Login/Register
Continuously getting kSecTrustResultRecoverableTrustFailure while trust evaluation - iphone
Asked Answered
ios4sslcertificatesecurity-framework
H

1

5

I want to securely communicate with my server and here is what I am doing...

NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
SecTrustRef trust = [protectionSpace serverTrust];
NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];

    SecPolicyRef myPolicy = SecPolicyCreateBasicX509();

NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert.
credential = [NSURLCredential credentialForTrust:trust];

    SecTrustSetAnchorCertificates(trust,
                                  (CFArrayRef) [NSArray arrayWithObject:(id) certificate ]);    

OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust);

SecTrustResultType trustResult = 0;

if (status == noErr) {
    status = SecTrustEvaluate(trust, &trustResult);
}

    NSLog(@"Trust I get: %d", trustResult);
[certs release];

if (trustResult == kSecTrustResultRecoverableTrustFailure) {
    NSLog(@"Recoverable Failure");
    CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime;
    CFDateRef newDate;

    trustTime = SecTrustGetVerifyTime(trust);             
    timeIncrement = 31536000;                               
    currentTime = CFAbsoluteTimeGetCurrent();              
    newTime = currentTime - timeIncrement;                  
    if (trustTime - newTime){                               
        newDate = CFDateCreate(NULL, newTime);              
        SecTrustSetVerifyDate(trust, newDate);            
        status = SecTrustEvaluate(trust, &trustResult);   
    }
    NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here

}

Anybody has idea why it is happening... Seems it is not about the expiration of the certificate (which is not in reality as well) but could be the reason.

thank you

al

Houseless answered 17/3, 2011 at 15:7 Comment(0)
L
5

SecTrustResultRecoverableTrustFailure happens if

  • the certificate is md5 hashed (IOS5)
  • the server does not present the root and intermediate certificates
  • the SecTrustSetAnchorCertificatesOnly(trust,YES) is set and the anchor certificate is only in the built in anchor certificates
  • the certificate is expired
  • ?

I solved my problem by configuring the webserver to send the whole certificate chain instead of only the server certificate.

By configuring my apache mod_ssl: https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile

Lonilonier answered 14/10, 2011 at 6:58 Comment(3)
how to configure apache server to send the whole certificate chain?Orella
can anyone answer the newguy's question? I am in the same boat as he is.. ThanksProstitute
Depends on what webserver you use. httpd.apache.org/docs/2.2/mod/… might help you for apache.Lonilonier

© 2022 - 2024 — McMap. All rights reserved.