Subscription Notification not working with client authentication?

Hi, I've activated the new subscription notification URL in iTunes. Everything goes well until I configure my server to reject unauthorized client certificates, at which point the SSL handshake with Apple fails. I need this check to avoid receiving requests from sources other than Apple's servers, and I'd hate to resort to things like IP whitelisting or checking that the CN contains *Apple*, etc.


My server runs on a clean EC2 instance using Node.js. I have no explicit CA file configured for my https listener, so I'm assuming the default set of well-known CAs is used by Node (right?).


How can I best validate the source of the request?

Thanks