactivate all networks, reboot, start keychain, go to preferences, certificates, turn OCSP and CRL off. Reboot, activate your networks and there you go...

Thomas Hübner


Reputation: 1

Thanks, but disabling OCSP and CRL doesn't work for me. Also, the keychain keeps corrupting itself. – mcandre – 2011-10-24T21:17:53.590


I succeeded by doing "fix#2" as above.

In Terminal:

$ cd /Users/[username]/Library/keychains
$ remove login.keychain

and then reboot.

Riotaro OKADA


Reputation: 1

Or, for the currently logged-in user: cd ~/Library/keychains. Also, I don't know where your remove command came from, but that is non-standard. rm login.keychain works on any Mac. – Arjan – 2011-12-04T11:37:48.203




Reputation: 1


Welcome to Super User! It would be nice to include the essential parts of the answer here, and provide the link only for future reference.

– slhck – 2012-01-17T09:04:20.997