Reputation: 55
I have an iOS application running on iOS 13.3 device (iPhone XR) that launches a local websocket server listening on 127.0.0.1:9002 inside my app using Swift NIO Transport Services.
I have a self-signed certificate I use to set up the TLS options within Swift NIO. This certificate matches the requirements specified by Apple here: Requirements for trusted certificates in iOS 13 and macOS 10.15. The Root CA is explicitly trusted on my device and also respects the requirements.
Inside my app, I load a WKWebView that displays the website: https://www.websocket.org/echo.html.
When I try to connect to wss://127.0.0.1:9002, I always get the same error:
WebSocket network error: The operation couldn't be completed. (OSStatus error -9807.)
Which in the Security framework stands for:
errSSLXCertChainInvalid
I'd like to point out that everything works fine when I try the same steps without TLS.
Any idea what I am doing wrong with my certificates? I have been struggling with it for a couple of days. Thanks.
EDIT: I found the cause of my problem. I forgot to add the full, correct certificate chain on the server side, so the client could not correctly verify the identity of the server, because I had only the server certificate and not the entire certificate chain including the intermediate certificate and the root CA.
Upvotes: 1
Views: 2873
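The failure in the EDIT (a server that presents only its leaf certificate, so a client trusting just the root cannot build the chain) can be reproduced and checked outside the app with nothing but the openssl CLI. The script below is an added example, not code from the question or from Swift NIO: it builds a root CA, an intermediate CA and a leaf for 127.0.0.1 (following the iOS 13 rules the question links to: RSA 2048, SHA-256, a SAN, serverAuth EKU, validity of at most 825 days), then validates the leaf the way a client would, with only the root in the trust store and everything else taken from what the server sends. All names, paths and subjects are constructed for the example.

```shell
#!/bin/sh
# Added example (not the asker's code): reproduce the "incomplete chain" failure
# with openssl and show the fix, which is to send leaf + intermediate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the two CA certificates (root and intermediate).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Extensions for the leaf: SAN and serverAuth EKU are required on iOS 13.
cat > server.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:127.0.0.1
EOF

# 1. Self-signed root CA: this is the only thing the device trusts.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -sha256 -days 825 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# 2. Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -sha256 -days 825 -extfile ca.ext -out int.pem >/dev/null 2>&1

# 3. Leaf (server) certificate for 127.0.0.1 signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=127.0.0.1" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -sha256 -days 825 -extfile server.ext -out server.pem >/dev/null 2>&1

# What the server should actually present: leaf first, then the intermediate.
cat server.pem int.pem > fullchain.pem

# Validate the leaf the way a client does: root.pem comes from the trust store,
# $1 is the set of certificates the server sent in the handshake. Also checks
# that the SAN matches the IP the client connected to.
client_accepts() {
  openssl verify -CAfile root.pem -verify_ip 127.0.0.1 -untrusted "$1" server.pem \
    >/dev/null 2>&1
}

# Report both configurations. Only the full chain validates.
if client_accepts server.pem; then
  echo "leaf only:  accepted"
else
  echo "leaf only:  rejected (unable to get local issuer certificate)"
fi
if client_accepts fullchain.pem; then
  echo "full chain: accepted"
else
  echo "full chain: rejected"
fi
```

The "leaf only" case is the -9807 (errSSLXCertChainInvalid) situation from the question: the client has the root, the server hands over the leaf, and nothing links the two. Whatever TLS library runs the server, the chain file it is configured with must contain the intermediate(s) below the leaf; including the root as well is harmless, but the intermediate is what cannot be omitted.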
Reputation: 2862
I created a package to handle sockets written in Obj-C for iOS, and it takes into account the latest TLS restrictions that Apple has imposed (which is the problem you are running into). Check out the GitHub page for my helper class; there is a lot of good info about how to create the certificates correctly given the new restrictions. If you don't, you won't be able to make a handshake.
https://github.com/eamonwhiter73/IOSObjCWebSockets/tree/master
Also, specifically - with your error, it is recognizing that the certificate "chain" (CA->intermediate CA->server certificate) is invalid. Any part of that chain could be causing the problem, and if you aren't using an intermediate CA to sign the server certificate, it also might not work - I never really tested to that point.
Upvotes: 0