What does an unrecognised leaf certificate mean?

694    Asked by ankur_3579 in Cyber Security , Asked on Mar 1, 2022

 Every 15 minutes or so I get this message in my system.log

Apr 25 22:05:36 Ivans-MacBook-Pro.local apsd[194]: Unrecognised leaf certificate Apr 25 22:20:57 Ivans-MacBook-Pro.local apsd[194]: Unrecognised leaf certificate Now I have figured out approximately what is what: apsd - Apple Push notification Service Daemon Leaf certificate - The first certificate in the certificate chain(Not sure,

mentioned on some Microsoft site) But what does it mean? How serious is it? What exactly is the leaf certificate? Do I have a false/bogus certificate on my system? It's a pretty clean Mac OS X Mavericks 10.9.2 install, only few apps from the official Mac App Store installed(Xcode and few other coding editors)

Answered by ankur Dwivedi
apsd -- Apple Push Notification service daemon

By sampling the running process in the Activity Monitor I get this:
Path: /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
Version: 206.2
Code Type: X86-64
Parent Process: launchd [1]

The process is launched at system boot and remains constantly active. Every 15 minutes a log message is generated in the system.log file(Viewable by the Console app), containing a warning that there is a Unrecognised leaf certificate. I've used tcpdump/Wireshark to sample the network traffic four individual times(just to be sure).

First time:
Destination: 4-courier.push.apple.com (17.172.232.62)
Port: 5223
Second time:
Destination: 14-courier.push.apple.com (17.149.32.65)
Port: 5223
Third time:
Destination: 44-courier.push.apple.com (17.172.233.136)
Port: 5223
Fourth time:
Destination: 23-courier.push.apple.com (17.149.36.193)
Port: 5223
The IP addresses really do belong to Apple,
NetRange: 17.0.0.0 - 17.255.255.255
CIDR: 17.0.0.0/8
OriginAS:
NetName: APPLE-WWNET
NetHandle: NET-17-0-0-0-1
OrgName: Apple Inc.
OrgId: APPLE-1-Z
Address: 20400 Stevens Creek Blvd., City Centre Bldg 3
City: Cupertino
StateProv: CA
PostalCode: 95014
Country: US
RegDate: 2009-12-14
Updated: 2011-03-08
Ref: http://whois.arin.net/rest/org/APPLEC-1-Z
The traffic was(as expected) SSL on custom port 5223 as described here: http://support.apple.com/kb/HT6175
Port: 5223
TCP or UDP: TCP
Service or Protocol Name: Apple Push Notification Service
RFC: -

Service Name: -

Used by / Additional information: iCloud DAV Services (Contacts, Calendars, and Bookmarks), APNS, FaceTime, Game Centre, Photo Stream, Back to My Mac
The certificate that the server is sending however looks like this:
Identity: courier.push.apple.com
Verified by: Entrust Certification Authority - L1C
Expires: 11/21/2015
Subject Name
C (Country): US
ST (State): California
L (Locality): Cupertino
O (Organisation): Apple Inc.
CN (Common Name): courier.push.apple.com

Apple obviously changed something in the load balancing scheme because apsd is never connecting directly to the domain courier.push.apple.com. And the service is not reachable through that domain if one attempts to connect manually from the browser (as https://courier.push.apple.com:5223) either. However on mentioned subdomains:

https://4-courier.push.apple.com:5223 https://14-courier.push.apple.com:5223 https://44-courier.push.apple.com:5223 https://23-courier.push.apple.com:5223

It is possible and the error appears: "This certificate is not valid(host name mismatch)". What I believe is happening is that apsd is reporting the same thing, but the developers decided to write that in the logs as Apple should create a new certificate that includes a wildcard (CN (Common Name): *courier.push.apple.com) to correct this issue. I've submitted a Feedback/Bug Report on http://www.apple.com/feedback/macosx.html But this could be more serious than just an annoying log message, if apsd is actually ignoring the wrong certificate and just continuing to work! Continued here: Is Apple's push notification service implementation vulnerable to a MitM attack



Your Answer

Interviews

Parent Categories