iOS client fails server verification / authentication with f5 BigIP only when server requires client certificate

StackOverflow https://stackoverflow.com/questions/19563459

01-07-2022

Question

I am running into a strange error in my iOS client when attempting to connect to an f5 BigIP server via 2-way SSL (HTTPS) - the client is able to verify the server via its certificate only when the server is not requiring a client certificate during the SSL negotiation. The certificate for the Root CA that signed the server and my client certificates is already in my trusted anchor certs list.

Here are the steps in each test that I have attempted, and their SSL negotiation outcomes:

  1. Server does NOT require client cert, client verifies server cert (1-way ssl: client -> server)
    • Client verifies server certificate (pass)
    • Client provides its cert to server (unchecked - not required by server)
    • Connection established, server allows client access
  2. Server requires client cert, client verifies server cert (2-way SSL: client <-> server)
    • Client verifies server cert (FAIL!!)
    • Nothing else happens
  3. Server requires client cert, client accepts any server as trusted (1-way SSL: client <- server)
    • Client does NOT verify server cert (setAllowsAnyHTTPSCertificate:YES - done for testing purposes only)
    • Client provides its cert to server (pass)
    • Connection established, server allows client access

Between cases 1 and 2, only the server is changed to require client certs (thereby enabling 2-way SSL), while the client verifies the server cert in both cases. Between cases 2 and 3, the client is changed to accept all server certs while the server requires a client certificate in both cases.

So it appears that I am only able to achieve 1-way SSL in either direction, but not 2-way SSL. This is strange because the initial step, where the client verifies the server, should happen before the server asks for a client certificate, and therefore should produce the same result each time. The error I get from test case 2 is as follows:

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “server.myexample.com” which could put your confidential information at risk. Error occurred while fetching https://server.myexample.com/service: Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “server.myexample.com” which could put your confidential information at risk.

I get additional messages with the same info but specifying the errors: NSErrorFailingURLStringKey, NSErrorFailingURLKey, NSUnderlyingError, and NSURLErrorFailingURLPeerTrustErrorKey.

I don't believe I need a different server certificate for 2-way vs 1-way SSL, or do I?

Thanks in advance!

Solution

The problem was that I had the client request in an iRule on the f5 server. I removed this part of the iRule and added the request into the client SSL profile. This appears to work with the iOS client, meaning there is probably something strange with the iOS code since all browsers I have tested work either way I make the request (either iRule or client SSL profile). The iOS app only works with making the request in the client SSL profile.
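The kind of iRule the answer refers to, and its replacement by the profile-level setting, as an added illustration (not the poster's actual configuration, which is not shown; `my_clientssl` and `my_root_ca.crt` are placeholder names):

```tcl
# Constructed illustration of the pattern the answer moved away from: the
# client SSL profile does not request a certificate during the initial
# handshake, so an iRule asks for one afterwards by forcing a TLS
# renegotiation once the first HTTP request arrives. Per the answer, the iOS
# client only succeeded after this request was moved out of the iRule.
when HTTP_REQUEST {
    if { [SSL::cert count] == 0 } {
        SSL::cert mode require
        SSL::renegotiate
    }
}

# Replacement: remove the iRule from the virtual server and let the client
# SSL profile itself require a client certificate in the initial handshake,
# validated against the trusted CA bundle, e.g. via tmsh:
#   tmsh modify ltm profile client-ssl my_clientssl peer-cert-mode require ca-file my_root_ca.crt
```

With the profile setting in place, the certificate request is part of the first handshake and no mid-connection renegotiation occurs; verify by checking that a connection with no client certificate is rejected at handshake time rather than after the first request.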

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow