
d4gli

macrumors regular
Original poster
Jun 15, 2016
136
57
Zurich, Switzerland
Hi everyone,

After upgrading to iOS 10.2 (final) I'm experiencing several problems connecting to SSL/TLS services. This includes HTTPS, SMTP, IMAPS, [...]. Pre-10.2 devices are still running and syncing, but every 10.2 device runs into connection trouble on every secure-layer protocol.

The server systems are configured with DNSSEC, TLSA, 4k RSA cert, 4k DH key for PFS. The root CA is known and imported on every device. The problem showed up straight after the upgrade on every device. Even a fresh installation doesn't solve this; it seems to apply only to 10.2. I can't find any related points in the current changelog.

Anyone else?
 

d4gli

Alright, this is related to the certificates I use from StartCom CA. With iOS 10.2 and even with the new macOS Sierra 10.12.2, the SubCA 'StartCom Class 1 DV Server CA' got revoked in the keystore (iOS won't display any warning, error message or something like that).

Edit:
Once I knew what to look for, I found:
"Apple products will block certificates from WoSign and StartCom root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC."
I can confirm latest iOS 10.2 enforces this. SSL requests will fail immediately.
https://support.apple.com/en-us/HT204132
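
For admins who want to audit their own server certificates against the rule quoted above, here is an added example (not part of the original post and not Apple's code). It reads the text printed by `openssl x509 -noout -issuer -startdate` and applies the quoted cutoff; matching the CA by name in the issuer field is an assumption of this sketch, and the function names and sample lines are constructed.

```python
import calendar
import ssl

# Cutoff quoted from the Apple notice in the post: 1 Dec 2016 00:00:00 GMT/UTC.
CUTOFF = calendar.timegm((2016, 12, 1, 0, 0, 0))
# Assumption: the CA is recognised by name in the issuer DN. The quoted rule
# is about chaining to the WoSign/StartCom roots, so this is only a heuristic.
AFFECTED = ("startcom", "wosign")


def parse_fields(text):
    """Parse `openssl x509 -noout -issuer -startdate` output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")  # split at the first '=' only
        if sep and key.strip() in ("issuer", "notBefore"):
            fields[key.strip()] = value.strip()
    return fields


def blocked_by_cutoff(text):
    """Return (blocked, reason) for one certificate's openssl output."""
    fields = parse_fields(text)
    if "issuer" not in fields or "notBefore" not in fields:
        raise ValueError("need both issuer= and notBefore= lines")
    issuer = fields["issuer"].lower()
    if not any(name in issuer for name in AFFECTED):
        return False, "issuer is not WoSign/StartCom"
    # cert_time_to_seconds() parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" as UTC.
    if ssl.cert_time_to_seconds(fields["notBefore"]) >= CUTOFF:
        return True, "Not Before is on or after the cutoff"
    return False, "Not Before is earlier than the cutoff"


# Constructed sample output, not taken from a real certificate.
SAMPLE = (
    "issuer=C = IL, O = StartCom Ltd., CN = StartCom Class 1 DV Server CA\n"
    "notBefore=Dec  5 10:15:00 2016 GMT\n"
)

if __name__ == "__main__":
    print(blocked_by_cutoff(SAMPLE))
```
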
 