HTTPS changes between 10.2 and 10.3

I've been using Alamofire in a project to work with REST requests. The code I have is running fine in 10.2 and properly returning data as expected. When I switch the simulator to 10.3 the request does not complete. Both 10.2 and 10.3 simulators have the self-signed certificates installed and trusted. Would anyone happen to know if there are changes to HTTPS in 10.3 that would prevent the app from running properly?

Replies

Yes... self-signed certificates are causing 'Unknown CA' errors for us despite being SHA256withRSA. Browsing in a web browser to a location that requires the certificate gives us a prompt, and the certificate is presented as untrusted. Was hoping this was a bug in beta 2, but the beta today has the same issue.


The beta notes contain a note about this change:

"The iOS 10.3 update removes support for SHA-1 signed certificates used for Transport Layer Security (TLS) in Safari and WebKit that are issued from a root Certification Authority (CA) included in the operating system default trust store. All other TLS connections will continue to support SHA-1 signed certificates until late 2017. SHA-1 signed root CA certificates, enterprise-distributed SHA-1 certificates, and user-installed SHA-1 certificates are not affected by this change. For more information, see https://support.apple.com/kb/HT207459."

From that article, I would think using a self-signed SHA-256 with RSA Encryption certificate would still work through REST API calls, since the cert on the server in question is not SHA-1. Wonder if this is expected behavior or a bug?
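Since the note above turns on whether a certificate is SHA-1 or SHA-256 signed, here is an added example (not code from this thread or from Apple) that reads the outer signatureAlgorithm OID straight out of a DER-encoded certificate and classifies it. The certificate it builds is a constructed placeholder for offline use, not a real one; the OID table and the DER layout follow RFC 5280.

```python
import base64

# OID -> (algorithm name, signs with SHA-1?)
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",   True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512", False),
}
SEQUENCE, OID, NULL, BIT_STRING, INTEGER = 0x30, 0x06, 0x05, 0x03, 0x02


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: n length octets follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn OID content octets into dotted form (base-128 arcs)."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280 4.1).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    The outer field is checked here; RFC 5280 requires it to match tbsCertificate.signature.
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)           # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify(der):
    """Return (algorithm name, uses_sha1); uses_sha1 is None for an OID not in the table."""
    oid = signature_algorithm_oid(der)
    return SIG_ALGS.get(oid, ("unknown:" + oid, None))


def pem_to_der(pem):
    lines = [l.strip() for l in pem.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def der_to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# --- constructed sample certificate for offline use (not a real certificate) ---

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, value):
    return bytes([tag]) + _encode_len(len(value)) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid):
    """Placeholder TBS and dummy signature around a real AlgorithmIdentifier."""
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x02"))
    alg = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(NULL, b""))
    sig = _tlv(BIT_STRING, b"\x00" + b"\xaa" * 32)
    return _tlv(SEQUENCE, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, classify(build_sample_cert(oid)))
```

For a real root installed on the device, run `classify(pem_to_der(open("ca.pem").read()))`; `openssl x509 -in ca.pem -noout -text` prints the same field as "Signature Algorithm". A result with `uses_sha1` of `None` means the OID is not in the table and should be looked at by hand rather than assumed safe.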

Indeed, I noted the same behavior for SHA-2 self-signed root CA certificates in the last iOS 10.3 betas (3 and 4). I feel that it is "works as designed" by Apple. However, this contradicts their last security update about Safari and WebKit ending support for SHA-1 certificates:

  1. "All other TLS connections will continue to support SHA-1 signed certificates until late 2017. SHA-1 signed root CA certificates, enterprise-distributed SHA1 certificates, and user-installed SHA1 certificates are not affected by this change."
  2. "Developers and website operators should move to SHA-256 signed certificates as soon as possible to prevent users from encountering warnings when connecting to their sites."


IMHO, there is a critical issue on Apple's side. I'm confused about SHA-1 self-signed root CA certificates because they are deprecated, but I disagree for SHA-2 self-signed root CA certificates. They should be trusted by default because it is the new standard.

I just figured this out...


On iOS 10.3:

Settings > General > About (logically...) > Certificate Trust Settings > Enable Full Trust for Root Certificates

I'm trying to make my certificate trusted on the developer device with iOS 10.3. I've installed the CA root certificate and can see it under Settings > General > Profiles. But I see nothing under Settings > General > About > Certificate Trust Settings > Enable Full Trust for Root Certificates.

How can I figure out why my certificate does not appear under Enable Full Trust for Root Certificates?

I have tried this, but it keeps getting disabled every time I leave the page and go back. Is this a known issue in the iOS 10.3 simulators?