NWNetwork bad certificate format

Hi,


I'm trying to establish a TCP connection via NWNetwork:

NWConnection(host: "push.myservices.de", port: 13219, using: .tls)


But all I get is the message:

Connection failed -9808: Optional(bad certificate format)


The certificate is available on the server as a bundle.crt file.

TLSv1.1 and TLSv1.2 are supported and the ssl_ciphers looks like this:

'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';


Any idea what is wrong? Without TLS the connection (over another port) works fine.

I tried to connect to this server to see what its certificate looks like, but my connection gets rejected (error 61 is ECONNREFUSED).
$ TLSTool s_client -connect push.myservices.de:13219
* error NSPOSIXErrorDomain / 61
* bytes sent 0, bytes received 0

Should I be able to connect to this from the public Internet?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I changed server URL, since this service isn't for the public. But the server is reachable.

I'll send an email to you with the real URL.

Accepted Answer

I'll send an email to you with the real URL.

Thanks.

I’m not sure if this is the only problem but one specific problem is that the subject in the certificate doesn’t match the DNS name you’re trying to connect to. Specifically, the leaf certificate has a common name of *.xxx.de and a Subject Alternative Name extension containing *.xxx.de and xxx.de. In contrast, you’re trying to connect to yyy.xxx-services.de.

Now, when I use TLSTool to connect to your server:

$ TLSTool s_client -connect yyy.xxx-services.de:13219
*  input stream did open
* output stream did open
2018-10-08 09:45:11.874 TLSTool[2616:308918] CFNetwork SSLHandshake failed (-9807)
* error NSOSStatusErrorDomain / -9807
* bytes sent 0, bytes received 0

it fails with -9807 (errSSLXCertChainInvalid), which is more along the lines of what I’d expect. It’s possible that there are other issues in play here, or perhaps Network framework is just returning a different error in this case. Either way, you need to sort out your names first.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
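To make the name-mismatch point above concrete, here is an added example (not code from the thread, from Apple, or from the Network framework) that applies the usual TLS client rule for matching a hostname against the DNS names in a certificate: wildcard only as the entire leftmost label, matching exactly one label, and SAN entries taking precedence over the CN. The name lists are constructed to mirror the ones quoted in the answer (*.xxx.de, xxx.de) and are not the real certificate; the function names are mine.

```python
"""Hostname-vs-certificate name matching as a TLS client performs it.

Shows why a leaf certificate whose names are '*.xxx.de' and 'xxx.de'
does not cover 'yyy.xxx-services.de'. The SAN/CN values below are
constructed for illustration, not taken from a real certificate.
"""
from typing import Iterable, List, Optional, Tuple


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # A wildcard label matches exactly one non-empty DNS label and nothing
    # else (RFC 6125 section 6.4.3 style: '*' must be the whole leftmost label).
    if pattern_label == "*":
        return bool(host_label)
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Reject a '*' anywhere except as the entire leftmost label ('*xxx.de', 'a.*.de').
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    if "*" in p_labels[0] and p_labels[0] != "*":
        return False

    # Common client policy (not strictly RFC 6125): refuse wildcards that sit
    # directly under a top-level label such as '*.de'.
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False

    # A wildcard never spans multiple labels, so '*.xxx.de' cannot cover
    # 'a.b.xxx.de', and it never covers the bare 'xxx.de' either.
    if len(p_labels) != len(h_labels):
        return False

    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_covers_host(
    san_dns_names: Iterable[str], common_name: Optional[str], hostname: str
) -> Tuple[bool, str]:
    """Apply the precedence rule clients use: if the certificate carries DNS
    names in its Subject Alternative Name extension, only those are consulted;
    the subject common name is a fallback for certificates without DNS SANs."""
    san: List[str] = list(san_dns_names)
    candidates = san if san else ([common_name] if common_name else [])
    source = "SAN" if san else "CN"
    for name in candidates:
        if name_matches(name, hostname):
            return True, "matched %s entry %r" % (source, name)
    return False, "no %s entry covers %r (checked %r)" % (source, hostname, candidates)


if __name__ == "__main__":
    # Constructed to mirror the names quoted in the thread.
    san_names = ["*.xxx.de", "xxx.de"]
    cn = "*.xxx.de"
    for host in ("yyy.xxx-services.de", "yyy.xxx.de", "xxx.de", "a.b.xxx.de"):
        ok, why = certificate_covers_host(san_names, cn, host)
        print("%-22s %s  %s" % (host, "OK " if ok else "FAIL", why))
```

Running the script prints a line per hostname; the first, yyy.xxx-services.de, fails because neither *.xxx.de nor xxx.de can match it label by label, which is exactly the mismatch the answer describes. The a.b.xxx.de case is included to show that a wildcard does not reach across more than one label, so fixing the server requires a certificate that actually names the host being connected to.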

Thanks for the details, I'll inform the server developers about the issue. Let's see if they can find something. Last time I asked they quoted 'Everything is fine'.

Finally the server developers found the issue with the help of your information, thanks a lot.
