iOS 10.2 problems with SSL/TLS connections

Discussion in 'iOS 10' started by d4gli, Dec 13, 2016.

  1. d4gli macrumors member

    Joined:
    Jun 15, 2016
    #1
    Hi everyone,

    after upgrading to iOS 10.2 (final) I'm experiencing several problems connecting to SSL/TLS services. This includes HTTPS, SMTP, IMAPS, [...]. Pre 10.2 devices are still running and syncing, but every 10.2 device runs into connection troubles on every secure layer protocol.

    The server systems are configured with DNSSec, TLSA, 4k RSA cert, 4k DH key for PFS. Root CA is known and imported on every device. The problem came straight up after upgrade on every device. Even a fresh installation doesn't solve this; it seems to belong only to 10.2. I can't find any related points in the actual changelog.

    Anyone else?
     
  2. d4gli, Dec 13, 2016
    Last edited: Dec 13, 2016

    d4gli thread starter macrumors member

    Joined:
    Jun 15, 2016
    #2
    Alright, this belongs to my used certificates from StartCom CA. With iOS 10.2 and even with the new macOS Sierra 10.12.2, the SubCA 'StartCom Class 1 DV Server CA' got revoked in the keystore (iOS won't display any warning, error message or sth. like that).

    Edit:
    After I knew what to look at, I found:
    "Apple products will block certificates from WoSign and StartCom root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC."
    I can confirm latest iOS 10.2 enforces this. SSL requests will fail immediately.
    https://support.apple.com/en-us/HT204132
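The policy quoted in this post can be turned into a quick diagnostic. The following is an added example (not code from the thread or from Apple): it applies the "Not Before on or after 1 Dec 2016" rule to a leaf certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, using an assumed name-matching heuristic on the issuer (matching "StartCom"/"WoSign") rather than Apple's actual trust-store mechanism; the sample certificate dict is constructed.

```python
import ssl
import socket
from datetime import datetime, timezone

# Cut-off from the Apple note quoted above (HT204132): certificates chaining to
# WoSign/StartCom roots with "Not Before" on/after this instant are distrusted.
CUTOFF = datetime(2016, 12, 1, 0, 0, 0, tzinfo=timezone.utc)

# Assumption (heuristic, not Apple's mechanism): identify the affected CAs by
# matching the issuer's organizationName / commonName against these markers.
BLOCKED_CA_MARKERS = ("startcom", "wosign")


def _issuer_fields(cert):
    """Flatten the issuer RDN tuples from getpeercert() into a flat dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def not_before(cert):
    """Parse the 'notBefore' string ('Dec  1 00:00:00 2016 GMT') as aware UTC."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def is_blocked_by_ios_10_2(cert):
    """True if this leaf would be rejected under the quoted Apple policy."""
    issuer_text = " ".join(_issuer_fields(cert).values()).lower()
    from_affected_ca = any(m in issuer_text for m in BLOCKED_CA_MARKERS)
    return from_affected_ca and not_before(cert) >= CUTOFF


def check_host(host, port=443):
    """Live check (hypothetical helper): fetch host:port's leaf and apply the rule."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return is_blocked_by_ios_10_2(tls.getpeercert())


# Constructed sample in the same shape as getpeercert() returns (not a real cert).
SAMPLE_STARTCOM_DEC_2016 = {
    "subject": ((("commonName", "mail.example.invalid"),),),
    "issuer": ((("organizationName", "StartCom Ltd."),),
               (("commonName", "StartCom Class 1 DV Server CA"),)),
    "notBefore": "Dec  5 09:30:00 2016 GMT",
    "notAfter": "Dec  5 09:30:00 2017 GMT",
}
```

Certificates issued by the same SubCA before the cut-off pass the check, which matches the post's observation that only newly issued StartCom/WoSign certificates break on 10.2.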
     
  3. JPOWA macrumors regular

    Joined:
    Jun 29, 2010
  4. d4gli thread starter macrumors member

    Joined:
    Jun 15, 2016
    #4
    Not yet, except for switching to another CA (we temporarily switched to our own and deployed our Root CA to 80+ devices).
     
  5. JPOWA macrumors regular

    Joined:
    Jun 29, 2010
    #5
    I have problems with opening some https websites :/
     
  6. d4gli thread starter macrumors member

    Joined:
    Jun 15, 2016
    #6
    Sure, it'll be related to DV-signed sites by StartCom & WoSign.
     