I want to securely communicate with my server and here is what I am doing... <pre class="prettyprint"><code>NSURLProtectionSpace *protectionSpace = [challenge protectionSpace]; SecTrustRef trust = [protectionSpace serverTrust]; NSURLCredential *credential = [NSURLCredential credentialForTrust:trust]; SecPolicyRef myPolicy = SecPolicyCreateBasicX509(); NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert. credential = [NSURLCredential credentialForTrust:trust]; SecTrustSetAnchorCertificates(trust, (CFArrayRef) [NSArray arrayWithObject:(id) certificate ]); OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust); SecTrustResultType trustResult = 0; if (status == noErr) { status = SecTrustEvaluate(trust, &trustResult); } NSLog(@"Trust I get: %d", trustResult); [certs release]; if (trustResult == kSecTrustResultRecoverableTrustFailure) { NSLog(@"Recoverable Failure"); CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime; CFDateRef newDate; trustTime = SecTrustGetVerifyTime(trust); timeIncrement = 31536000; currentTime = CFAbsoluteTimeGetCurrent(); newTime = currentTime - timeIncrement; if (trustTime - newTime){ newDate = CFDateCreate(NULL, newTime); SecTrustSetVerifyDate(trust, newDate); status = SecTrustEvaluate(trust, &trustResult); } NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here } </code></pre> Anybody has idea why it is happening... Seems it is not about the expiration of the certificate (which is not in reality as well) but could be the reason. thank you al

<code>SecTrustResultRecoverableTrustFailure</code> happens if <ul> <li>the certificate is md5 hashed (IOS5)</li> <li>the server does not present the root and intermediate certificates</li> <li>the SecTrustSetAnchorCertificatesOnly(trust,YES) is set and the anchor certificate is only in the built in anchor certificates</li> <li>the certificate is expired</li> <li>?</li> </ul> I solved my problem by configuring the webserver to send the whole certificate chain instead of only the server certificate. By configuring my apache mod_ssl: https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile

Continuously getting kSecTrustResultRecoverableTrustFailure while trust evaluation

I want to securely communicate with my server and here is what I am doing...

NSURLProtectionSpace *protectionSpace = [challenge protectionSpace];
SecTrustRef trust = [protectionSpace serverTrust];
NSURLCredential *credential = [NSURLCredential credentialForTrust:trust];

    SecPolicyRef myPolicy = SecPolicyCreateBasicX509();

NSArray * certs = [[NSArray alloc] initWithObjects:(id)certificate,nil]; //certificate is my server's cert.
credential = [NSURLCredential credentialForTrust:trust];

    SecTrustSetAnchorCertificates(trust,
                                  (CFArrayRef) [NSArray arrayWithObject:(id) certificate ]);    

OSStatus status = SecTrustCreateWithCertificates(certs, myPolicy, &trust);

SecTrustResultType trustResult = 0;

if (status == noErr) {
    status = SecTrustEvaluate(trust, &trustResult);
}

    NSLog(@"Trust I get: %d", trustResult);
[certs release];

if (trustResult == kSecTrustResultRecoverableTrustFailure) {
    NSLog(@"Recoverable Failure");
    CFAbsoluteTime trustTime,currentTime,timeIncrement,newTime;
    CFDateRef newDate;

    trustTime = SecTrustGetVerifyTime(trust);             
    timeIncrement = 31536000;                               
    currentTime = CFAbsoluteTimeGetCurrent();              
    newTime = currentTime - timeIncrement;                  
    if (trustTime - newTime){                               
        newDate = CFDateCreate(NULL, newTime);              
        SecTrustSetVerifyDate(trust, newDate);            
        status = SecTrustEvaluate(trust, &trustResult);   
    }
    NSLog(@"Trust again:%d", trustResult);// AGAIN kSecTrustResultRecoverableTrustFailure(5) over here

}

Anybody has idea why it is happening... Seems it is not about the expiration of the certificate (which is not in reality as well) but could be the reason.

thank you

al

How do I fix certificate not trusted on iPhone?

If you want to turn on SSL trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate. Apple recommends deploying certificates via Apple Configurator or Mobile Device Management (MDM).

What does server trust failure mean?

If this trust evaluation fails, the client refuses to connect. This can happen for a variety of reasons, some benign—the server might be using a self-signed certificate, an intermediate certificate is missing, and so on—and some malicious—the server is an impostor, looking to steal the user's data.

What is certificate trust settings iPhone?

An iPhone and iPad can update certificates wirelessly if any of the preinstalled root certificates become compromised. You can disable this feature using the mobile device management (MDM) restriction, “Allow automatic updates to certificate trust settings,” which prevents wireless certificate updates.

How do I find trusted certificates on my iPhone?

You can find certificates installed on your device in Settings → General → About → Certificate Trust Settings.

SecTrustResultRecoverableTrustFailure happens if

the certificate is md5 hashed (IOS5)
the server does not present the root and intermediate certificates
the SecTrustSetAnchorCertificatesOnly(trust,YES) is set and the anchor certificate is only in the built in anchor certificates
the certificate is expired
?

I solved my problem by configuring the webserver to send the whole certificate chain instead of only the server certificate.

By configuring my apache mod_ssl: https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile

Continuously getting kSecTrustResultRecoverableTrustFailure while trust evaluation - iphone

Tags:

certificate

ssl

ios4

security-framework

Deam

People also ask

1 Answers

n3utrino

Recent Activity

Donate For Us