Lion 10.7.4 update breaks iCloud etc. behind a firewall + fix
Oh my, Apple, when will you ever get it that some users are behind a corporate firewall? Over the years there have always been problems with a number of protocols not using the proxy configured under System Preferences>Network>Advanced>Proxies. For instance, my Xserve still cannot update its clamav definitions and retries every 10 s (I've disabled that with Lingon, but still…); MobileMe never worked behind the firewall, etc.
Over the last few days it cost me several hours to diagnose why
– on accessing every secure website there were complaints about insecure certificates
– Applestore didn't work
– iCal, Addressbook, Bookmark synchronisation (the entire iCloud suite) failed
The reason: since 10.7.4, Safari requests the CRL (certificate revocation list) from the issuer of the certificate in order to validate the certificate. However, the request is made without authentication, so the proxy rejects it; the keychain process then assumes the certificate is invalid because it cannot verify that the certificate is not on the revocation list. In the console one can see many error messages like "deny com.apple.cfnetwork.AuthBrokerAgent".
THE (interim) SOLUTION: go to Keychain>Preferences>Certificates, set OCSP to off, possibly also CRL. This also re-enables all iCloud services. [OCSP: Online Certificate Status Protocol]
This is not a solution, but a kludge, which lets me at least update to the latest Xcode etc. I still see errors in the console like "… sandboxd: … WebProcess… deny mach-lookup com.apple.cfnetwork.AuthBrokerAgent", but iCloud works. Many thanks to "Mardovar" and others on <https://discussions.apple.com/thread/3941688> for explaining it!
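To confirm the diagnosis above on a given network before switching revocation checking off, one can probe a revocation URL through the proxy with and without credentials. The following is an added example, not part of the original post: the `AuthProxy` class is a constructed local stand-in for an authenticating corporate proxy, and `REVOCATION_URL`, `probe` and the `user:secret` credentials are hypothetical names and values chosen for illustration.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder; a real check would use the URL from the certificate's
# CRL Distribution Points or Authority Information Access (OCSP) extension.
REVOCATION_URL = "http://crl.example.test/ca.crl"

class AuthProxy(BaseHTTPRequestHandler):
    """Constructed stand-in for a corporate proxy that demands credentials."""
    def do_GET(self):
        ok = self.headers.get("Proxy-Authorization") is not None
        self.send_response(200 if ok else 407)
        if not ok:
            self.send_header("Proxy-Authenticate", 'Basic realm="proxy"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_proxy():
    server = HTTPServer(("127.0.0.1", 0), AuthProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(url, proxy_host, proxy_port, credentials=None):
    """Request a revocation URL via the proxy and classify the outcome."""
    headers = {}
    if credentials:
        token = base64.b64encode(credentials.encode()).decode()
        headers["Proxy-Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=5)
    try:
        conn.request("GET", url, headers=headers)  # absolute URL = proxy request
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()
    if status == 407:
        return "proxy-auth-required"  # the failure mode described above
    return "reachable" if status == 200 else "http-%d" % status

if __name__ == "__main__":
    proxy = start_proxy()
    host, port = proxy.server_address
    print("no credentials:  ", probe(REVOCATION_URL, host, port))
    print("with credentials:", probe(REVOCATION_URL, host, port, "user:secret"))
    proxy.shutdown()
```

Against a real proxy, a `proxy-auth-required` result for the unauthenticated probe matches the situation described in the post: the revocation data is only unavailable to clients that do not authenticate to the proxy.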