Not getting .cfurlErrorClientCertificateRejected for bad certificate

I'm using a URLSession, and want to be able to identify the case when I have a bad client certificate.

When I get a call to

    func urlSession(_ session:didReceive challenge:completionHandler)

and send a bad certificate in response to the client cert challenge, I would expect an error of

.cfurlErrorClientCertificateRejected

in

    func urlSession(_ session: task:didCompleteWithError error:)

What I'm seeing instead is the generic

.cfurlErrorSecureConnectionFailed

When I was using the SSL APIs directly I was getting back

    errSSLPeerUnknownCA or errSSLPeerBadCert

Which makes it clear where the problem lies. Is there a way to see that it was specifically a problem with the client certificate using the URLSession delegates?

This can depend on how the TLS stack is configured on your server. Bad certificate or client challenge failures can be handled in many different ways depending on what information is sent over the wire from your server. For example, you may see that you are receiving just a peer closed the connection error, or an Encrypted Alert error, or just something very general when the client certificate validation fails. However, you should be able to see this information in your server logs depending on how verbose they are. One thing you could do is emit the bad_certificate Alert too from your server. Validate that this is being sent over the wire with a packet trace and then try and pick it up in the Error response from URLSession.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
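As an added illustration of the client side of this thread (example code, not from the question or the DTS reply): a Swift delegate that answers the client-certificate challenge and then classifies the error delivered to `didCompleteWithError`. It first checks the top-level `URLError` code for `.clientCertificateRejected`, and when only the generic `.secureConnectionFailed` arrives it digs into the underlying `NSOSStatusErrorDomain` error for the same `errSSLPeerBadCert` / `errSSLPeerUnknownCA` statuses the SSL APIs return directly, which is where a server that does emit the `bad_certificate` alert tends to surface. Assumptions: the `SecIdentity` is loaded elsewhere (e.g. from a PKCS#12 file), `https://example.invalid/` is a placeholder URL, and the `_kCFStreamErrorCodeKey` userInfo entry is an undocumented key observed in practice, so its presence and type are not guaranteed.

```swift
import Foundation
import Security

/// Example delegate (added here, not part of the thread): presents a client identity
/// when challenged and logs a classified description of any completion error.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate, URLSessionTaskDelegate {
    private let clientIdentity: SecIdentity   // assumed to be loaded by the caller

    init(clientIdentity: SecIdentity) {
        self.clientIdentity = clientIdentity
    }

    func urlSession(_ session: URLSession,
                    task: URLSessionTask,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle the client-certificate challenge; let the system evaluate the server trust.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        let credential = URLCredential(identity: clientIdentity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }

    func urlSession(_ session: URLSession, task: URLSessionTask, didCompleteWithError error: Error?) {
        guard let error = error else { return }
        NSLog("task %d failed: %@", task.taskIdentifier, classifyTLSError(error))
    }
}

/// Turn a URLSession completion error into a short diagnostic label that distinguishes a
/// client-certificate problem from other TLS failures wherever the error carries that detail.
func classifyTLSError(_ error: Error) -> String {
    let nsError = error as NSError

    // 1. The specific code the question is looking for, when the stack does report it.
    if let urlError = error as? URLError {
        switch urlError.code {
        case .clientCertificateRejected:
            return "client certificate rejected (URLError.clientCertificateRejected)"
        case .secureConnectionFailed:
            break   // generic; keep digging below
        default:
            return "URLError code \(urlError.code.rawValue)"
        }
    }

    // 2. The Secure Transport status that the SSL APIs hand back directly. It often rides
    //    along as the underlying error of the generic secureConnectionFailed.
    if let underlying = nsError.userInfo[NSUnderlyingErrorKey] as? NSError,
       underlying.domain == NSOSStatusErrorDomain {
        switch OSStatus(underlying.code) {
        case errSSLPeerBadCert:
            return "peer sent bad_certificate alert (errSSLPeerBadCert)"
        case errSSLPeerUnknownCA:
            return "peer sent unknown_ca alert (errSSLPeerUnknownCA)"
        case errSSLClosedAbort, errSSLClosedNoNotify:
            return "peer closed the connection without a certificate-specific alert"
        default:
            return "Secure Transport status \(underlying.code)"
        }
    }

    // 3. Assumption: some builds attach the raw stream error code instead of an underlying
    //    NSError. The key is undocumented, so treat a miss here as normal.
    if let streamCode = nsError.userInfo["_kCFStreamErrorCodeKey"] as? Int {
        return "secure connection failed, stream error code \(streamCode)"
    }

    return "secure connection failed (\(nsError.domain) \(nsError.code)), no certificate detail available"
}

/// Usage: wire the delegate into a session and issue one request against a placeholder host.
func runProbe(identity: SecIdentity) {
    let delegate = ClientCertSessionDelegate(clientIdentity: identity)
    let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
    let url = URL(string: "https://example.invalid/")!   // placeholder, replace with the mTLS endpoint under test
    session.dataTask(with: url).resume()
}
```

Capturing the label from `classifyTLSError` next to a packet trace of the handshake, as the reply suggests, shows whether the server actually sent `bad_certificate` and whether the client stack mapped it to anything more specific than `.secureConnectionFailed`; if it did not, the server log remains the authoritative place to confirm the rejection reason.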