Creating Certificate Authority and keys not compatible with new openSSL

I have in the past used TN2326 as reference to generate keys for our server that aren't self signed, instead signed by our certificate authority. The method in TN2326 is not working with the latest openssl, and honestly I don't understand these error messages enough to debug.

If I add '-legacy' to the openssl command below - I do not get the error. However, clients using TLS are unable to connect to the server. In iOS, it reports a trust issue with the certificate, also pasted below.

You can see below that I am using http3 with quic, so TLS 1.3 is important.

I am running a python (3.10) script for the server, openssl

I appreciate any help on this.

% openssl pkcs12 -in server_192_168_0_187.p12 -nokeys -out server.crt Enter Import Password: Error outputting keys and certificates 4076BD4CF87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

From the iOS client using the '-legacy' option:

task will start, url: https://X.X.X.X:4433 Connection 3: default TLS Trust evaluation failed(-9807) Connection 3: TLS Trust encountered error 3:-9807 Connection 3: encountered error(3:-9807) [connection] nw_connection_copy_connected_local_endpoint_block_invoke [C4] Client called nw_connection_copy_connected_local_endpoint on unconnected nw_connection [connection] nw_connection_copy_connected_remote_endpoint_block_invoke [C4] Client called nw_connection_copy_connected_remote_endpoint on unconnected nw_connection [connection] nw_connection_copy_protocol_metadata_internal_block_invoke [C4] Client called nw_connection_copy_protocol_metadata_internal on unconnected nw_connection Task <BA37397D-B6F1-46C0-8D1C-BC112FC82956>.<2> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807]) protocols: ["h3"] Task <BA37397D-B6F1-46C0-8D1C-BC112FC82956>.<2> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “X.X.X.X” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x108827800) s: X.X.X.X i: Company CA>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://X.X.X.X:4433/, NSErrorFailingURLStringKey=https://X.X.X.X:4433/, NSUnderlyingError=0x283385560 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x280cec1e0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=( "<cert(0x108827800) s: X.X.X.X i: Company CA>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <BA37397D-B6F1-46C0-8D1C-BC112FC82956>.<2>" ), _kCFStreamErrorCodeKey=-9807, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BA37397D-B6F1-46C0-8D1C-BC112FC82956>.<2>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x280cec1e0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “X.X.X.X” which could put your confidential information at risk.} task transport error NSURLErrorDomain / -1202

% openssl pkcs12 -in server_192_168_0_187.p12 -nokeys -out server.crt
…:unsupported:… Algorithm (RC2-40-CBC : 0)…

I believe this is openssl complaining that the PKCS#12 wrapper generated by macOS is using ridiculously older encryption. Honestly, it’s right to complain about this )-: See this post for more.

I recommend that you use the openssl tool to convert the PKCS#12 to use modern algorithms. You’ll then be able to drop the -legacy argument, which will rule that out as a factor in your main issue.


As to your main issue, are you overriding trust evaluation in the iOS app? Or installing your CA’s root certificate on the device as a whole? If it’s the latter, how did you do that?

FYI, I believe that the process described in QA1948 HTTPS and Test Servers still works, but it’s been a while since I tried it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Creating Certificate Authority and keys not compatible with new openSSL
 
 
Q