views: 1008
answers: 4

I've added an SSL certificate (from godaddy, but also tried rapidssl) to a website.

Safari, and IE can both browse to https:// and report that the certificate is valid, with no warnings. If, however, I try to browse to the same address from an iPhone I get an invalid certificate error. I'm using heroku as a host for the website in question.

Has anybody seen this? I'm stumped why two different iPhones would fail to do this, but desktop browsers are just fine...

A: 

Simply because those two certificate authorities are not in the trusted certificate store of the iPhone, but they are for Windows, Firefox, etc.

EDIT:

I'm guessing the previous poster is correct, you are not bundling the intermediate certs. Your certificate might have been signed by rapidssl.com, but rapidssl.com's certificate was signed by Equifax. Every certificate has an Issuer Name field and a Subject Name field; think of these as a pair of names (X,Y). Your certificate's subject name reflects your website name, and it was signed by rapidssl, so that pair is something like (rapidssl, www.whatever.com). The rapidssl cert was signed by Equifax, so that would make the pair (Equifax, rapidssl). And the Equifax cert might have (Equifax, Equifax). The root cert should have the same issuer and subject name. As you can see, this forms a chain of the form (A,A) (A,B) (B,C) (C,D) .... for however long it goes. It is rarely longer than 3. The rule for SSL is that you should send every certificate in the chain except the root certificate. Some clients may already have the intermediate cert(s), but you should never count on that.

GregS
Both providers are in the certificate store, according to Apple: http://support.apple.com/kb/HT3580
cmaughan
what does the certificate chain look like up to your certificate? I'm interested in the Issuer and Subject DNs, not including the Subject DN of your cert.
GregS
The chain is basically 'Equifax Secure Certificate Authority', under which I have my own certificate for the domain. I'm not sure what you mean by 'Subject DNs'?
cmaughan
Sorry for using jargon. DN is short for "Distinguished Name". Basically, every certificate has a field for the issuer name and another field for the subject name.
GregS
Hmmm, I don't see the RapidSSL CA at that apple.com link
GregS
+2  A: 

You also need to reference the intermediate certificate so that you have the entire certificate chain back to the root certificate.

See this blog post for a description of the same problem and how he solved it for Apache.

dmercredi
I did that for the godaddy cert - you just cat together the bundle with your certificate. Note that I said it works just fine on all browsers I've tried, just not the iphone, so pretty sure the certificate is installed correctly.
cmaughan
I had this same problem (with a Blackberry as well as the iPhone). It was exactly this. The server was just sending the cert and expecting the client to have the intermediate cert as well as the root cert. Mobile devices many times don't have these intermediate certs installed, so the trust chain is broken.
Robert S.
As an example, my Firefox 3.5.6 has a Go Daddy intermediate cert but not the RapidSSL intermediate cert.
GregS
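The two answers above (GregS on issuer/subject pairs, dmercredi and Robert S. on the missing intermediate) describe the same failure. As an added example, not code from the thread and not heroku's or any CA's procedure, the shell script below uses the openssl command-line tool to build a made-up three-link chain, Example Root CA -> Example Intermediate CA -> www.example.com, and then checks the leaf against a trust store holding only the root: once with nothing else, which is what a client sees when the server sends only its own certificate and the client has never cached the intermediate, and once with the intermediate offered alongside it, which is what a correctly bundled server does in the handshake. It assumes `openssl` (1.1.1 or later) is on the PATH; every name and file below is invented.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway chain
# (Example Root CA -> Example Intermediate CA -> www.example.com; all names
# invented) and shows why a server that sends only its own certificate fails
# on clients that do not already hold the intermediate. Needs openssl on PATH.
set -e

# Create root, intermediate and leaf under $1, plus bundle.pem (what a server should send).
build_chain() (
  cd "$1"
  # CA certs must carry CA:TRUE and keyCertSign; the site cert must not be a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

  # Root: self-signed, so issuer == subject, the (A,A) link in GregS's notation.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.pem 2>/dev/null

  # Intermediate: subject B, issued by A, the (A,B) link.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem 2>/dev/null

  # Leaf: the site certificate, issued by B, the (B,C) link.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.com" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null

  # The rule from the answer: serve the leaf plus every intermediate, never the root.
  cat leaf.pem int.pem > bundle.pem
)

# Print each link as issuer/subject so the (A,A) (A,B) (B,C) structure is visible.
show_chain() {
  for c in root int leaf; do
    openssl x509 -in "$1/$c.pem" -noout -issuer -subject
  done
}

# Exit 0 only if openssl reports the leaf as OK. Trust store = root only, which is
# the state of a client that has the root but has never seen the intermediate.
verify_leaf_alone() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Same trust store, but the intermediate is offered as an untrusted extra, which is
# what a server that bundles its intermediates provides during the handshake.
verify_leaf_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 \
    | grep -q ': OK$'
}

# Number of certificates in the bundle the server would serve (expect 2: leaf + intermediate).
bundle_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1/bundle.pem"
}

demo() {
  d=$(mktemp -d)
  build_chain "$d"
  show_chain "$d"
  if verify_leaf_alone "$d"; then echo "leaf alone: OK"
  else echo "leaf alone: FAILS (client has no intermediate)"; fi
  if verify_leaf_with_intermediate "$d"; then echo "leaf + intermediate: OK"; fi
  echo "bundle.pem holds $(bundle_cert_count "$d") certificates (leaf + intermediate, no root)"
  rm -rf "$d"
}

demo
```

To check a live site the same way, `openssl s_client -connect host:443 -showcerts` prints every certificate the server actually sends; if only one appears, the intermediate is not being bundled, whatever a desktop browser with a cached intermediate may say.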
A: 

Godaddy certificates should definitely be trusted on the iPhone (as well as RapidSSL). What is the exact error you are receiving? You can verify that the correct Intermediate certificates are being given out at http://www.sslshopper.com/ssl-checker.html

Robert
+1  A: 

The problem here turned out to be that the iPhone does not support Server Name Indication (SNI), which is required for SNI SSL from heroku to work. (EDIT) It is now supported on iOS 3.2 onwards.

You can confirm SNI by going to the following URL from Safari on the phone:

https://sni.velox.ch

I figured out I can set the following SSL setting in the iPhone client:

kCFStreamSSLPeerName = Null

... and this fixes the problem. But I haven't figured out yet how this affects security - the docs aren't very clear.

As far as I understand this, when you set up a custom domain on a cloud host such as heroku, it points to a proxy, and that name doesn't match your certificate host name. Browsers such as Safari and IE support SNI, and know how to figure this out - but the phone doesn't.

As I said above, this is less of an issue now, unless you are supporting iOS 3.1.3 or less...

cmaughan
Thank you for the handy link. FYI, I just tried it on an iOS 4 based iPhone and it is supported in iOS 4. I did not try previous versions.
jdkoftinoff