Good afternoon,
We have been running into a problem after upgrading our server to Microsoft Server 2022 where our mobile app is failing client authentication via client certs. What we found was this was due to Microsoft Server 2022 using TLS 1.3 by default and something in our iOS is causing this to fail. Are there any new requirements for TLS 1.3 that would make this fail now?
Previously, with TLS 1.2 it would work as follows: Our app makes a request to an endpoint that requires a client cert but it does not include a client cert in the request. The web server responds by saying that a client cert is required and then the client and server establish mutual TLS.
We’ve overridden the urlSession callback for the challenge delegate like this:
import Foundation

// URLSessionDelegate callback for connection-level challenges: both
// NSURLAuthenticationMethodServerTrust and NSURLAuthenticationMethodClientCertificate arrive here.
func urlSession(_ session: URLSession,
                didReceive challenge: URLAuthenticationChallenge,
                completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    switch challenge.protectionSpace.authenticationMethod {
    case NSURLAuthenticationMethodClientCertificate:
        // Use the client certificate and identity in the app keychain to authenticate the client to the server.
        if let identity = Certificate.certificateSingleton.retrieveIdentity(),
           let certificate = Certificate.certificateSingleton.retrieveCertificate(identity: identity) {
            let credentials = URLCredential(identity: identity, certificates: [certificate], persistence: .forSession)
            // With URLSession the completion handler supplies the credential; challenge.sender is normally nil here.
            challenge.sender?.use(credentials, for: challenge)
            completionHandler(.useCredential, credentials)
        } else {
            // No identity in the keychain: cancel rather than continue unauthenticated.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    case NSURLAuthenticationMethodServerTrust: fallthrough
    default:
        // Always accept the server credentials. We don't need to care about the authenticity of the server
        // (performDefaultHandling still runs the system's standard trust evaluation; it does not bypass it).
        completionHandler(.performDefaultHandling, nil)
    }
}
What we are seeing is that previously we would first get an NSURLAuthenticationMethodServerTrust authentication method and fall through to the default handling; subsequently we would get another callback where the authentication method is NSURLAuthenticationMethodClientCertificate, and everything works fine. We are now seeing two NSURLAuthenticationMethodServerTrust authentication methods back to back. Any ideas what is going on here?
Thanks, Brad
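An added diagnostic (example code, not from the post or the app): TLS 1.3 has no renegotiation, so a server that asks for a client certificate only after the first request arrives must use post-handshake authentication (RFC 8446 section 4.6.2), which the client has to opt into by sending the post_handshake_auth extension in its ClientHello. This Python parser reports whether a ClientHello offers TLS 1.3 and that extension; the ClientHello bytes used here are constructed inline as sample input, not a capture from the app.

```python
import struct

POST_HANDSHAKE_AUTH = 49   # extension type, RFC 8446 section 4.2 / 4.6.2
SUPPORTED_VERSIONS = 43    # extension type carrying the offered TLS versions
TLS13 = 0x0304

def build_client_hello(extensions):
    """Build a minimal ClientHello record from (type, data) extension pairs.
    Constructed sample input for this example, not a capture."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03"                          # legacy_version
            + bytes(32)                          # random (zeroed in the sample)
            + b"\x00"                            # empty legacy_session_id
            + b"\x00\x02\x13\x01"                # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # legacy_compression_methods: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello_extensions(record):
    """Return {extension_type: data} for a ClientHello handshake record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                     # skip legacy_version, random
    pos += 1 + body[pos]                             # skip legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                             # skip compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    exts = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def offers_tls13(record):
    """True if supported_versions lists TLS 1.3 (1-byte length, then 2-byte versions)."""
    data = parse_client_hello_extensions(record).get(SUPPORTED_VERSIONS, b"")
    return TLS13 in [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, len(data) - 1, 2)]

def offers_post_handshake_auth(record):
    """True if the client will accept a CertificateRequest after the handshake,
    which is what a TLS 1.3 server needs in order to ask for a cert per request."""
    return POST_HANDSHAKE_AUTH in parse_client_hello_extensions(record)
```

Feed it the ClientHello record bytes from a packet capture of the app's connection to see whether the client offers TLS 1.3 and post-handshake auth; a client that offers TLS 1.3 without the extension cannot be asked for a certificate after the handshake.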