Why is my server certificate being rejected?

Question

I am trying to connect my app to a server using TLS 1.2. The server is using a certificate that has been signed by a self-signed CA certificate that is already installed on the device (I emailed the CA certificate to myself, tapped it. Now it shows up under Settings -> General -> Profiles). This was previously working in my app, but we have changed the CA certificate we're using so I've updated the server's certificate as well. Now I'm getting SSL failures.

The error I'm seeing is errSSLXCertChainInvalid from my call to SSLHandshake on the client. As far as I can tell, the server certificate should be valid. openssl verify -CAfile ca-cert.pem server-cert.pem returns OK, and that ca-cert.pem is the same CA certificate I've installed on the device.

Any ideas? Thanks!

Answer 1

There's some information in apple's documentation regarding this error:

errSSLXCertChainInvalid — The peer has an invalid certificate chain; for example, signature verification within the chain failed, or no certificates were found.

And if you use SSLSetPeerDomainName:

You can use this function to verify the common name field in the peer’s certificate. If you call this function and the common name in the certificate does not match the value you specify in the peerName parameter, then handshake fails and returns errSSLXCertChainInvalid.

I'd suggest uninstalling your device configuration profile, and creating a new one.

Also, it might be a good idea to check if you can access the server without errors from, say, a web browser. This will reveal if there is a problem with the certificate, or just your configuration profile on your iOS device.