SSL problem on iPhone


Solution 1


The problem here turned out to be that the iPhone does not support Server Name Indication (SNI), which is required for Heroku's SNI-based SSL to work. (EDIT) It is now supported on iOS 3.2 onwards.

You can confirm SNI by going to the following URL from Safari on the phone:

https://sni.velox.ch

I figured out I can set the following SSL setting in the iPhone client:

kCFStreamSSLPeerName = Null

... and this fixes the problem. But I haven't figured out yet how this affects security - the docs aren't very clear.

As far as I understand this, when you set up a custom domain on a cloud host such as Heroku, it points to a proxy, and that name doesn't match your certificate host name. Browsers such as Safari and IE support SNI, and know how to figure this out - but the phone doesn't.

As I said above, this is less of an issue now, unless you are supporting iOS 3.1.3 or less...

Solution 2

You also need to reference the intermediate certificate so that you have the entire certificate chain back to the root certificate.

See this blog post for a description of the same problem and how he solved it for Apache.

Solution 3

Simply because those two certificate authorities are not in the trusted certificate store of the iPhone, but they are for Windows, Firefox, etc.

EDIT:

I'm guessing the previous poster is correct: you are not bundling the intermediate certs. Your certificate might have been signed by rapidssl.com, but rapidssl.com's certificate was signed by Equifax. Every certificate has an Issuer Name field and a Subject Name field; think of these as a pair of names (X, Y). Your certificate's subject name reflects your website name, and it was signed by RapidSSL, so that pair is something like (rapidssl, www.whatever.com). The RapidSSL cert was signed by Equifax, so that would make the pair (equifax, rapidssl). And the Equifax cert might have (equifax, equifax). The root cert should have the same issuer and subject name. As you can see, this forms a chain of the form (A,A) (A,B) (B,C) (C,D) ... for however long it goes. It is rarely longer than 3. The rule for SSL is that you should send every certificate in the chain except the root certificate. Some clients may already have the intermediate cert(s), but you should never count on that.
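As an added illustration of the chain rule described in Solutions 2 and 3 (this is example code, not from any of the answers), the function below models certificates as (issuer, subject) name pairs and walks from the leaf up to a trusted name, so you can see why a server that omits its intermediate passes on a desktop that has the intermediate cached but fails on a phone that does not. All names are made up for the example.

```python
# Added example: models the (issuer, subject) chain rule from the answer above.
# A certificate is represented only by its name pair; no real X.509 parsing.

def verify_chain(served, trust_store):
    """Walk from the leaf (served[0]) issuer-by-issuer until a trusted name.

    served:      list of (issuer, subject) pairs in the order the server sends
                 them; served[0] must be the website's own certificate.
    trust_store: set of names the client already trusts (its roots, plus any
                 intermediates it happens to have cached).
    Returns (ok, message).
    """
    if not served:
        return False, "server sent no certificate"
    # Index every certificate the server sent by its subject name.
    issuer_of = {subject: issuer for issuer, subject in served}
    # Sending a self-signed root (A, A) is harmless but unnecessary.
    root_sent = any(issuer == subject for issuer, subject in served)
    path = []
    current = served[0][1]          # leaf subject, e.g. www.whatever.com
    visited = set()
    while True:
        if current in visited:
            return False, f"loop in chain at {current!r}"
        visited.add(current)
        issuer = issuer_of.get(current)
        if issuer is None:
            # Not served, and not trusted (checked below on the previous step):
            # this is the "missing intermediate" failure seen on the phone.
            return False, (f"missing certificate for {current!r}: the server did "
                           f"not send it and the client does not have it")
        path.append(current)
        if issuer == current:
            return False, f"chain ends at untrusted self-signed root {current!r}"
        if issuer in trust_store:
            note = " (server also sent the root; it can be dropped)" if root_sent else ""
            return True, "chain complete: " + " <- ".join(path + [issuer]) + note
        current = issuer


if __name__ == "__main__":
    # Constructed scenario: the server sends only its own certificate.
    only_leaf = [("RapidSSL CA", "www.whatever.com")]
    phone = {"Equifax Secure CA"}                    # root only, no intermediate cached
    desktop = {"Equifax Secure CA", "RapidSSL CA"}   # intermediate already cached
    print("phone  :", verify_chain(only_leaf, phone))    # fails: missing RapidSSL CA
    print("desktop:", verify_chain(only_leaf, desktop))  # passes by luck
    # Fixed server: leaf followed by the intermediate, root omitted.
    full = only_leaf + [("Equifax Secure CA", "RapidSSL CA")]
    print("phone  :", verify_chain(full, phone))         # passes everywhere
```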

Author by cmaughan

Updated on June 26, 2022

Comments

  • cmaughan
    cmaughan almost 2 years

    I've added an SSL certificate (from godaddy, but also tried rapidssl) to a website.

    Safari, and IE can both browse to https:// and report that the certificate is valid, with no warnings. If, however, I try to browse to the same address from an iPhone I get an invalid certificate error. I'm using heroku as a host for the website in question.

    Has anybody seen this? I'm stumped why 2 different iPhones would fail to do this, but desktop browsers are just fine...

  • cmaughan
    cmaughan over 14 years
    Both providers are in the certificate store, according to apple: support.apple.com/kb/HT3580
  • President James K. Polk
    President James K. Polk over 14 years
    What does the certificate chain look like up to your certificate? I'm interested in the Issuer and Subject DNs, not including the Subject DN of your cert.
  • cmaughan
    cmaughan over 14 years
    I did that for the GoDaddy cert - you just cat together the bundle with your certificate. Note that I said it works just fine on all browsers I've tried, just not the iPhone, so I'm pretty sure the certificate is installed correctly.
  • cmaughan
    cmaughan over 14 years
    The chain is basically 'Equifax Secure Certificate Authority', under which I have my own certificate for the domain. I'm not sure what you mean by 'Subject DNs'?
  • Dave
    Dave over 14 years
    I had this same problem (with a Blackberry as well as the iPhone). It was exactly this. The server was just sending the cert and expecting the client to have the intermediate cert as well as the root cert. Mobile devices many times don't have these intermediate certs installed, so the trust chain is broken.
  • President James K. Polk
    President James K. Polk over 14 years
    Sorry for using jargon. DN is short for "Distinguished Name". Basically, every certificate has a field for the issuer name and another field for the subject name.
  • President James K. Polk
    President James K. Polk over 14 years
    As an example, my Firefox 3.5.6 has a Go Daddy intermediate cert but not the RapidSSL intermediate cert.
  • President James K. Polk
    President James K. Polk over 14 years
    Hmmm, I don't see the RapidSSL CA at that apple.com link.
  • jdkoftinoff
    jdkoftinoff almost 14 years
    Thank you for the handy link. FYI, I just tried it on an iOS 4 based iPhone and it is supported in iOS 4. I did not try previous versions.
  • Tom Andersen
    Tom Andersen over 13 years
    I think that SNI support is NOT there on the iPad 3.2.2 - just tried it now. It does work on an iPhone with 4.1, and so it should also work on iPad 4.2, it seems. This is on a Heroku SNI site that works everywhere else, except XP (XP does not support SNI).