I've added an SSL certificate (from GoDaddy, but also tried RapidSSL) to a website.
Safari and IE can both browse to https:// and report that the certificate is valid, with no warnings. If, however, I try to browse to the same address from an iPhone, I get an invalid certificate error. I'm using Heroku as a host for the website in question.
Has anybody seen this? I'm stumped as to why 2 different iPhones would fail to do this, but desktop browsers are just fine...
The Secure Sockets Layer (SSL) provides encryption for TCP/IP connections as they transit the Internet and local networks between a client and a server. In the case of iPhone email, SSL encrypts all of the communication between your phone and your mail server.
SSL is Encryption: You are getting this message because you are trying to connect using encryption. So, if connected to an encrypted (secure) connection, then disconnect from it. Such connections come from Security Software. So, remove Security Software from your iPhone.
If you want to turn on SSL/TLS trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate. Apple recommends deploying certificates via Apple Configurator or Mobile Device Management (MDM).
The problem here turned out to be that the iPhone does not support Server Name Indication (SNI), which is required for SNI SSL from Heroku to work. (EDIT) It is now supported from iOS 3.2 onwards.
You can confirm SNI by going to the following URL from Safari on the phone:
https://sni.velox.ch
I figured out I can set the following SSL setting in the iphone client:
kCFStreamSSLPeerName = Null
... and this fixes the problem. But I haven't figured out yet how this affects security - the docs aren't very clear.
As far as I understand this, when you set up a custom domain on a cloud host such as Heroku, it points to a proxy, and that name doesn't match your certificate's host name. Browsers such as Safari and IE support SNI and know how to figure this out - but the phone doesn't.
As I said above, this is less of an issue now, unless you are supporting iOS 3.1.3 or less...
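The SNI problem and the kCFStreamSSLPeerName workaround from the posts above, as an added Go example that is not code from the question, the answers, Heroku or Apple: a loopback server stands in for the hosting proxy and hands out the site's certificate only when the ClientHello names it via SNI, and the client can be told to send SNI or not and to check the hostname or not. The names www.example.com and proxy.example.net, the certificates and the trust pool are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for one DNS name (constructed, fresh each run).
func selfSigned(name string) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// startProxy models the hosting proxy: the site certificate is served only when the ClientHello's SNI names the site.
func startProxy(site, proxy tls.Certificate) (addr string, stop func()) {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if h.ServerName == site.Leaf.DNSNames[0] { return &site, nil }
		return &proxy, nil // no (or a different) SNI name: the proxy's own certificate goes out
	}})
	go func() { // accept loop: each connection only runs its handshake, then closes
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// connect runs one client handshake; sni="" sends no SNI extension (the pre-3.2 iPhone) and expect=""
// skips the hostname check (kCFStreamSSLPeerName = NULL). It returns the name on the certificate the server sent.
func connect(addr string, roots *x509.CertPool, sni, expect string) (presented string, err error) {
	cfg := &tls.Config{ServerName: sni, InsecureSkipVerify: true, // chain and hostname are verified by hand below
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil { return err }
			presented = leaf.DNSNames[0]
			_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expect})
			return err
		}}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil { conn.Close() }
	return presented, err
}
```

Three client settings tell the story: sni/expect of (www.example.com, www.example.com) verifies cleanly, ("", www.example.com) is handed the proxy's certificate and fails the hostname check, and ("", "") completes the handshake while holding a certificate for the wrong name. That last case is the cost of kCFStreamSSLPeerName = NULL: any certificate chaining to a trusted root is accepted, whichever host it was issued for.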
You also need to reference the intermediate certificate so that you have the entire certificate chain back to the root certificate.
See this blog post for a description of the same problem and how he solved it for Apache.