TCP with self-signed server certificate

What are the options doing TCP and supporting self-signed server certificates? It's about IMAP/SMTP connections.

We are currently using NSStream. Is there a higher-level API that automatically supports certificates that have been imported and trusted by the user (as hinted at here)?

If not, is connecting with kCFStreamSSLValidatesCertificateChain disabled, and then querying kCFStreamPropertySSLPeerTrust, involving the user in self-made "trust UI" the way to go?

Sample error:

Code Block language
2021-01-21 14:03:13.673788+0100 pEp[77676:8086560] CFNetwork SSLHandshake failed (-9807)
2021-01-21 14:03:13.673968+0100 pEp[77676:8086560] TCP Conn 0x6000033b89a0 SSLHandshake failed (-9807)


Up vote post of DSec Down vote post of DSec
734 views
Posted by
DSec
Reply
Add a Comment

Accepted Reply

But is there a way for an app to piggy-back on certificates the user installed globally, accepted, via settings, and trusted

Yes. To do so move away from self-signed certificates and get an issued leaf certificate from a CA that has their root certificate already in the device's trust store. Here is the latest list of CA certificates in the trust store.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved
Add a Comment

Replies

It looks like you are asking about making a TCP connection to a server that is using a self-signed certificated for TLS, but I want to confirm that you are not also asking about setting up the listening side as well? Please advise and I can explain further.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment
Yes, this is about TCP connections to servers with self-signed TLS certificates.

We also support client-side certificates, that has been implemented already. I currently don't expect to support that simultaneously, but who knows what kind of servers are out there. I'm unfortunately not able to link to our open source repo, the link gets rejected.
Posted by
DSec
Up vote reply of DSec Down vote reply of DSec
Add a Comment
Take a look at TN2232 - HTTPS Server Trust Evaluation for on overview here. Overriding trust evaluation with a self signed certificate is never a "one size fits all," solution as there are many different things that can make a self signed certificate not trusted. For example, Subject Name issues, Validity Period issues, missing ExtendedKeyUsage OIDs, etc...

In regards to TCP connections in the context of NWConnection or nw_connection_t you will need to take a look at sec_protocol_options_set_verify_block for overriding trust evaluation:

Code Block swift
let tlsOptions = NWProtocolTLS.Options()
sec_protocol_options_set_min_tls_protocol_version(tlsOptions.securityProtocolOptions, .TLSv13)
sec_protocol_options_set_verify_block(tlsOptions.securityProtocolOptions, { (_, trust, completionHandler) in
    print("Trust: \(trust.description)")
    let secTrustRef = sec_trust_copy_ref(trust).takeRetainedValue() as SecTrust
    
    /* x509 Policy for certificate validation */
    let x509Policy = SecPolicyCreateBasicX509()
    SecTrustSetPolicies(secTrustRef, x509Policy)
    
    /* Typically you would use either a x509 or SSL policy here. */
    
    /* SSL Policy for your certificate on your domain */
    let sslPolicy = SecPolicyCreateSSL(true, "apple.com" as CFString)
    SecTrustSetPolicies(secTrustRef, sslPolicy)
    
    var error: CFError?
    if !SecTrustEvaluateWithError(secTrustRef, &error) {
        print("SecTrustEvaluateWithError failed: \(error.debugDescription)")
        completionHandler(false)
    }
    
    if let trustDetails = SecTrustCopyResult(secTrustRef) as? [String: AnyObject] {
        /* Determine trust details for more information */
    }
    
    completionHandler(true)
}, .main)



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment
Thank you for mentioning TN2232, that looks like a viable way to do it manually, in-app.

But is there a way for an app to piggy-back on certificates the user installed globally, accepted, via settings, and trusted?
Posted by
DSec
Up vote reply of DSec Down vote reply of DSec
Add a Comment

But is there a way for an app to piggy-back on certificates the user installed globally, accepted, via settings, and trusted

Yes. To do so move away from self-signed certificates and get an issued leaf certificate from a CA that has their root certificate already in the device's trust store. Here is the latest list of CA certificates in the trust store.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved
Add a Comment