iOS 14 TLS/SSL certificate invalid ?

App & System Services Core OS iOS Network

Created Jul ’20

Replies 24

Boosts 0

Views 28k

Participants 18

Dear all :
In iOS 13, there were some new TLS certificate policies.(as the url below:https://support.apple.com/en-us/HT210176)
We fixed the certificate and it worked well in iOS 13.

But in iOS 14 ,it seems not to work in our app when we try to connect to TLS server with the same certificate. Does anyone run into the similar problem?

Best Regards.

Boost

ozgurs OP

Jan ’21

I'm using rapidapi.com webservice and pinned their certificate. My certificate controls started to fail in some user with iOS 14+. I 'm controlling it using Alamofire 5.

DTS Engineer OP

Apple

Jan ’21

respects RFC (RFC 1035) too much

One can never respect RFC 1035 “too much”. Underscores in DNS host names have never been legal, and folks who break that rule have been running into problems since the dawn of TCP. Indeed, Apple ‘broke’ this back in 1994 with the introduction of MacTCP 2.0.6 (there’s a thread from comp.protocols.tcp-ip.domains that brings back lots of memories [1]).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

[1] groups.google.com/g/comp.protocols.tcp-ip.domains/c/j5rQrOxMEgs

DTS Engineer OP

Apple

Jan ’21

I'm using rapidapi.com webservice and pinned their certificate. My
certificate controls started to fail in some user with iOS 14+. I 'm
controlling it using Alamofire 5.

There are lots of potential causes for this. I recommend that you first remove your certificate pinning, just to rule it out of the equation. If things still fail, you should create a new test project that uses NSURLSession. There’s nothing wrong with using a third-party wrapper around NSURLSession, but if you run into weird problems it’s best to rule out that wrapper before continuing. And, indeed, if the problem doesn’t show up when you use NSURLSession directly, that’s something you’d want to take up with the library vendor.

If you still have problems, you should start a new thread here and we can take a look. As you’re using NSURLSession, you should tag it with CFNetwork so that the right folks see it.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

archietech OP

Mar ’21

Regarding the initial question, I experienced issues with a self-signed certificate on iOS14.

I properly installed the Root CA (RSA4096/SHA512) from Settings>General>Profiles after downloading the public key on my iOS14 device.
I enabled the Root CA to be trusted within Settings>General>About>Certificates

I tried to reach a website (via Safari) and a MS Exchange server (via Apple Mail).
Both are using a certificate signed with the Root CA here above.
But I was still receiving a message telling me the issued certificate is not trusted on my IOS14 device.

I also tried to directly install the web server certificate (RSA2048/SHA256 valid for 3600days) issued from my Root CA in Settings>General>Profiles after downloading that public key... but still facing the same error.

I managed to solve it using recommendations here: https://support.apple.com/en-us/HT210176

I now also use RSA4096/SHA512 for the issued certificate and set its validity to 825days.
I added the FQDN to the Subject Alternative Name in addition to the usual Common Name

MartinKeiblinger OP

Apr ’21

[...] Underscores in DNS host names have never been legal, and folks who break that rule have been running into problems since the dawn of TCP. [...]

I assume you mean section 2.3 of RFC1035? It is absurd to assume a naming convention which is a suggestion has to be read as "must not". Starting this absurdity in the 90s makes it worse not better. Especially if that worked before and breaks only recently.

azav OP

Apr ’21

FYI, since I'm running into this too, these notes may be helpful https://support.apple.com/en-us/HT211025

TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.

Connections to TLS servers violating these new requirements will fail.

Best of luck to anyone who is running into these issues too.

DTS Engineer OP

Apple

Apr ’21

Especially if that worked before and breaks only recently.

What I posted above is my opinion. Clearly you disagree, and so you should absolutely feel free to file a bug report about this change of behaviour and include your rationale there. I suspect that it’ll come back as ‘behaves correctly’, in which case you’ll have Apple’s official opinion on this.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

HugoGallardo OP

Jun ’21

Hi people.

I had the same problem with the iOS 14.6 update two weeks ago, we bought our SSL on Azure which uses Godaddy and the connection to our API resulted on the SSL error.

We did every configuration on the info.plist file and nothing worked.

We had to submit a support ticket on Azure, they answer pretty quick that they were aware of the issue and we needed to rekey the Certificate and resync to our Web apps. That was all we did to get everything back on line.

The following is the link to the info https://sslmate.com/blog/post/apples_new_ct_policy

StuJenga OP

Jul ’21

Looks like its no longer an issue in iOS 15 beta

Thanks for this thread - the summary from Lovingod was very helpful.