2 Replies
      Latest reply on Apr 11, 2019 10:54 PM by jopie
      jopie Level 1 Level 1 (0 points)

        Hello,

         

         

        We use Apple's MDM service.

        When we updated OpenSSL from 1.0.1e to 1.0.2r on SCEP server, profile cannot be installed to the iOS cleint.

         

         

        After some investigation, we came up that iOS client ends up with following error when received PKCS#7 certificate from SCEP server during PKIOperation.

         

         

        +----------------------------------------------

        Could not retrieve issued certificate: NSError:

        US Desc: The SCEP server returned an invalid response.

        Domain : MCSCEPErrorDomain

        Code   : 22013

        Type   : MCFatalError

        <Notice>: Cannot retrieve SCEP identity: NSError:

        +----------------------------------------------

         

         

        We did not change programs of SCEP server, though re-built modules with new OpenSSL library.

         

         

        We use C++ for SCEP server modules.

         

         

        Testing iOS client version is 12.0.1.

         

         

        Does anyone know how to resolve this problem?

         

         

        Kind regards,

        • Re: MDM profile cannot be installed with OpenSSL updated
          jormiya Level 1 Level 1 (0 points)

          I met the same problem with my SCEP Server written by ruby with OpenSSL 1.0.2k (OS bundles).

          I show iOS consolelog with Xcode. May be iOS "profiled" program can't accept PKCS#7 certificate create by OpenSSL 1.0.2k.

          I don't which program bugs, iOS profiled or OpenSSL 1.0.2K.

          I avoid this problem recreating  ruby link OpenSSL 1.0.1e.

           

          Kind regards,

            • Re: MDM profile cannot be installed with OpenSSL updated
              jopie Level 1 Level 1 (0 points)

              I found a way to solve it.

               

              The reason is the change of treating ASP.1 in OpenSSL library.

              From OpenSSL 1.0.1i, 0 ID format is rejected, so that the output PKCS#7 which is passed to iOS is broken and iOS client cannot read them.

               

              Just

              1.PKCS7_new

              2.PKCS7_set_type

              produce this broken data.

               

              To fix this problem, create non 0 ID object with PKCS7_content_new(p7, NID_pkcs7_data).

              It must be called after PKCS7_set_type(p7, type), otherwise, the content will be initialized with 0 ID object.

               

              1.PKCS7_new

              2.PKCS7_set_type

              3.PKCS7_content_new

              will produce fixed data.

               

              SCEP servers which have been originally implemented with above API might have no problem.