iOS 11 beta two-way ssl client authentication status

It appears that two-way SSL client authentication is behaving differently in iOS 11 beta 1 & 2 when compared to iOS 10.


The tcpdump indicates a different (handshake) flow in iOS 11 beta when compared to iOS 10.


It seems like iOS 11 is trying to use the client certificate to negotiate an SSL connection as opposed to using it to authenticate the client authentication challenge.


Looking for insight into what might have changed in iOS 11 beta, or an updated status of two-way SSL client authentication in iOS 11 beta, and how to keep track of any progress.


I have a working implementation on iOS 10 using two-way SSL client authentication, but my existing implementation now does not work in iOS 11 (if Mandatory/Optional client certificate authentication is enabled on the load balancer). (I do have an ATS exception for TLS 1.0, which is required for ATS on this older development LB, but if I don't require a certificate challenge on the LB (turn two-way auth off), it will allow my existing implementation to work in iOS 11.)


Any insight into possible differences between iOS 11 beta and iOS 10 in this regard would be appreciated.


Thanks,


mochamo

Replies

I am experiencing the same thing with iOS 11 beta 4. Can't find any reference on how this will be resolved yet. BTW, I'm using AFNetworking to handle the client authentication.

Experiencing the same. Any progress here?

iOS 11 beta forced the use of TLS 1.2.

iOS 11 doesn't force the use of TLS 1.2.


I am using the iOS 11 Golden Master and have the same issue as described in this thread. We are using two-way SSL with some of our company web applications and have an issue with one of them.


The certificate is distributed through our MDM. From the end-user perspective, it's asking to choose the certificate, but when you do, it doesn't work and asks you again. Therefore the authentication is failing.


If anyone has any experience with this, please comment.

When trying to run my two-way SSL code (that was working fine on iOS 10) on iOS 11, I suddenly started getting SSL handshake errors (error code: -9802).

My server hasn't changed, so I thought it might have to do with the client certificate generation params, namely key algorithm & length and signing algorithm.

Initially I was using RSA 2048 with SHA256, and a few months back I switched to EC.

(I'm generating my client certs by submitting a CSR to my server.)

After reading this: https://forums.developer.apple.com/thread/6767 where eskimo says:

  • Certificates signed using SHA1 are no longer trusted
  • Certificates signed using an RSA key with a key size less than 2048 bits are no longer trusted

but nothing about EC, I thought I should try reverting to RSA.

So after changing back to RSA 2048 with SHA256, my two-way SSL code started working fine on iOS 11.
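
As an added example that is not part of the original thread: a shell check that reads the output of `openssl x509 -noout -text` and flags the two trust rules quoted above (SHA-1 signature, RSA key under 2048 bits) while reporting the key type, so an RSA and an EC client certificate can be compared side by side. The function names and the sample excerpts are constructed for illustration; an `OK` here only means neither quoted rule is hit, not that a given server will accept the certificate.

```shell
#!/bin/sh
# Added example: audit a client certificate's key and signature parameters.

# Reads `openssl x509 -noout -text` output on stdin and prints one line:
#   <OK|FAIL> key=<algorithm> bits=<n> sig=<algorithm> [reasons...]
# Returns 0 for OK, 1 for FAIL, 2 if the fields could not be parsed.
audit_cert_text() {
    awk '
        # The first "Signature Algorithm:" line is the one in the signed body.
        /Signature Algorithm:/ && sig == "" { sig = $NF }
        /Public Key Algorithm:/             { key = $NF }
        /Public-Key: \(/ && bits == "" {
            s = $0
            sub(/.*\(/, "", s); sub(/ bit.*/, "", s); bits = s + 0
        }
        END {
            if (sig == "" || key == "" || bits == "") { print "ERROR unparsed"; exit 2 }
            reasons = ""
            # Rule 1 from the quoted list: SHA-1 signed certificates.
            if (tolower(sig) ~ /sha1/) reasons = reasons " sha1-signature"
            # Rule 2 from the quoted list: RSA keys shorter than 2048 bits.
            if (key == "rsaEncryption" && bits < 2048) reasons = reasons " rsa-under-2048"
            verdict = (reasons == "") ? "OK" : "FAIL"
            printf "%s key=%s bits=%d sig=%s%s\n", verdict, key, bits, sig, reasons
            exit(reasons == "" ? 0 : 1)
        }'
}

# Convenience wrapper for a PEM certificate file on disk.
audit_cert_file() {
    openssl x509 -in "$1" -noout -text | audit_cert_text
}

# Constructed excerpts of `openssl x509 -text` output (not real certificates).
SAMPLE_RSA_OK='    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'
SAMPLE_EC='    Signature Algorithm: ecdsa-with-SHA256
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'
SAMPLE_WEAK='    Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

for s in "$SAMPLE_RSA_OK" "$SAMPLE_EC" "$SAMPLE_WEAK"; do
    printf '%s\n' "$s" | audit_cert_text || true
done
```

For a real certificate, run `audit_cert_file client.pem` (the file name is a placeholder) on the certificate issued from the CSR.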