iOS 13 TLS issue
I have installed the iOS 13 beta version and ran my framework, which contains a lot of network requests, but I got this error:

2019-09-19 15:01:33.566811+0200 ---[395:25439] Connection 4: default TLS Trust evaluation failed(-9814)
2019-09-19 15:01:33.567022+0200 ---[395:25439] Connection 4: TLS Trust encountered error 3:-9814
2019-09-19 15:01:33.567110+0200 ---[395:25439] Connection 4: encountered error(3:-9814)
2019-09-19 15:01:33.569824+0200 ---[395:25439] Connection 4: unable to determine interface type without an established connection
2019-09-19 15:01:33.584952+0200 ---[395:25439] Task <D97FD611-0B48-4DCE-99C9-6A971E5E6524>.<4> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9814])

I tried to find out what causes that problem, with no success. Can anyone help me?

Churl answered 19/9, 2019 at 13:8 Comment(3)
Something suspicious about this question. The "non-answers" are being upvoted, which suggests collusion of some sort. - Bellboy
@Bellboy and the answers are from "new" users - it is unlikely that they just accidentally found this question and decided to post a non-answer. Did you flag for mod attention yet? - Toxemia
@Toxemia I did, yes. - Bellboy

Apple has defined stricter rules for TLS server certificates, starting from iOS 13 and macOS 10.15.

All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.

TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.

TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

And the final note:

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

Borman answered 19/9, 2019 at 13:17 Comment(5)
Is there any way we can validate our old certificates and understand which pointers are going wrong? - Prat
Please help on this. How do we validate the self-signed certificates we are using? - Basham
I have an application which was running fine until iOS 13. I got this TLS issue. Is there any way to bypass this on the iOS side, because I can't change anything on my server now? - Bailee
@HussainChhatriwala Check my answer, please. - Brennabrennan
@Basham Check my answer, please. - Brennabrennan

I'm going to add some additional information. To check that your certificate is valid you can open it in Keychain Access and check that it contains correct information:

  • It expires in less than 825 days;
  • Signature algorithm isn't SHA-1 (SHA-256, probably);
  • Public key size isn't smaller than 2048 bits;
  • There's Extended Key Usage extension with "Server Authentication" purpose;
  • There's Subject Alternative Name extension that contains the server's DNS name.


Config example for OpenSSL:

# The [ ca ] / [ CA_default ] sections are read only by `openssl ca`;
# the `openssl req -x509` command below takes the validity from -days
# and signs with SHA-256 by default.
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = sha256
default_days = 825
[ req ]
prompt             = no
# RSA key size; 2048 is the minimum iOS 13 accepts, 4096 is used here
default_bits       = 4096
distinguished_name = req_distinguished_name
# extensions added to the self-signed certificate when -x509 is given
x509_extensions     = req_ext
[ req_distinguished_name ]
countryName                = ...
stateOrProvinceName        = ...
localityName               = ...
organizationName           = ...
# CommonName alone is no longer trusted; the DNS names must also be in the SAN
commonName                 = google.com
[ req_ext ]
# id-kp-serverAuth, required for certificates issued after July 1, 2019
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = google.com
DNS.2 = www.google.com

To generate new key-certificate pair run this command:

openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -out certificate.crt -days 825 -config config.cnf
Brennabrennan answered 11/11, 2019 at 5:1 Comment(1)
I cannot find the self-signed root certificate in my Keychain; how do I create a new one? Please help. - Lawlor
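The two answers above list the iOS 13 / macOS 10.15 certificate rules and show how to generate a compliant certificate, but checking an existing certificate is left to Keychain Access. The script below is an added example, not code from any of the answers: it generates one certificate that follows the rules and one that deliberately violates the SAN, EKU and validity rules (both from constructed configs), then runs each rule as a scripted check against the `openssl x509` output. It assumes OpenSSL 1.1.1 or newer (for the `-ext` option) and GNU `date` on a Linux host; all file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: script the iOS 13 certificate checklist with openssl.
set -u

WORK="$(mktemp -d)"

# Compliant config (constructed): RSA 2048, SAN with DNS names, EKU serverAuth.
cat > "$WORK/good.cnf" <<'EOF'
[ req ]
prompt             = no
default_bits       = 2048
distinguished_name = dn
x509_extensions    = ext
[ dn ]
CN = example.test
[ ext ]
extendedKeyUsage = serverAuth
subjectAltName   = DNS:example.test, DNS:www.example.test
EOF

# Non-compliant config (constructed): CN only, no SAN, no EKU.
cat > "$WORK/bad.cnf" <<'EOF'
[ req ]
prompt             = no
default_bits       = 2048
distinguished_name = dn
[ dn ]
CN = example.test
EOF

# Self-signed certs: the good one valid 825 days, the bad one 1000 days.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
  -keyout "$WORK/good.key" -out "$WORK/good.crt" -config "$WORK/good.cnf" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1000 \
  -keyout "$WORK/bad.key" -out "$WORK/bad.crt" -config "$WORK/bad.cnf" 2>/dev/null

# check_cert FILE: print one FAIL line per violated rule; return 1 if any rule failed.
check_cert() {
  local crt="$1" text bits sig_alg san eku nb na days status=0
  text="$(openssl x509 -in "$crt" -noout -text)"

  # Rule: RSA keys must be at least 2048 bits.
  bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)"
  if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
    echo "FAIL key size ${bits} < 2048"; status=1
  fi

  # Rule: signature hash must be from the SHA-2 family (SHA-1 is rejected).
  sig_alg="$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n1)"
  case "$sig_alg" in
    *sha256*|*sha384*|*sha512*|*SHA256*|*SHA384*|*SHA512*) ;;
    *) echo "FAIL signature algorithm '${sig_alg}' is not SHA-2"; status=1 ;;
  esac

  # Rule: the DNS name must appear in subjectAltName; CN alone is not trusted.
  san="$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null || true)"
  case "$san" in
    *DNS:*) ;;
    *) echo "FAIL no DNS name in subjectAltName"; status=1 ;;
  esac

  # Rule: extendedKeyUsage must contain id-kp-serverAuth.
  eku="$(openssl x509 -in "$crt" -noout -ext extendedKeyUsage 2>/dev/null || true)"
  case "$eku" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "FAIL extendedKeyUsage lacks serverAuth"; status=1 ;;
  esac

  # Rule: validity period (notAfter - notBefore) must be 825 days or fewer.
  nb="$(openssl x509 -in "$crt" -noout -startdate | cut -d= -f2)"
  na="$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)"
  days=$(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
  if [ "$days" -gt 825 ]; then
    echo "FAIL validity ${days} days > 825"; status=1
  fi
  return "$status"
}

for c in good bad; do
  echo "== $c.crt"
  check_cert "$WORK/$c.crt" && echo "OK: meets the iOS 13 requirements" || echo "-> not trusted by iOS 13"
done
```

Run it on a real server certificate with `check_cert /path/to/server.crt`; every FAIL line maps to one of the rules quoted from Apple above, so the output tells you which part of the certificate needs reissuing.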
