iOS 18.4 introduced some requirements on the Key Usage of 802.1x server certificates, as described here. https://support.apple.com/en-us/121158
When using TLS_ECDHE_RSA or TLS_DHE_RSA cipher suites, 802.1X server certificates containing a Key Usage extension must have Digital Signature key usage set.
When using the TLS_RSA cipher suite, 802.1X server certificates containing a Key Usage extension must have Key Encipherment key usage set.
It reads like the change is supposed to affect 802.1x only. However, we have found out that the new restrictions are actually imposed on all TLS connections using the Network framework, including in Safari.
Unlike other certificate errors which can be either ignored by users (as in Safari) or by code (via sec_protocol_options_set_verify_block), these new ones can't. Even if passing completion(true) in the TLS verification block, the connection still ends up in waiting state with error -9830: illegal parameter.
I understand that these requirements are valid ones but as a generic TLS library I also expect that Network framework could at least allow overriding the behavior. The current treatment is not consistent with those on other certificate errors.
Since I can't upload certificates, here is how to reproduce a certificate that fails.
- Create a OpenSSL config file
test.cnf
[ req ]
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = example.com
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
- Generate certificate and private key
openssl req -x509 -new -nodes -keyout key.pem -out cert.pem -days 365 -config test.cnf
And here is the client code to test.
// Target server and port
let host = NWEndpoint.Host("example.com")
let port = NWEndpoint.Port("443")!
// Configure insecure TLS options
let tlsOptions = NWProtocolTLS.Options()
sec_protocol_options_set_verify_block(tlsOptions.securityProtocolOptions, { _, _, completion in
// Always trust
completion(true)
}, DispatchQueue.global())
let params = NWParameters(tls: tlsOptions)
let connection = NWConnection(host: .init(host), port: .init(rawValue: port)!, using: params)
connection.stateUpdateHandler = { newState in
switch newState {
case .ready:
print("TLS connection established")
case .failed(let error):
print("Connection failed: \(error)")
case .cancelled:
print("Connection canceled")
case .preparing:
print("Connection preparing")
case .waiting(let error):
print("Connection waiting: \(error)")
case .setup:
print("Connection setup")
default:
break
}
}
connection.start(queue: .global())
Output
Connection preparing
Connection waiting: -9830: illegal parameter
Previously reported as FB17099740
iOS 18.4 introduced some requirements on the Key Usage of 802.1x server certificates, as described here.
Cool. Time to update my Networking Resources post (-:
It reads like the change is supposed to affect 802.1x only. However, we have found out that the new restrictions are actually imposed on all TLS connections using the Network framework, including in Safari.
Interesting. I’m not sure if that’s expected or not but, if it’s causing grief, then this:
Previously reported as FB17099740
is definitely the best path forward.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"