I have in the past used TN2326 as a reference to generate keys for our server that aren't self-signed but are instead signed by our certificate authority. The method in TN2326 is not working with the latest OpenSSL, and honestly I don't understand these error messages well enough to debug them.
If I add '-legacy' to the openssl command below, I do not get the error. However, clients using TLS are unable to connect to the server. On iOS, it reports a trust issue with the certificate, also pasted below.
You can see below that I am using HTTP/3 with QUIC, so TLS 1.3 is important.
I am running a python (3.10) script for the server, openssl
I appreciate any help on this.
% openssl pkcs12 -in server_192_168_0_187.p12 -nokeys -out server.crt
Enter Import Password:
Error outputting keys and certificates
4076BD4CF87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
From the iOS client using the '-legacy' option:
task will start, url: https://X.X.X.X:4433
Connection 3: default TLS Trust evaluation failed(-9807)
Connection 3: TLS Trust encountered error 3:-9807
Connection 3: encountered error(3:-9807)
[connection] nw_connection_copy_connected_local_endpoint_block_invoke [C4] Client called nw_connection_copy_connected_local_endpoint on unconnected nw_connection
[connection] nw_connection_copy_connected_remote_endpoint_block_invoke [C4] Client called nw_connection_copy_connected_remote_endpoint on unconnected nw_connection
[connection] nw_connection_copy_protocol_metadata_internal_block_invoke [C4] Client called nw_connection_copy_protocol_metadata_internal on unconnected nw_connection
Task <BA37397D-B6F1-46C0-8D1C-BC112FC82956>.<2> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807]) protocols: ["h3"]
Task <BA37397D-B6F1-46C0-8D1C-BC112FC82956>.<2> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “X.X.X.X” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x108827800) s: X.X.X.X i: Company CA>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://X.X.X.X:4433/, NSErrorFailingURLStringKey=https://X.X.X.X:4433/, NSUnderlyingError=0x283385560 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x280cec1e0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=( "<cert(0x108827800) s: X.X.X.X i: Company CA>" )}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <BA37397D-B6F1-46C0-8D1C-BC112FC82956>.<2>" ), _kCFStreamErrorCodeKey=-9807, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <BA37397D-B6F1-46C0-8D1C-BC112FC82956>.<2>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x280cec1e0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “X.X.X.X” which could put your confidential information at risk.}
task transport error NSURLErrorDomain / -1202
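Editor's added example (not part of the original post, and not the TN2326 procedure): the RC2-40-CBC error above comes from a PKCS#12 file whose certificate bag was encrypted with the old default PBE that OpenSSL 3 only serves from its legacy provider, so '-legacy' is the right way to read such a file. The post does not show the server certificate, so the cause of the -9807 trust failure cannot be determined from it; the script below builds a CA-signed server certificate that meets Apple's published requirements for trusted TLS server certificates (subjectAltName carrying the IP, extendedKeyUsage serverAuth, SHA-2, 2048-bit RSA, validity of at most 825 days), bundles it with AES-256/SHA-256 so OpenSSL 3 reads it without '-legacy', then extracts and verifies it. The CA name, file names, password and the IP 192.168.0.187 are assumptions; the issuing CA additionally has to be installed and marked trusted on the iOS device for the client to accept the chain.

```shell
#!/bin/sh
# Added example: CA-signed server cert + modern PKCS#12, then extract/verify.
# All names, paths, the password and the IP address are assumptions for the demo.
set -e

PASS="${PKCS12_PASS:-changeit}"   # demo password; supply a real one via the environment

make_chain() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"
    # 1. Private CA (self-signed). OpenSSL's default config marks a req -x509 cert CA:TRUE.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Company CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and CSR. The CN alone does not satisfy iOS; the SAN below does.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$ip" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Leaf extensions: SAN with the IP address, serverAuth EKU, not a CA.
    cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:$ip
EOF
    # 825 days is the longest validity Apple accepts for a TLS server certificate.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # 4. PKCS#12 with modern PBE and MAC. Older tools default to RC2-40-CBC for the
    #    certificate bag, which OpenSSL 3 only decrypts with the legacy provider.
    openssl pkcs12 -export -name server -in "$dir/server.crt" -inkey "$dir/server.key" \
        -certfile "$dir/ca.crt" -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout "pass:$PASS" -out "$dir/server.p12"
}

# Extract the leaf from the bundle (no -legacy needed) and check it against the CA.
# For an old RC2-40 bundle on OpenSSL 3, add -legacy to the pkcs12 command instead.
check_chain() {
    dir="$1"
    openssl pkcs12 -in "$dir/server.p12" -nokeys -clcerts -passin "pass:$PASS" \
        -out "$dir/extracted.crt"
    openssl verify -CAfile "$dir/ca.crt" "$dir/extracted.crt"
    openssl x509 -in "$dir/extracted.crt" -noout -ext subjectAltName,extendedKeyUsage
}

make_chain "${1:-pki-demo}" "${2:-192.168.0.187}"
check_chain "${1:-pki-demo}"
```

Run it as `sh make-chain.sh out-dir 192.168.0.187`; the last two commands print `extracted.crt: OK` followed by the SAN and EKU, which is what to compare against the certificate the server is actually presenting (the `s: X.X.X.X i: Company CA` entry in the iOS log).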