6 Replies
      Latest reply on Jun 1, 2017 12:48 PM by jvbreen1
      rsaeks Level 1 (0 points)

        I've been using Alamofire in a project to work with REST requests. The code I have is running fine in 10.2 and properly returning data as expected. When I switch the simulator to 10.3 the request does not complete. Both 10.2 and 10.3 simulators have the self-signed certificates installed and trusted. Would anyone happen to know if there are changes to HTTPS in 10.3 that would prevent the app from running properly?

        • Re: HTTPS changes between 10.2 and 10.3
          Securly Level 1 (0 points)

          Yes... self-signed certificates are causing 'Unknown CA' errors for us despite being SHA256withRSA. Browsing in a web browser to a location that requires the certificate gives us a prompt and the certificate is presented as untrusted. Was hoping this was a bug in beta 2 but the beta today has the same issue.

           

          The beta notes contain a note about this change...

          The iOS 10.3 update removes support for SHA-1 signed certificates used for Transport Layer Security (TLS) in 
          Safari and WebKit that are issued from a root Certification Authority (CA) included in the operating system default 
          trust store. All other TLS connections will continue to support SHA-1 signed certificates until late 2017. 
          SHA-1 signed root CA certificates, enterprise-distributed SHA-1 certificates, and user-installed SHA-1 certificates 
          are not affected by this change. For more information, see https://support.apple.com/kb/HT207459.
          
          
            • Re: HTTPS changes between 10.2 and 10.3
              rsaeks Level 1 (0 points)

              From that article, I would think using a self-signed SHA-256 with RSA Encryption would still work through REST API calls since the cert on the server in question is not SHA-1. Wonder if this is expected behavior or a bug?

                • Re: HTTPS changes between 10.2 and 10.3
                  Franck.Ducos Level 1 (10 points)

                  Indeed, I noted the same behavior for SHA-2 self-signed root CA certificates in the last iOS 10.3 betas (3 and 4). I feel that it is "Works as designed" by Apple. However, this is contradictory with their last security update about Safari and WebKit ending support for SHA-1 certificates:

                  1. "All other TLS connections will continue to support SHA-1 signed certificates until late 2017. SHA-1 signed root CA certificates, enterprise-distributed SHA1 certificates, and user-installed SHA1 certificates are not affected by this change."
                  2. "Developers and website operators should move to SHA-256 signed certificates as soon as possible to prevent users from encountering warnings when connecting to their sites."

                   

                  IMHO, there is a critical issue on Apple's side. I'm confused for SHA-1 self-signed root CA certificates because they are deprecated but I disagree for SHA-2 self-signed root CA certificates. They should be trusted by default because it is the new standard.