MDM profile cannot be installed with OpenSSL updated

Hello,

We use Apple's MDM service.

When we updated OpenSSL from 1.0.1e to 1.0.2r on the SCEP server, the profile could not be installed on the iOS client.

After some investigation, we found that the iOS client ends up with the following error when it receives the PKCS#7 certificate from the SCEP server during PKIOperation.

+----------------------------------------------
Could not retrieve issued certificate: NSError:
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
<Notice>: Cannot retrieve SCEP identity: NSError:
+----------------------------------------------

We did not change the programs of the SCEP server, though we re-built the modules with the new OpenSSL library.

We use C++ for the SCEP server modules.

The iOS client version under test is 12.0.1.

Does anyone know how to resolve this problem?

Kind regards,

Replies

I met the same problem with my SCEP server written in Ruby with OpenSSL 1.0.2k (bundled with the OS).

I saw the iOS console log with Xcode. Maybe the iOS "profiled" program can't accept the PKCS#7 certificate created by OpenSSL 1.0.2k.

I don't know which program has the bug, iOS profiled or OpenSSL 1.0.2k.

I avoided this problem by rebuilding Ruby linked against OpenSSL 1.0.1e.

Kind regards,

I found a way to solve it.

The reason is the change in how ASN.1 is treated in the OpenSSL library.

From OpenSSL 1.0.1i, the 0 ID format is rejected, so the output PKCS#7 which is passed to iOS is broken and the iOS client cannot read it.

Just

1. PKCS7_new
2. PKCS7_set_type

produces this broken data.

To fix this problem, create a non-0 ID object with PKCS7_content_new(p7, NID_pkcs7_data).

It must be called after PKCS7_set_type(p7, type); otherwise, the content will be initialized with a 0 ID object.

1. PKCS7_new
2. PKCS7_set_type
3. PKCS7_content_new

will produce fixed data.

SCEP servers which were originally implemented with the above API sequence might have no problem.

Thanks, tell me your response.