TCP with self-signed server certificate

It looks like you are asking about making a TCP connection to a server that is using a self-signed certificated for TLS, but I want to confirm that you are not also asking about setting up the listening side as well? Please advise and I can explain further.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Yes, this is about TCP connections to servers with self-signed TLS certificates.

We also support client-side certificates, that has been implemented already. I currently don't expect to support that simultaneously, but who knows what kind of servers are out there. I'm unfortunately not able to link to our open source repo, the link gets rejected.

Take a look at TN2232 - HTTPS Server Trust Evaluation for on overview here. Overriding trust evaluation with a self signed certificate is never a "one size fits all," solution as there are many different things that can make a self signed certificate not trusted. For example, Subject Name issues, Validity Period issues, missing ExtendedKeyUsage OIDs, etc...

In regards to TCP connections in the context of NWConnection or nw_connection_t you will need to take a look at sec_protocol_options_set_verify_block for overriding trust evaluation:

Code Block swift
let tlsOptions = NWProtocolTLS.Options()
sec_protocol_options_set_min_tls_protocol_version(tlsOptions.securityProtocolOptions, .TLSv13)
sec_protocol_options_set_verify_block(tlsOptions.securityProtocolOptions, { (_, trust, completionHandler) in
    print("Trust: \(trust.description)")
    let secTrustRef = sec_trust_copy_ref(trust).takeRetainedValue() as SecTrust
    
    /* x509 Policy for certificate validation */
    let x509Policy = SecPolicyCreateBasicX509()
    SecTrustSetPolicies(secTrustRef, x509Policy)
    
    /* Typically you would use either a x509 or SSL policy here. */
    
    /* SSL Policy for your certificate on your domain */
    let sslPolicy = SecPolicyCreateSSL(true, "apple.com" as CFString)
    SecTrustSetPolicies(secTrustRef, sslPolicy)
    
    var error: CFError?
    if !SecTrustEvaluateWithError(secTrustRef, &error) {
        print("SecTrustEvaluateWithError failed: \(error.debugDescription)")
        completionHandler(false)
    }
    
    if let trustDetails = SecTrustCopyResult(secTrustRef) as? [String: AnyObject] {
        /* Determine trust details for more information */
    }
    
    completionHandler(true)
}, .main)

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thank you for mentioning TN2232, that looks like a viable way to do it manually, in-app.

But is there a way for an app to piggy-back on certificates the user installed globally, accepted, via settings, and trusted?

But is there a way for an app to piggy-back on certificates the user installed globally, accepted, via settings, and trusted

Yes. To do so move away from self-signed certificates and get an issued leaf certificate from a CA that has their root certificate already in the device's trust store. Here is the latest list of CA certificates in the trust store.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com