Relaxing the validation of server certificates when using self-signed embedded certs #82
Open
kkieffer wants to merge 1 commit into Kitura:master from
Contributor
Author
Just checking in to see if there are any comments/questions on this PR....
Contributor
Contributor
Author
@billabt would you review?
Kudos, SonarCloud Quality Gate passed!
…signed (pinned) certificates using the x509 policy. The SSL policy adds hostname validation, and on iOS 13 additional restrictions on valid dates which aren't applicable when the client already has the server certificate. This modification allows for IP hostnames and self-signed certificates with longer validity before expiration. Also update the README to include using embedded self-signed certs.
Contributor
@kkieffer Would you be able to include unit tests to show that it relaxes self-signed certs but does not relax non-self-signed certs?
When using embedded self-signed (pinned) certificates, the default validation is to use the SSL policy, which is more restrictive than necessary. In addition to validating the x509 certificate, the SSL policy checks that the hostname you are connecting to is listed on the certificate. In iOS 13 and macOS Catalina, Apple has increased the certificate requirements. The hostname must be in the subject alternative field, and the certificate cannot be valid for more than 825 days.
When using certificate pinning, checking the hostname is not necessary because the client is only using the embedded cert for verification (see https://tools.ietf.org/html/rfc2818#section-3.1). Checking the hostname also precludes connecting to a server by IP address instead of a hostname.
To provide flexibility for self-signed certificates, this pull request changes the trust policy from SSL to x509 only when evaluating self-signed certificates.
Also updated the README to describe using embedded self-signed certs.
Motivation and Context
Relaxes certificate requirements that aren't necessary for pinned self-signed certs.
How Has This Been Tested?
Running swift tests, all tests pass. Have also validated against my own server using a self-signed cert that doesn't pass the requirements in iOS 13.
Checklist:
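
The policy switch described in this pull request, sketched as an added example (not the PR's code and not part of BlueSSLService). `PinError`, `isSelfIssued` and `evaluatePinned` are hypothetical names; the byte-for-byte leaf comparison is an extra check assumed here so that dropping hostname validation cannot accept any certificate other than the embedded one.

```swift
import Foundation
import Security

// Hypothetical helper types and functions for illustration only.
enum PinError: Error { case emptyChain, notSelfSigned, leafMismatch, trustSetup(OSStatus) }

/// True when subject and issuer names are identical. The signature itself is
/// verified later by SecTrustEvaluateWithError.
func isSelfIssued(_ cert: SecCertificate) -> Bool {
    guard let subject = SecCertificateCopyNormalizedSubjectSequence(cert),
          let issuer = SecCertificateCopyNormalizedIssuerSequence(cert) else { return false }
    return (subject as Data) == (issuer as Data)
}

/// Evaluates the chain presented by the server against one embedded certificate.
/// Requires SecTrustEvaluateWithError (iOS 12 / macOS 10.14 or later).
func evaluatePinned(serverChain: [SecCertificate], pinned: SecCertificate) throws -> Bool {
    guard let leaf = serverChain.first else { throw PinError.emptyChain }

    // Relax only for a self-signed pin; a CA-issued certificate should stay
    // on the SSL policy (SecPolicyCreateSSL) with hostname validation.
    guard isSelfIssued(pinned) else { throw PinError.notSelfSigned }

    // With no hostname check, identity rests on the pin alone, so the
    // presented leaf must be the embedded certificate itself.
    guard (SecCertificateCopyData(leaf) as Data) == (SecCertificateCopyData(pinned) as Data) else {
        throw PinError.leafMismatch
    }

    // Basic X.509 policy: certificate validation without hostname matching.
    var trustRef: SecTrust?
    var status = SecTrustCreateWithCertificates(serverChain as CFArray,
                                                SecPolicyCreateBasicX509(), &trustRef)
    guard status == errSecSuccess, let trust = trustRef else { throw PinError.trustSetup(status) }

    // Trust only the embedded certificate, never the system root store.
    status = SecTrustSetAnchorCertificates(trust, [pinned] as CFArray)
    guard status == errSecSuccess else { throw PinError.trustSetup(status) }
    status = SecTrustSetAnchorCertificatesOnly(trust, true)
    guard status == errSecSuccess else { throw PinError.trustSetup(status) }

    var error: CFError?
    return SecTrustEvaluateWithError(trust, &error)
}
```

The unit tests requested in the review map onto the two early exits: a CA-issued pin should throw `notSelfSigned`, and a server certificate that differs from the pin should throw `leafMismatch`.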