Re: [Fed-Talk] Re: SSL Client Certificates on iPhone
- Subject: Re: [Fed-Talk] Re: SSL Client Certificates on iPhone
- From: "Danziger, Alan D." <email@hidden>
- Date: Mon, 8 Feb 2010 12:01:21 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Re: SSL Client Certificates on iPhone

Following up on my own message...

I still don't understand why MobileSafari has the behavior it does
(prompting 3 times for the certificate, then working), but I have resolved
the issue within my own application, and will (at some point in the
hopefully near future) be posting an application that can be handed an SSL
client certificate, and use that certificate to download a file from a
specified URL -- it might be of interest to someone else...

The quick summary, though, is:

- It is not possible for a non-Apple iPhone app to access a client
  certificate that is loaded onto the phone via a Configuration Profile.
- Some of the URL loading capabilities provided by iPhone OS can be given
  'credentials', and others can't. Apparently, none of the synchronous
  methods can.

Regards,
-=Alan

On 2/1/10 5:50 PM, "Alan Danziger" <email@hidden> wrote:
> Shawn, thanks for responding.
>
> Sorry - I thought I'd covered that in the detail that turning off the user
> auth worked. I do have the CA on the phone.
>
> I have sent the cert and the CA in multiple ways (as an Enterprise
> Configuration profile, through Email, and through downloading from a web
> server). Doing so in an iPCU profile shows that it (the cert or ca) has the
> advantage that it is "Signed" vs. "Unsigned" when installed via email, but I
> could not tell any difference in functionality by doing so.
>
> My next step, as far as I can tell, will be to carefully read the
> "Certificate, Key, and Trust Services" Programming Guide and Reference
> documents and try to 'roll my own' -- but any pointers will be greatly
> appreciated!
>
> If sending you (Shawn, or anyone else interested) server logs would be
> helpful, I can definitely do so.
>
> Regards,
> -=Alan
>
>
>
> -----Original Message-----
> From: Shawn A. Geddis [mailto:email@hidden]
> Sent: Monday, February 01, 2010 4:48 PM
> To: Danziger, Alan D.
> Cc: email@hidden Talk
> Subject: Re: [Fed-Talk] Re: SSL Client Certificates on iPhone
>
> Alan,
>
> Have not seen any reference of you adding the Self-Signed Root CA Cert
> of the presumed Server Cert to the iPhone's credential store. You can
> do this multiple ways....
>
> -Shawn
> Shawn Geddis
> Security Consulting Engineer
> Commercial & Government
> Apple Inc.
>
> Sent from my iPhone
>
> On Feb 1, 2010, at 12:55 PM, "Danziger, Alan D." <email@hidden> wrote:
>
>> Thanks Tim,
>>
>> I'm using the default Hello World page at
>> /Library/WebServer/Documents/index.html.en
>>
>> For my testing...
>>
>>
>> On 2/1/10 3:33 PM, "Miller, Timothy J." <email@hidden> wrote:
>>
>>> How many objects on the page? If it's more than a simple HTML document
>>> with no CSS, MobileSafari could be fetching page components in parallel
>>> and not properly recalling the user cert selection. Try it with a simple
>>> 'hello world' page.
>>>
>>> -- Tim
>>>
>>>> -----Original Message-----
>>>> From: fed-talk-bounces+tmiller=email@hidden
>>>> [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of
>>>> Danziger, Alan D.
>>>> Sent: Monday, February 01, 2010 2:28 PM
>>>> To: email@hidden Talk
>>>> Subject: [Fed-Talk] SSL Client Certificates on iPhone
>>>>
>>>> Hi there,
>>>>
>>>> Has anyone configured mutual authentication with client certificates on
>>>> the iPhone?
>>>>
>>>> I have a (known-good) user certificate, and a (known-good) server
>>>> certificate.
>>>>
>>>> I have Apache configured to use the server certificate, and to trust the
>>>> CA which signed the user certificate.
>>>>
>>>> When I hit the server from Firefox on OSX, it works properly - prompts
>>>> me once for which certificate to use, returns my content, no problem.
>>>>
>>>> When I hit the server from Safari on OSX, it works properly - prompts me
>>>> once for which certificate to use, [stores that as an identity
>>>> preference?,] returns my content, no problem.
>>>>
>>>> When I hit the server from MobileSafari on iPhone (3.1.2), it does NOT
>>>> work "properly". It prompts me 3 times for which certificate to use,
>>>> after which it returns my content, but that's a problem.
>>>>
>>>>
>>>> I have Apache debug logs showing this, I have openssl s_server logs
>>>> showing this, and I'd be happy to talk to anyone who has suggestions for
>>>> me to try.
>>>>
>>>>
>>>> Other data points:
>>>> - Apache server is running on a Mac Mini, 10.6.2
>>>> - If I disable client authentication, MobileSafari can access the
>>>> data without problems (thus validating the server cert).
>>>>
>>>>
>>>> Any suggestions?
>>>>
>>>> Thanks,
>>>> -=Alan Danziger
>>>> email@hidden
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
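
Added example, not part of the original thread and not the poster's application: one way an app can present a client certificate it was handed itself (rather than one installed by a Configuration Profile), by answering the TLS client-certificate challenge from an asynchronous, delegate-based load. It uses NSURLSession, the current delegate-based loader, rather than the APIs of the iPhone OS version discussed. Assumptions: the PKCS#12 data and passphrase reach the app by its own means; `CopyIdentityFromPKCS12`, `ClientCertDelegate` and `StartDownload` are hypothetical names.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: returns the first identity (certificate + private key)
// found in PKCS#12 data supplied to the app. The caller releases the result.
static SecIdentityRef CopyIdentityFromPKCS12(NSData *p12, NSString *passphrase) {
    NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : passphrase };
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)p12,
                                      (__bridge CFDictionaryRef)options, &items);
    if (status != errSecSuccess || items == NULL || CFArrayGetCount(items) == 0) {
        if (items) CFRelease(items);
        return NULL;  // wrong passphrase, damaged file, or no identity inside
    }
    CFDictionaryRef first = (CFDictionaryRef)CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef identity =
        (SecIdentityRef)CFDictionaryGetValue(first, kSecImportItemIdentity);
    if (identity) CFRetain(identity);
    CFRelease(items);
    return identity;
}

@interface ClientCertDelegate : NSObject <NSURLSessionDelegate>
@property (nonatomic, assign) SecIdentityRef identity;  // owned by the caller
@end

@implementation ClientCertDelegate
// Called for connection-level challenges, including the client-certificate request.
- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                  NSURLCredential *))completionHandler {
    NSString *method = challenge.protectionSpace.authenticationMethod;
    if ([method isEqualToString:NSURLAuthenticationMethodClientCertificate] && self.identity) {
        NSURLCredential *cred = [NSURLCredential credentialWithIdentity:self.identity
            certificates:nil persistence:NSURLCredentialPersistenceForSession];
        completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
        return;
    }
    // Server trust and all other challenges keep the system's default evaluation.
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
}
@end

static void StartDownload(NSURL *url, ClientCertDelegate *delegate) {
    NSURLSession *session = [NSURLSession sessionWithConfiguration:
        [NSURLSessionConfiguration ephemeralSessionConfiguration]
                                      delegate:delegate delegateQueue:nil];
    [[session dataTaskWithURL:url completionHandler:^(NSData *d, NSURLResponse *r, NSError *e) {
        NSLog(@"%@", e ? e.localizedDescription : @"download finished");
    }] resume];
    [session finishTasksAndInvalidate];  // releases the delegate once the task ends
}
```

The delegate leaves server-trust evaluation to the system, so the server's CA still has to be trusted on the device, as discussed earlier in the thread.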