Why is my server declining SSL certificate?

I am using NSURLConnection to connect to a server with a wildcard TLS certificate (e.g. "*.domain.com"), and when I call SecTrustEvaluate in my NSURLConnectionDelegate method -connection:willSendRequestForAuthenticationChallenge: the certificate is rejected as invalid. Another server that has a fully qualified TLS certificate (for example, "server2.domain.com") is accepted. Both certificates are issued by the same CA, and I added the CA certificate to my device's trusted certificates.

I see the same behavior in Safari on my iPhone / iOS 8.1. A server with a wildcard certificate is reported as having an untrusted certificate, while the other server is running fine. So it looks like iOS default certificate validation rejects wildcard certificates. Is this the case?

Is there a way to tell SecTrustEvaluate to allow wildcard certificates? Here is an excerpt from my -connection:willSendRequestForAuthenticationChallenge:

- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
  if ([challenge.protectionSpace.authenticationMethod
         isEqualToString:NSURLAuthenticationMethodServerTrust]) {
    SecTrustRef trust = [challenge.protectionSpace serverTrust];
    SecTrustResultType trustResult;
    OSStatus status = SecTrustEvaluate(trust, &trustResult);
    if (status == noErr) {
      if (trustResult == kSecTrustResultProceed
          || trustResult == kSecTrustResultUnspecified) {
        // Success. server2 gets here
      } else {
        // Server authentication failure. server1 gets here
      }
    }
  }
}

EDIT. The Android version of our software works fine with wildcard certificates, so I suspect there is something iOS-specific about certificate handling here. The Android client uses BrowserCompatHostnameVerifier to validate the certificate, which, as I understand it, does the same thing as SecPolicyCreateSSL: the same certificate validation a browser does.


1 answer


Since you are seeing the same behavior with Safari, this is probably a problem with the certificate, or with what you expect the certificate to cover. Please check (or post) the certificate and how you are accessing the server. Example: a certificate containing only an entry for *.example.com will match foo.example.com, but not example.com or bar.foo.example.com. In addition, any naming information must be in the SAN (Subject Alternative Name) extension; using the Common Name for this is deprecated.
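The matching rules the answer describes, written out as an added example (this is not code from the question or the answer, and it is not how SecTrustEvaluate is implemented; it applies the RFC 6125 hostname rules to a constructed list of certificate names):

```python
"""Hostname matching for TLS certificates, as an added illustration of the
rules in the answer above (not code from the question, the answer or Apple):
  * a wildcard covers exactly one leftmost DNS label, so '*.example.com'
    matches 'foo.example.com' but neither 'example.com' nor
    'bar.foo.example.com';
  * the wildcard must be the entire leftmost label ('*.example.com', not
    'f*.example.com'), and at least two labels must follow it;
  * when a certificate carries dNSName entries in the Subject Alternative
    Name extension, only those are consulted and the Common Name is ignored.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; drop a trailing dot from absolute names.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (plain or wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h                      # exact, case-insensitive match
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False                       # wildcard only as the whole leftmost label
    if len(p) < 3:
        return False                       # refuse '*' and '*.com'-style patterns
    # Same number of labels, and every label after the wildcard identical.
    return len(p) == len(h) and p[1:] == h[1:]


def cert_matches_host(san_dns_names: list[str], common_name: str | None,
                      hostname: str) -> bool:
    """SAN-first rule: the CN is only a fallback when no dNSName SAN exists."""
    if san_dns_names:
        return any(wildcard_matches(n, hostname) for n in san_dns_names)
    return common_name is not None and wildcard_matches(common_name, hostname)


if __name__ == "__main__":
    # Constructed sample: the certificate from the answer's example.
    san = ["*.example.com"]
    for host in ("foo.example.com", "example.com", "bar.foo.example.com"):
        print(f"{host:24} -> {cert_matches_host(san, None, host)}")
```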
