Hello,
we are facing a strange problem: our own iOS VPN applications suddenly stopped working. They worked like a charm for years, and since a few days ago it seems the client (multiple iOS devices) no longer trusts some certificates. The server certificates are still valid for a few months.
Server logs from a strongSwan server indicate that the client stops the connection process at some point, yet the server thinks the client connected successfully.
Are there known new issues with "Thawte" issued certificates?
Is our interpretation that the device doesn't trust the server certificate anymore correct?
We see the following things in the neagent process of the device:
Certificate Payload:
Encoding: X.509 Certificate Signature
Data: [2007 bytes: 0x30803041310B3009060355040613025553311530...]
Encoding: X.509 Certificate Signature
Data: [1206 bytes: 0x308204B233115...]
Authentication Payload:
Method: Certificate
Data: [512 bytes: 0x8D270575508...]
Configuration Payload:
Message Type: Reply
Configuration: (
{
Address = "172.20.0.3";
Identifier = 1;
Name = AssignedIPv4Address;
Type = IPv4Address;
},
{
Address = "10.3.10.56";
Identifier = 3;
Name = AssignedIPv4DNS;
Type = IPv4Address;
}
)
Security Association Payload:
IKE SPI: 0000000000000000
(
{
ChildProtocol = ESP;
EncryptionAlgorithm = (
"AES-256"
);
IntegrityAlgorithm = (
"SHA2-256"
);
SPIValue = "-51567164";
}
)
Initiator Traffic Selector Payload:
(
{
TSEndAddress = "172.20.0.3";
TSEndPort = 65535;
TSProtocol = 0;
TSStartAddress = "172.20.0.3";
TSStartPort = 0;
TSType = IPv4;
}
)
Responder Traffic Selector Payload:
(
{
TSEndAddress = "255.255.255.255";
TSEndPort = 65535;
TSProtocol = 0;
TSStartAddress = "0.0.0.0";
TSStartPort = 0;
TSType = IPv4;
}
)
Notify (MOBIKE Supported) Payload:
No Data
Notify (Additional IPv4 Address) Payload:
Address[1]: 10.3.2.86
Address[2]: 10.3.1.96
Address[3]: 10.3.10.186
informationen 13:07:12.853611 +0100 neagent 528E28F4E2FD6F0B Received fragment:
IKEv2 Packet
Initiator SPI: 528E28F4E2FD6F0B
Responder SPI: FF71422700EE38C9
Exchange Type: IKE Auth
Response: Yes
Initiator: No
Message ID: 1
Fragment: 4/4
Encrypted Fragment Payload:
[431 bytes: 0xC3B8AAE91B10721AD12F78DBFF55B9232506849DBAD768573FE53A138C6DC1B67385C4CF1727D8472A2404A05CE1B6081B8E93EC8AE4BB3C4ECE66BC68573B07...]
debug 13:07:12.853776 +0100 neagent Matching remote hostname vpn.DOMAIN.de with remote certificate
debug 13:07:12.855344 +0100 neagent Language lookup at <private>
Localizations : [German, he, ar, el, uk, es_419, pt_PT, Spanish, da, sk, zh_CN, Japanese, ms, Italian, sv, en_AU, cs, ko, no, hu, tr, pl, fr_CA, vi, ru, English, en_GB, fi, id, th, pt, ro, Dutch, zh_HK, hr, hi, French, ca, zh_TW]
Dev language : English
User prefs : [de-DE, en-GB]
Main bundle : [<null>]
Allow mixed : 1
Result : [German]
debug 13:07:12.857085 +0100 neagent Resource lookup at <private>
Request : Certificate type: strings
Result : file:///System/Library/Frameworks/Security.framework/German.lproj/Certificate.strings
debug 13:07:12.857273 +0100 neagent Resource lookup at <private>
Request : Certificate type: stringsdict
Result : None
debug 13:07:12.858668 +0100 neagent found no value for key NSDoubleLocalizedStrings in CFPrefsSearchListSource<0x133d0d980> (Domain: com.apple.neagent, Container: (null))
debug 13:07:12.858946 +0100 neagent found no value for key NSForceRightToLeftLocalizedStrings in CFPrefsSearchListSource<0x133d0d980> (Domain: com.apple.neagent, Container: (null))
debug 13:07:12.859104 +0100 neagent found no value for key NSAccentuateLocalizedStrings in CFPrefsSearchListSource<0x133d0d980> (Domain: com.apple.neagent, Container: (null))
debug 13:07:12.859409 +0100 neagent found no value for key NSSurroundLocalizedStrings in CFPrefsSearchListSource<0x133d0d980> (Domain: com.apple.neagent, Container: (null))
debug 13:07:12.859569 +0100 neagent Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 13:07:12.860014 +0100 neagent Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 13:07:12.860240 +0100 neagent Bundle: <private>, key: Expires, value: Expires, table: Certificate, localizationName: (null), result: Läuft ab
debug 13:07:12.860352 +0100 neagent Bundle: <private>, key: This certificate is valid, value: This certificate is valid, table: Certificate, localizationName: (null), result: Dieses Zertifikat ist gültig.
debug 13:07:12.863106 +0100 neagent Certificate 0 Properties:
(
{
type = title;
value = "vpn.DOMAIN.de";
},
{
label = Expires;
"localized label" = "L\U00e4uft ab";
type = date;
value = "2020-07-26 23:59:59 +0000";
},
{
type = success;
value = "Dieses Zertifikat ist g\U00fcltig.";
}
)
debug 13:07:12.863455 +0100 neagent Bundle: <private>, key: Expires, value: Expires, table: Certificate, localizationName: (null), result: Läuft ab
debug 13:07:12.863957 +0100 neagent Bundle: <private>, key: This certificate is valid, value: This certificate is valid, table: Certificate, localizationName: (null), result: Dieses Zertifikat ist gültig.
debug 13:07:12.864191 +0100 neagent Certificate 1 Properties:
(
{
type = title;
value = "thawte SSL CA - G2";
},
{
label = Expires;
"localized label" = "L\U00e4uft ab";
type = date;
value = "2023-10-30 23:59:59 +0000";
},
{
type = success;
value = "Dieses Zertifikat ist g\U00fcltig.";
}
)
standard 13:07:12.889449 +0100 neagent Trust evaluate failure: [leaf GrayListedLeaf]
fehler 13:07:12.889546 +0100 neagent Certificate evaluation error = kSecTrustResultRecoverableTrustFailure
debug 13:07:12.889660 +0100 neagent Resource lookup at <private>
Request : SecCertificate type: strings
Result : None
debug 13:07:12.889858 +0100 neagent Resource lookup at <private>
Request : SecCertificate type: stringsdict
Result : None
debug 13:07:12.889967 +0100 neagent Hit last resort and creating empty strings table
debug 13:07:12.890258 +0100 neagent found no value for key NSShowNonLocalizedStrings in CFPrefsSearchListSource<0x133d0d980> (Domain: com.apple.neagent, Container: (null))
debug 13:07:12.890352 +0100 neagent Bundle: <private>, key: Policy requirements not met., value: Policy requirements not met., table: SecCertificate, localizationName: (null), result: Policy requirements not met.
debug 13:07:12.890439 +0100 neagent ---------------Returned error strings: ---------------
debug 13:07:12.890617 +0100 neagent type = error
debug 13:07:12.890774 +0100 neagent value = Policy requirements not met.
debug 13:07:12.891419 +0100 neagent -----------------------------------------------------
fehler 13:07:12.891740 +0100 neagent Certificate is not trusted
fehler 13:07:12.891840 +0100 neagent Certificate authentication data could not be verified
fehler 13:07:12.891992 +0100 neagent Failed to process IKE Auth packet (connect)
debug 13:07:12.892651 +0100 neagent Received PFKey Message associated with DB (type 4)
informationen 13:07:12.893685 +0100 neagent ikev2_callback: Received notification for ikeRef 33D18970 ChildRef 0
informationen 13:07:12.893797 +0100 neagent IKEv2 Plugin: received notif IKE (4096) Status (256) Disconnected (1)
informationen 13:07:12.893932 +0100 neagent ikev2_callback: set disconnected with 70027
informationen 13:07:12.894032 +0100 neagent Sending status update with status Disconnected and disconnect error UserAuthentication
debug 13:07:12.894123 +0100 neagent Deallocating ikeSA 9A8CB826-0358-4351-AF1B-2EC82612FA64
debug 13:07:12.894257 +0100 neagent ikev2_socket: Cancelling client 9A8CB826-0358-4351-AF1B-2EC82612FA64 for <ikev2_socket 0x133e132c0> 172.24.15.114:500 -> 10.3.30.86:500
debug 13:07:12.894534 +0100 neagent ikev2_socket: Removing client 9A8CB826-0358-4351-AF1B-2EC82612FA64 for <ikev2_socket 0x133e132c0> 172.24.15.114:500 -> 10.3.30.86:500
debug 13:07:12.906594 +0100 neagent deallocating <ikev2_socket 0x133e132c0> 172.24.15.114:500 -> 10.3.30.86:500
debug 13:07:12.906759 +0100 neagent ikev2_socket: Cancelling client 9A8CB826-0358-4351-AF1B-2EC82612FA64 for <ikev2_socket 0x133d1b980> 172.24.15.114:4500 -> 10.3.30.86:4500
debug 13:07:12.906927 +0100 neagent ikev2_socket: Removing client 9A8CB826-0358-4351-AF1B-2EC82612FA64 for <ikev2_socket 0x133d1b980> 172.24.15.114:4500 -> 10.3.30.86:4500
debug 13:07:12.907013 +0100 neagent deallocating <ikev2_socket 0x133d1b980> 172.24.15.114:4500 -> 10.3.30.86:4500
informationen 13:07:13.032567 +0100 neagent Calling Plugin_VPNTunnelDispose
debug 13:07:13.032762 +0100 neagent IKEv2 Plugin: Dispose Enter
informationen 13:07:13.033076 +0100 neagent IKEv2 Plugin: Dispose done
informationen 13:07:13.040089 +0100 neagent Dispose complete

In addition, logs from the trustd process:
debug 12:57:40.436237 +0100 trustd XPC [nehelper[86]/1#17 LF=0] operation: trust_evaluate (8)
debug 12:57:40.436416 +0100 trustd network access disabled by policy
debug 12:57:40.445293 +0100 trustd non ev score: 1118 <SecCertificatePathVC certs: <cert(0x101021e00) s: ios.b8218bf7-1569-4a2a-be34-6f7221c41cbc i: COMPANYNAME>, <cert(0x101001a00) s: COMPANYNAME i: COMPANYNAME> >
debug 12:57:40.445382 +0100 trustd non ev score: 121 lower than 1118 <SecCertificatePathVC certs: <cert(0x101021e00) s: ios.b8218bf7-1569-4a2a-be34-6f7221c41cbc i: COMPANYNAME> >
debug 12:57:40.445437 +0100 trustd acquire ro connection
debug 12:57:40.445520 +0100 trustd bind_blob[1]: >\M-*\^H`H>\M^B\^C%\M-l\^D\M-025<…>: (null)
debug 12:57:40.445604 +0100 trustd release <SecDbConnection ro open>
debug 12:57:40.668483 +0100 trustd acquire ro connection
debug 12:57:40.668642 +0100 trustd bind_blob[1]: <…>: (null)
debug 12:57:40.668816 +0100 trustd release <SecDbConnection ro open>
standard 12:57:40.668973 +0100 trustd cert[1]: AnchorTrusted =(leaf)[force]> 0
debug 12:57:40.669113 +0100 trustd found no value for key TrustFailureEventAnalyticsRate in CFPrefsSearchListSource<0x100e21570> (Domain: com.apple.security, Container: (null))
debug 12:57:40.669263 +0100 trustd found no value for key TrustEvaluationEventAnalyticsRate in CFPrefsSearchListSource<0x100e21570> (Domain: com.apple.security, Container: (null))
debug 12:57:40.670041 +0100 trustd completed: <SecCertificatePathVC certs: <cert(0x101021e00) s: ios.b8218bf7-1569-4a2a-be34-6f7221c41cbc i: COMPANYNAME>, <cert(0x101001a00) s: COMPANYNAME i: COMPANYNAME> > details: (
{
},
{
AnchorTrusted = 0;
}
) result: 5
debug 12:57:44.015263 +0100 trustd XPC [neagent[1241]/1#9 LF=0] operation: trust_evaluate (8)
debug 12:57:44.015649 +0100 trustd acquire ro connection
debug 12:57:44.016062 +0100 trustd bind_text[1]: "DOMAIN.de" error: (null)
debug 12:57:44.016525 +0100 trustd release <SecDbConnection ro open>
debug 12:57:44.016844 +0100 trustd Fetching rules for policy named ipsecServer
debug 12:57:44.017046 +0100 trustd acquire ro connection
debug 12:57:44.017335 +0100 trustd bind_text[1]: "ipsecServer" error: (null)
debug 12:57:44.021573 +0100 trustd release <SecDbConnection ro open>
debug 12:57:44.021755 +0100 trustd found no value for key PinningEventAnalyticsRate in CFPrefsSearchListSource<0x100e21570> (Domain: com.apple.security, Container: (null))
debug 12:57:44.021914 +0100 trustd complex trust settings anchor
debug 12:57:44.022077 +0100 trustd acquire ro connection
debug 12:57:44.022260 +0100 trustd release <SecDbConnection ro open>
standard 12:57:44.022429 +0100 trustd cert[0]: GrayListedLeaf =(leaf)[force]> 0
debug 12:57:44.022873 +0100 trustd acquire ro connection
debug 12:57:44.023733 +0100 trustd bind_blob[1]: \^]iE\M-e҆\M- D<…>: (null)
debug 12:57:44.023919 +0100 trustd release <SecDbConnection ro open>
standard 12:57:44.024092 +0100 trustd cert[0]: GrayListedLeaf =(leaf)[force]> 0
debug 12:57:44.024182 +0100 trustd acquire ro connection
debug 12:57:44.024304 +0100 trustd release <SecDbConnection ro open>
debug 12:57:44.024490 +0100 trustd acquire ro connection
debug 12:57:44.024681 +0100 trustd bind_blob[1]: \^V\M^Gֈm\M-b0<…>: (null)
debug 12:57:44.024839 +0100 trustd release <SecDbConnection ro open>
standard 12:57:44.024979 +0100 trustd cert[0]: GrayListedLeaf =(path)[force]> 0
debug 12:57:44.025697 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.025887 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.026057 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.026232 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.026406 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.026772 +0100 trustd non ev score: 11117 <SecCertificatePathVC certs: <cert(0x10103a000) s: vpn.DOMAIN.de i: thawte SSL CA - G2>, <cert(0x101017600) s: thawte SSL CA - G2 i: thawte Primary Root CA>, <cert(0x105417070) s: thawte Primary Root CA i: thawte Primary Root CA> >
debug 12:57:44.032593 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.032767 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.032925 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.033093 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.033186 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.033273 +0100 trustd non ev score: 11117 lower than 11117 <SecCertificatePathVC certs: <cert(0x10103a000) s: vpn.DOMAIN.de i: thawte SSL CA - G2>, <cert(0x101017600) s: thawte SSL CA - G2 i: thawte Primary Root CA>, <cert(0x105417070) s: thawte Primary Root CA i: thawte Primary Root CA> >
debug 12:57:44.033444 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.033604 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.033762 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.033914 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.034012 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.034189 +0100 trustd non ev score: 11117 lower than 11117 <SecCertificatePathVC certs: <cert(0x10103a000) s: vpn.DOMAIN.de i: thawte SSL CA - G2>, <cert(0x101017600) s: thawte SSL CA - G2 i: thawte Primary Root CA>, <cert(0x105417070) s: thawte Primary Root CA i: thawte Primary Root CA> >
debug 12:57:44.034392 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.034923 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.035087 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.035186 +0100 trustd non ev score: 122 lower than 11117 <SecCertificatePathVC certs: <cert(0x10103a000) s: vpn.DOMAIN.de i: thawte SSL CA - G2>, <cert(0x101017600) s: thawte SSL CA - G2 i: thawte Primary Root CA> >
debug 12:57:44.035346 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.035493 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.035639 +0100 trustd non ev score: 121 lower than 11117 <SecCertificatePathVC certs: <cert(0x10103a000) s: vpn.DOMAIN.de i: thawte SSL CA - G2> >
standard 12:57:44.035789 +0100 trustd cert[0]: GrayListedLeaf =(path)[force]> 0
standard 12:57:44.040865 +0100 trustd cert[0]: GrayListedLeaf =(path)[force]> 0
debug 12:57:44.041021 +0100 trustd found no value for key TrustFailureEventAnalyticsRate in CFPrefsSearchListSource<0x100e21570> (Domain: com.apple.security, Container: (null))
debug 12:57:44.041517 +0100 trustd found no value for key TrustEvaluationEventAnalyticsRate in CFPrefsSearchListSource<0x100e21570> (Domain: com.apple.security, Container: (null))
debug 12:57:44.045287 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.045736 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.046000 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.046310 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.185168 +0100 trustd Bundle: <private>, key: %@, %@, value: %@, %@, table: Certificate, localizationName: (null), result: %1$@, %2$@
debug 12:57:44.185516 +0100 trustd completed: <SecCertificatePathVC certs: <cert(0x10103a000) s: vpn.DOMAIN.de i: thawte SSL CA - G2>, <cert(0x101017600) s: thawte SSL CA - G2 i: thawte Primary Root CA>, <cert(0x105417070) s: thawte Primary Root CA i: thawte Primary Root CA> > details: (
{
GrayListedLeaf = 0;
},
{
},
{
}
) result: 5
debug 12:57:46.327937 +0100 trustd XPC [APPNAME[1135]/1#5 LF=0] operation: trust_evaluate (8)
debug 12:57:46.328096 +0100 trustd network access disabled by policy

Many thanks for your support.
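As an added triage aid (not code from the poster, strongSwan or Apple), the script below pulls the verdicts out of trustd and neagent log lines of the shape pasted above. It assumes only what those lines show: the `completed: <SecCertificatePathVC certs: ...> details: (...) result: N` record, the per-cert `{ CheckName = 0; }` blocks inside it, and the neagent `Trust evaluate failure: [scope Check]` line; the numeric-to-name mapping for `result:` is the SecTrustResultType enum from Apple's SecTrust.h, where 5 is kSecTrustResultRecoverableTrustFailure. Run over the sample, it separates the two evaluations that the trustd excerpt interleaves: the nehelper request on the internal COMPANYNAME chain fails AnchorTrusted on the self-signed CA, while the neagent request on the vpn.DOMAIN.de chain (anchored at thawte Primary Root CA) fails the GrayListedLeaf policy check on the leaf, even though neagent's own property dump reports the leaf's validity period as fine. The script reports which check failed on which chain position; it does not claim to know the semantics of GrayListedLeaf.

```python
"""Added example: extract trust-evaluation verdicts from iOS trustd/neagent logs."""
import re
from dataclasses import dataclass

# SecTrustResultType values from Apple's Security framework (SecTrust.h).
# trustd logs the raw number ("result: 5"); neagent logs the constant's name.
SEC_TRUST_RESULT = {
    0: "kSecTrustResultInvalid",
    1: "kSecTrustResultProceed",
    3: "kSecTrustResultDeny",
    4: "kSecTrustResultUnspecified",
    5: "kSecTrustResultRecoverableTrustFailure",
    6: "kSecTrustResultFatalTrustFailure",
    7: "kSecTrustResultOtherError",
}

# One "<cert(0x...) s: SUBJECT i: ISSUER>" element of a SecCertificatePathVC dump.
CERT_RE = re.compile(r"<cert\(0x[0-9a-fA-F]+\) s: (?P<subject>.+?) i: (?P<issuer>.+?)>")
# The multi-line "completed: ... details: ( {...}, {...} ) result: N" record.
COMPLETED_RE = re.compile(
    r"trustd completed: <SecCertificatePathVC certs: (?P<certs>.*?) > details: \("
    r"(?P<details>.*?)\) result: (?P<result>\d+)",
    re.S,
)
DETAIL_BLOCK_RE = re.compile(r"\{(.*?)\}", re.S)  # one {...} block per chain position
DETAIL_KV_RE = re.compile(r"(\w+) = (\d+);")       # "CheckName = 0;" marks a failed check
NEAGENT_FAIL_RE = re.compile(r"neagent Trust evaluate failure: \[(?P<scope>\w+) (?P<check>\w+)\]")


@dataclass
class TrustEvaluation:
    chain: list          # (subject, issuer) pairs; index 0 is the leaf
    failed_checks: dict  # chain index -> names of policy checks that reported 0
    result: str          # SecTrustResultType name

    @property
    def anchor_is_self_signed(self) -> bool:
        subject, issuer = self.chain[-1]
        return subject == issuer


def parse_trustd(text: str) -> list:
    """Return one TrustEvaluation per 'completed:' record in the log text."""
    evaluations = []
    for m in COMPLETED_RE.finditer(text):
        chain = [(c["subject"], c["issuer"]) for c in CERT_RE.finditer(m["certs"])]
        failed = {}
        for idx, block in enumerate(DETAIL_BLOCK_RE.findall(m["details"])):
            zeroed = [name for name, value in DETAIL_KV_RE.findall(block) if value == "0"]
            if zeroed:
                failed[idx] = zeroed
        code = int(m["result"])
        evaluations.append(TrustEvaluation(chain, failed, SEC_TRUST_RESULT.get(code, f"unknown({code})")))
    return evaluations


def parse_neagent(text: str) -> list:
    """Return (scope, check) pairs from neagent 'Trust evaluate failure' lines."""
    return [(m["scope"], m["check"]) for m in NEAGENT_FAIL_RE.finditer(text)]


def summarize(ev: TrustEvaluation) -> str:
    """One-line human-readable verdict for an evaluation."""
    leaf = ev.chain[0][0]
    anchor = ev.chain[-1][0] + (" (self-signed)" if ev.anchor_is_self_signed else "")
    failures = ", ".join(f"cert[{i}]: {'/'.join(c)}" for i, c in sorted(ev.failed_checks.items())) or "none"
    return f"leaf={leaf} anchor={anchor} result={ev.result} failed checks: {failures}"


# Constructed sample: the two trustd records and the neagent verdict from the post,
# trimmed, with a few unrelated lines kept to show they are ignored.
SAMPLE_LOG = """\
debug 12:57:40.436237 +0100 trustd XPC [nehelper[86]/1#17 LF=0] operation: trust_evaluate (8)
standard 12:57:40.668973 +0100 trustd cert[1]: AnchorTrusted =(leaf)[force]> 0
debug 12:57:40.670041 +0100 trustd completed: <SecCertificatePathVC certs: <cert(0x101021e00) s: ios.b8218bf7-1569-4a2a-be34-6f7221c41cbc i: COMPANYNAME>, <cert(0x101001a00) s: COMPANYNAME i: COMPANYNAME> > details: (
{
},
{
AnchorTrusted = 0;
}
) result: 5
debug 12:57:44.015263 +0100 trustd XPC [neagent[1241]/1#9 LF=0] operation: trust_evaluate (8)
standard 12:57:44.022429 +0100 trustd cert[0]: GrayListedLeaf =(leaf)[force]> 0
debug 12:57:44.185516 +0100 trustd completed: <SecCertificatePathVC certs: <cert(0x10103a000) s: vpn.DOMAIN.de i: thawte SSL CA - G2>, <cert(0x101017600) s: thawte SSL CA - G2 i: thawte Primary Root CA>, <cert(0x105417070) s: thawte Primary Root CA i: thawte Primary Root CA> > details: (
{
GrayListedLeaf = 0;
},
{
},
{
}
) result: 5
standard 13:07:12.889449 +0100 neagent Trust evaluate failure: [leaf GrayListedLeaf]
fehler 13:07:12.889546 +0100 neagent Certificate evaluation error = kSecTrustResultRecoverableTrustFailure
"""

if __name__ == "__main__":
    for ev in parse_trustd(SAMPLE_LOG):
        print(summarize(ev))
    print("neagent:", parse_neagent(SAMPLE_LOG))
```

Feed it the full `log collect` export instead of the sample to see every trust evaluation the device ran around the connection attempt; the one whose requester is neagent is the one that decides the IKE Auth outcome.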