CODEWITHSUNDEEP
ios4sslcertificatesecurity-framework
Deam
Deam

Reputation: 1007

Continuously getting kSecTrustResultRecoverableTrustFailure while trust evaluation - iphone

I want to securely communicate with my server and here is what I am doing...

NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
SecTrustRef trust = [protectionSpace serverTrust];
NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];

    SecPolicyRef myPolicy = SecPolicyCreateBasicX509();

NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert.
credential = [NSURLCredential credentialForTrust:trust];

    SecTrustSetAnchorCertificates(trust,
                                  (CFArrayRef) [NSArray arrayWithObject:(id) certificate ]);    

OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust);

SecTrustResultType trustResult = 0;

if (status == noErr) {
    status = SecTrustEvaluate(trust, &trustResult);
}

    NSLog(@"Trust I get: %d", trustResult);
[certs release];

if (trustResult == kSecTrustResultRecoverableTrustFailure) {
    NSLog(@"Recoverable Failure");
    CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime;
    CFDateRef newDate;

    trustTime = SecTrustGetVerifyTime(trust);             
    timeIncrement = 31536000;                               
    currentTime = CFAbsoluteTimeGetCurrent();              
    newTime = currentTime - timeIncrement;                  
    if (trustTime - newTime){                               
        newDate = CFDateCreate(NULL, newTime);              
        SecTrustSetVerifyDate(trust, newDate);            
        status = SecTrustEvaluate(trust, &trustResult);   
    }
    NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here

}

Anybody has idea why it is happening... Seems it is not about the expiration of the certificate (which is not in reality as well) but could be the reason.

thank you

al

Upvotes: 5

Views: 2599

Answers (1)

n3utrino
n3utrino

Reputation: 2381

SecTrustResultRecoverableTrustFailure happens if

  • the certificate is md5 hashed (IOS5)
  • the server does not present the root and intermediate certificates
  • the SecTrustSetAnchorCertificatesOnly(trust,YES) is set and the anchor certificate is only in the built in anchor certificates
  • the certificate is expired
  • ?

I solved my problem by configuring the webserver to send the whole certificate chain instead of only the server certificate.

By configuring my apache mod_ssl: https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile

Upvotes: 5

Related Questions