SSL problem on iPhone

Tags: https, ssl, iphone

I've added an SSL certificate (from GoDaddy, but also tried RapidSSL) to a website.

Safari and IE can both browse to https:// and report that the certificate is valid, with no warnings. If, however, I try to browse to the same address from an iPhone I get an invalid certificate error. I'm using Heroku as a host for the website in question.

Has anybody seen this? I'm stumped why 2 different iPhones would fail to do this, but desktop browsers are just fine...

asked Dec 30 '09 15:12

cmaughan



2 Answers


The problem here turned out to be that the iPhone does not support Server Name Indication (SNI), which is required for SNI SSL from Heroku to work. (EDIT) It is now supported on iOS 3.2 onwards.

You can confirm SNI by going to the following URL from Safari on the phone:

https://sni.velox.ch

I figured out I can set the following SSL setting in the iPhone client:

kCFStreamSSLPeerName = Null

... and this fixes the problem. But I haven't figured out yet how this affects security - the docs aren't very clear.

As far as I understand this, when you set up a custom domain on a cloud host such as Heroku, it points to a proxy, and that name doesn't match your certificate host name. Browsers such as Safari and IE support SNI, and know how to figure this out - but the phone doesn't.

As I said above, this is less of an issue now, unless you are supporting iOS 3.1.3 or less...

answered Oct 24 '22 06:10

cmaughan
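The SNI dependence described in the answer above can be checked from a desktop by comparing the certificate a server presents with and without the SNI extension. This is an added example, not code from the answer or from Heroku; the function names, `www.example.com` and the two sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl

def fetch_cert(host, port=443, send_sni=True, timeout=5.0):
    """Return the validated peer certificate as a getpeercert() dict.

    The chain is still verified against the system trust store; only the
    hostname check is deferred, so a mismatching default certificate can
    be inspected instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared in name_matches()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        sni = host if send_sni else None  # None => no SNI extension is sent
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(cert, host):
    """Case-insensitive match; '*' may only stand for the left-most label."""
    host = host.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def classify(host, cert_sni, cert_plain):
    with_sni, without = name_matches(cert_sni, host), name_matches(cert_plain, host)
    if with_sni and not without:
        return "sni-required"  # non-SNI clients get a mismatching default cert
    if with_sni:
        return "ok"
    return "mismatch"          # wrong certificate even when SNI is sent

# Constructed sample certificates in getpeercert() format (not real data).
SITE = {"subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
PROXY_DEFAULT = {"subject": ((("commonName", "*.proxy.example.net"),),),
                 "subjectAltName": (("DNS", "*.proxy.example.net"),)}

if __name__ == "__main__":
    print(classify("www.example.com", SITE, PROXY_DEFAULT))
```

Against a live host, pass `fetch_cert(host, send_sni=True)` and `fetch_cert(host, send_sni=False)` to `classify`. If `fetch_cert` raises `ssl.SSLCertVerificationError`, the chain itself did not validate, which is a separate problem from the name mismatch.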


You also need to reference the intermediate certificate so that you have the entire certificate chain back to the root certificate.

See this blog post for a description of the same problem and how he solved it for Apache.

answered Oct 24 '22 07:10

dmercredi