Provide certificate chain during TLS

We are using the Network framework to open a TLS listener on the network and set options this way:

#import <Network/Network.h>
#import <Security/Security.h>

// `identity` is a SecIdentityRef loaded from the keychain elsewhere (not shown in the post).
nw_parameters_configure_protocol_block_t configure_tls = ^(nw_protocol_options_t tls_options) {
    sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);

    // Wrap the SecIdentityRef for the Security protocol options API.
    sec_identity_t sec_identity = sec_identity_create(identity);
    sec_protocol_options_set_local_identity(sec_options, sec_identity);
    sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12);
    sec_options = nil;   // release under ARC
};

This works fine; however, the listener's TLS negotiation only returns the certificate, not the trust chain. We have a requirement from a government agency to return the trust chain:

"In addition to the certificate itself, you should provide a “chain” of intermediate certificates that give the connecting browser or client enough information to connect the certificate to a trusted root certificate.

Failing to provide intermediates could prevent various browsers and clients from successfully connecting to your service, especially mobile browsers and non-browser clients (such as cURL, and tools based on libcurl).

Some browsers will cache intermediates from a previous connection or attempt to automatically download missing intermediates that are presented in a certificate’s Authority Information Access (https://tools.ietf.org/html/rfc5280#section-4.2.2.1) extension, and so it can be easy to miss this problem during initial configuration. Though most browsers have an option to inspect the certificates on a site, they vary in whether they show the exact certificates the server presented or a chain as reconstructed through the fetching of an intermediate listed in the AIA extension.

In general:

  • You do not need to serve the trusted root that the certificate chains to. The client will compare the chain to a local root store, so serving the root will only waste bytes and slow the connection.
  • You do need to serve any intermediate certificates that connect your web server certificate to the trusted root. Doing so removes the potential for problems caused by the variation in how clients facilitate trust verification."

Is there a way to provide the chain of trust in the TLS options? I could not find any way to do this.

The droid you’re looking for is sec_identity_create_with_certificates. This lets you create your sec_identity_t with both a digital identity and a certificate chain.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
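Putting Quinn's pointer into practice, as an added example that is not code from the original thread or from Apple: the helper below builds the chain the agency asks for and checks it locally before handing it to the listener. `MakeChainedIdentity`, `MakeListenerParameters`, the hostname and the intermediate path are assumptions, as is the ordering of the certificate array (leaf first, then intermediates, no root).

```objc
#import <Foundation/Foundation.h>
#import <Network/Network.h>
#import <Security/Security.h>

// Hypothetical helper (not from the original post): wrap `identity` together with its
// intermediate CA certificates so the listener presents the whole chain. The DER paths
// and `hostname` are placeholders.
static sec_identity_t MakeChainedIdentity(SecIdentityRef identity,
                                          NSArray<NSString *> *intermediateDERPaths,
                                          NSString *hostname) {
    // Assumption: leaf first, then each intermediate in order; the trusted root is
    // deliberately left out because clients already hold it in their root store.
    NSMutableArray *chain = [NSMutableArray array];
    SecCertificateRef leaf = NULL;
    if (SecIdentityCopyCertificate(identity, &leaf) != errSecSuccess) return nil;
    [chain addObject:CFBridgingRelease(leaf)];
    for (NSString *path in intermediateDERPaths) {
        NSData *der = [NSData dataWithContentsOfFile:path];
        SecCertificateRef cert = der ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der) : NULL;
        if (cert == NULL) return nil;   // missing file or not DER: refuse to serve a broken chain
        [chain addObject:CFBridgingRelease(cert)];
    }
    // Check locally what a client will check: leaf + intermediates must evaluate as a server
    // certificate for `hostname` against this machine's root store. Failure means a wrong
    // or missing intermediate, exactly the problem the agency's guidance describes.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname);
    SecTrustRef trust = NULL;
    CFErrorRef error = NULL;
    BOOL trusted = SecTrustCreateWithCertificates((__bridge CFArrayRef)chain, policy, &trust) == errSecSuccess
                   && SecTrustEvaluateWithError(trust, &error);
    if (trust) CFRelease(trust);
    CFRelease(policy);
    if (!trusted) {
        if (error) CFRelease(error);
        return nil;
    }
    return sec_identity_create_with_certificates(identity, (__bridge CFArrayRef)chain);
}

// Listener parameters whose TLS block presents the chained identity instead of the bare one.
static nw_parameters_t MakeListenerParameters(SecIdentityRef identity) {
    nw_parameters_configure_protocol_block_t configure_tls = ^(nw_protocol_options_t tls_options) {
        sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);
        sec_identity_t chained = MakeChainedIdentity(identity, @[@"/path/to/intermediate.der"],
                                                     @"listener.example");
        if (chained != nil) sec_protocol_options_set_local_identity(sec_options, chained);
        sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12);
    };
    return nw_parameters_create_secure_tcp(configure_tls, NW_PARAMETERS_DEFAULT_CONFIGURATION);
}
```

If the intermediates chain to a private root that is not in the local root store, the local evaluation fails even though the chain is complete; trust that root on the build machine first, or skip the check and verify with an external client instead.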
