Hi,
a one year ago I was here for help with checking self signed certificate:
https://forums.developer.apple.com/thread/102915
In short:
We are developing a smart home application which is communicating with our own devices (like smart socket plug) via HTTPS using IP address.
Devices use our own CA, and iOS application set this certificate as a trusted by calling 'SecTrustSetAnchorCertificates' and override hostname by 'SecPolicyCreateSSL(true, name as CFString)'.
And everything works fine till iOS13 where there are new requirements which we didn't meet:
- TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate.
DNS names in the CommonName of a certificate are no longer trusted.
- TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
So now we added new extensions to our certificates, like so:
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:s-connect-12345678Now everything works again, but I'm not sure if this is correct approach.
As I anderstand, we can treat SAN DNS name just like Common Name elier?
Is it ok to set common name as SAN DNS? And then override hostname using 'SecPolicyCreateSSL(true, "s-connect-12345678")' (We communicate with device by IP address)
BTW. Can we use 'SecTrustSetPolicies(trust, newTrustPolicies)' in iOS now instead?
Thanks,
Tomasz Trela
