How to Handle revoked SSL certificate on iOS?

I need to identify and restrict calls to the server (web service) if the server certificate is revoked.
I am able to restrict the service call if the certificate is "invalid", but if the certificate is "revoked" the restriction is not working.

Case 1: (Working)
URL: https://www.drobnik.com/
For this URL, the certificate is "untrusted" (Firefox error code: ssl_error_bad_cert_domain). In this case, the restriction from NSURLConnection is working fine, i.e. the request is getting terminated.

For the untrusted certificate, i.e. www.drobnik.com, the NSURLConnectionDelegate method - (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)pError gets called. The error object is as below.
Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid."

Case 2: (Not Working)
URL: https://revoked.grc.com/
For this URL, the certificate is "revoked" (Firefox error code: sec_error_revoked_certificate). In this case, the restriction from NSURLConnection is not working, i.e. the request is still continuing and fetching data from the server.
For the revoked certificate, i.e. revoked.grc.com, the connection:didFailWithError: method is "not" getting called.

This technical note may be helpful as it outlines the various errors for Server Trust.
https://developer.apple.com/library/ios/technotes/tn2232/_index.html#//apple_ref/doc/uid/DTS40012884-CH1-SECTRUSTERRORS


1202 is the correct code, NSURLErrorServerCertificateUntrusted, for the invalid case, which is what you are getting. For the revoke case, technically I think the certificate is not invalid, so you may have to specifically use SecTrustEvaluate() and check for the error code kSecTrustResultOtherError on that.

See this reference below which talks about the revocation scenario.
https://developer.apple.com/library/ios/documentation/Security/Reference/SecurityFrameworkReference/SecurityFrameworkReference.pdf
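The evaluation the answer describes, as an added example that is not part of the question or answer above: an NSURLConnection delegate that attaches an explicit revocation policy to the server trust, evaluates it, and cancels the challenge on anything other than a trusted result. It assumes iOS 7 or later for SecPolicyCreateRevocation(); SecTrustEvaluate() is the call the answer names and is deprecated in later SDKs in favour of SecTrustEvaluateWithError(), which is used the same way here.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate class; only the challenge handler below matters.
@interface RevocationCheckingDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation RevocationCheckingDelegate

// Rejects the connection unless the server chain passes an evaluation that
// explicitly includes revocation checking (OCSP/CRL) and requires a definite
// "not revoked" answer. Assumes iOS 7+ for SecPolicyCreateRevocation().
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    SecTrustRef trust = space.serverTrust;

    // Keep the normal TLS hostname/chain policy and add a revocation policy
    // that fails closed: an unreachable OCSP responder or CRL is not "good enough".
    SecPolicyRef sslPolicy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(
        kSecRevocationOCSPMethod | kSecRevocationCRLMethod | kSecRevocationRequirePositiveResponse);
    NSArray *policies = @[(__bridge id)sslPolicy, (__bridge id)revocationPolicy];
    SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    CFRelease(sslPolicy);
    CFRelease(revocationPolicy);

    // Only the two "trusted" outcomes are accepted; a revoked certificate, an
    // untrusted chain and an inconclusive check all fall through to cancel.
    BOOL trusted = (status == errSecSuccess) &&
        (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);
    if (trusted) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        NSLog(@"Rejecting %@: trust result %u (status %d)", space.host, (unsigned)result, (int)status);
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

@end
```

Cancelling the challenge is what makes connection:didFailWithError: fire for the revoked host, with NSURLErrorUserCancelledAuthentication rather than -1202, so the failure path should key on the cancellation, not on that specific code.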
