Created October 13, 2012 20:09
MonoTouch's certificate trust decision is delegated to iOS itself. However it
might not match Safari 100% of the time since it seems that Safari does a bit
of processing when some things are missing.

The 0x5 code being returned maps to kSecTrustResultRecoverableTrustFailure.
This means the trust could not be confirmed but that it _could_ be fixed (i.e.
it's not refused, but not complete enough to be accepted either).

This can happen for several reasons. In this case it seems* related to a
missing intermediate CA certificate. The https server is not configured to
return the whole certificate chain (it only returns its own certificate**) so
insufficient data is available for iOS to return a success code (hence the 0x5).

The easiest/fastest fix would be to update the server configuration as it
would:
- likely fix this issue (and confirm my suspicion);
- make the network access faster (by not having to issue another HTTP request
to get the intermediate certificate); and
- ensure that the trust can be confirmed even if the 3rd party server (where we
could download the certificate) is unavailable.

* sadly iOS does not support some API that would describe the issue, I'll try
to confirm this from OSX (which, hopefully, should behave identically).

** this is ok RFC-wise but it's not the default for most servers (mostly for
the above reasons)
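
One way to check a server for the leaf-only configuration described above, as an added example that is not part of the original message: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` and reports an issuer the server did not send. The sample output, all certificate names and the `TRUSTED_ROOTS` set are constructed for illustration, and the check compares names only, without verifying signatures.

```python
import re

# Constructed samples of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; every name below is made up.
LEAF_ONLY = """\
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
---
"""
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
"""
# Assumption: subject names of the roots already in the client's trust store.
TRUSTED_ROOTS = {"/C=US/O=Example CA/CN=Example Root CA"}

SUBJECT = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")

def presented_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        if m := SUBJECT.match(line):
            subject = m.group(1).strip()
        elif (m := ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def chain_problems(chain, trusted_roots):
    """Compare names only (no signature checks) and list what is missing."""
    if not chain:
        return ["no certificates presented"]
    problems = []
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"certificate for {issuer} does not follow the one it issued")
    last_subject, last_issuer = chain[-1]
    if last_subject != last_issuer and last_issuer not in trusted_roots:
        problems.append(f"issuer not presented and not a trust anchor: {last_issuer}")
    return problems

if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("with intermediate", WITH_INTERMEDIATE)):
        print(name, "->", chain_problems(presented_chain(text), TRUSTED_ROOTS) or "complete")
```
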