Why is my server's SSL certificate being rejected?
I am using NSURLConnection to connect to a server with a wildcard TLS certificate (e.g. "*.domain.com"), and when I call SecTrustEvaluate in my NSURLConnectionDelegate method -connection:willSendRequestForAuthenticationChallenge:, the certificate is rejected as invalid. Another server that has a fully qualified TLS certificate (for example, "server2.domain.com") is accepted. Both certificates are issued by the same CA, and I added the CA certificate to my device's trusted certificates.
I see the same behavior in Safari on my iPhone (iOS 8.1). The server with the wildcard certificate is reported as having an untrusted certificate, while the other server works fine. So it looks like the iOS default certificate validation rejects wildcard certificates. Is this the case?
Is there a way to tell SecTrustEvaluate to allow wildcard certificates? Here is an excerpt from my -connection:willSendRequestForAuthenticationChallenge:
- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if ([challenge.protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Evaluate the server's certificate chain against the SSL policy
        // that the protection space already carries (host name included).
        SecTrustRef trust = [challenge.protectionSpace serverTrust];
        SecTrustResultType trustResult;
        OSStatus status = SecTrustEvaluate(trust, &trustResult);
        if (status == noErr
            && (trustResult == kSecTrustResultProceed
                || trustResult == kSecTrustResultUnspecified)) {
            // Success. server2 gets here: accept the chain and continue.
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
                 forAuthenticationChallenge:challenge];
        } else {
            // Server authentication failure. server1 gets here: abort the connection.
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }
    } else {
        // Not a server-trust challenge (e.g. HTTP auth): let the system handle it.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
    }
}
EDIT: The Android version of our software works fine with wildcard certificates, so I suspect there is something specific to iOS certificate handling here. The Android client uses BrowserCompatHostnameVerifier to validate the certificate, which, as I understand it, does the same thing as SecPolicyCreateSSL: it validates the certificate the same way a browser does.
Since you are seeing the same behavior with Safari, this is probably a certificate issue, or an issue with what you expect from the certificate. Please check (or post) the certificate and how you are accessing the server. For example, a certificate containing only an entry for *.example.com will match foo.example.com, but not example.com or bar.foo.example.com. In addition, any naming information must be in the SAN (Subject Alternative Name) section; using the Common Name for this is deprecated.
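The host-name matching rules described in the answer, as an added Python example (it is neither the asker's code nor Apple's or Android's implementation; the certificate dictionaries are constructed sample data and the function names are my own):

```python
import re

# Constructed sample data, not taken from the question: what the two servers'
# certificates might carry, plus one that only sets a Common Name.
WILDCARD_CERT = {"san_dns": ["*.example.com"], "common_name": "*.example.com"}
FQDN_CERT = {"san_dns": ["server2.example.com"], "common_name": "server2.example.com"}
CN_ONLY_CERT = {"san_dns": [], "common_name": "*.example.com"}


def _labels(name):
    """Normalise a DNS name: case-insensitive, trailing dot ignored."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern, hostname):
    """True if a certificate DNS name (possibly with a leading wildcard)
    matches hostname under the rules the answer describes (RFC 6125 style):
    - '*' is only accepted as the entire leftmost label,
    - it matches exactly one label, so *.example.com matches foo.example.com
      but neither example.com nor bar.foo.example.com,
    - every other label must match exactly (case-insensitively).
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        # Refuse to let a wildcard cover a bare TLD such as *.com.
        if len(p) < 3:
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial (f*.example.com) or non-leftmost wildcards
    return p == h


def cert_matches_host(cert, hostname):
    """Apply the answer's second rule: only Subject Alternative Name DNS
    entries are consulted. A certificate without SAN DNS names is rejected;
    the deprecated Common Name fallback is deliberately not implemented."""
    return any(dns_name_matches(n, hostname) for n in cert["san_dns"])
```

Running the wildcard server's name through `cert_matches_host` with its real certificate data is a quick way to tell whether the rejection is a naming problem rather than an iOS-specific wildcard restriction.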