RE: [Fed-Talk] Re: SSL Client Certificates on iPhone
- Subject: RE: [Fed-Talk] Re: SSL Client Certificates on iPhone
- From: "Danziger, Alan D." <email@hidden>
- Date: Mon, 1 Feb 2010 17:50:19 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Re: SSL Client Certificates on iPhone
Shawn, thanks for responding.
Sorry - I thought I'd covered that in the detail that turning off the user auth worked. I do have the CA on the phone.
I have sent the cert and the CA in multiple ways (as an Enterprise Configuration profile, through Email, and through downloading from a web server). Doing so in an iPCU profile shows that it (the cert or ca) has the advantage that it is "Signed" vs. "Unsigned" when installed via email, but I could not tell any difference in functionality by doing so.
My next step, as far as I can tell, will be to carefully read the "Certificate, Key, and Trust Services" Programming Guide and Reference documents and try to 'roll my own' -- but any pointers will be greatly appreciated!
If sending you (Shawn, or anyone else interested) server logs would be helpful, I can definitely do so.
Regards,
-=Alan
-----Original Message-----
From: Shawn A. Geddis [mailto:email@hidden]
Sent: Monday, February 01, 2010 4:48 PM
To: Danziger, Alan D.
Cc: email@hidden Talk
Subject: Re: [Fed-Talk] Re: SSL Client Certificates on iPhone
Alan,
Have not seen any reference of you adding the Self-Signed Root CA Cert
of the presumed Server Cert to the iPhone's credential store. You can
do this multiple ways....
-Shawn
—————————————
Shawn Geddis
Security Consulting Engineer
Commercial & Government
Apple Inc.
Sent from my iPhone
On Feb 1, 2010, at 12:55 PM, "Danziger, Alan D." <email@hidden>
wrote:
> Thanks Tim,
>
> I'm using the default Hello World page at
> /Library/WebServer/Documents/index.html.en
>
> For my testing...
>
>
> On 2/1/10 3:33 PM, "Miller, Timothy J." <email@hidden> wrote:
>
>> How many objects on the page? If it's more than a simple HTML document with
>> no CSS, MobileSafari could be fetching page components in parallel and not
>> properly recalling the user cert selection. Try it with a simple 'hello
>> world' page.
>>
>> -- Tim
>>
>>> -----Original Message-----
>>> From: fed-talk-bounces+tmiller=email@hidden
>>> [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Danziger, Alan D.
>>> Sent: Monday, February 01, 2010 2:28 PM
>>> To: email@hidden Talk
>>> Subject: [Fed-Talk] SSL Client Certificates on iPhone
>>>
>>> Hi there,
>>>
>>> Has anyone configured mutual authentication with client certificates on
>>> the iPhone?
>>>
>>> I have a (known-good) user certificate, and a (known-good) server
>>> certificate.
>>>
>>> I have Apache configured to use the server certificate, and to trust the
>>> CA which signed the user certificate.
>>>
>>> When I hit the server from Firefox on OSX, it works properly - prompts
>>> me once for which certificate to use, returns my content, no problem.
>>>
>>> When I hit the server from Safari on OSX, it works properly - prompts me
>>> once for which certificate to use, [stores that as an identity
>>> preference?,] returns my content, no problem.
>>>
>>> When I hit the server from MobileSafari on iPhone (3.1.2), it does NOT
>>> work "properly". It prompts me 3 times for which certificate to use,
>>> after which it returns my content, but that's a problem.
>>>
>>> I have Apache debug logs showing this, I have openssl s_server logs
>>> showing this, and I'd be happy to talk to anyone who has suggestions for
>>> me to try.
>>>
>>> Other data points:
>>> - Apache server is running on a Mac Mini, 10.6.2
>>> - If I disable client authentication, MobileSafari can access the
>>> data without problems (thus validating the server cert).
>>>
>>> Any suggestions?
>>>
>>> Thanks,
>>> -=Alan Danziger
>>> email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
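The Apache setup the original post describes (a server certificate presented by httpd, client authentication required, and trust limited to the CA that issued the user certificate) is shown below as an added example; it is not configuration posted by anyone in this thread. The file paths, the host name and the log file name are assumptions, and the second virtual host is the "client authentication disabled" variant the post used to confirm the server certificate on its own was accepted.

```apache
# Added example, not the poster's configuration. Paths are placeholders.
Listen 443

# Mutual-TLS virtual host: server cert + required client cert.
<VirtualHost *:443>
    ServerName mutual-tls.example.test        # assumed host name

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/server.crt   # server cert
    SSLCertificateKeyFile   /etc/apache2/ssl/server.key   # its private key

    # Trust only the CA that issued the user certificates; do not point
    # this at a broad system bundle, or any cert from any CA in it would
    # be accepted as a client identity.
    SSLCACertificateFile    /etc/apache2/ssl/user-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          1     # user cert must chain directly to that CA

    # Set at virtual-host level on purpose: SSLVerifyClient inside a
    # <Directory>/<Location> block is applied by renegotiating after the
    # first request, which is one cause of a browser prompting for the
    # client certificate more than once.

    # Record what each connection authenticated as, so a log shows whether
    # the client cert was presented, verified, and by which subject.
    LogFormat "%h %t \"%r\" %>s proto=%{SSL_PROTOCOL}x \
verify=%{SSL_CLIENT_VERIFY}x dn=\"%{SSL_CLIENT_S_DN}x\"" sslclient
    CustomLog /var/log/apache2/ssl_client_log sslclient

    DocumentRoot /Library/WebServer/Documents
</VirtualHost>

# Same server identity, client authentication switched off: if this host
# works from a client and the one above does not, the server cert chain
# is fine and the problem is on the client-certificate side.
<VirtualHost *:443>
    ServerName server-auth-only.example.test  # assumed host name

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/server.key
    SSLVerifyClient         none

    DocumentRoot /Library/WebServer/Documents
</VirtualHost>
```

With the `sslclient` log format in place, a page that triggers several client-certificate prompts produces one line per request with `verify=SUCCESS` and the same `dn=` on each, which lets you tell repeated full handshakes (one line per prompt, each on a new connection) apart from a single authenticated connection fetching several objects.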