URLAuthenticationChallenge.protectionSpace.distinguishedNames = nil

I am using TLS 1.2 mutual authentication with Apache www server and a self-signed CA. The authentication works fine, except iOS and macOS ignore the "Acceptable client certificate CA names" returned by the server in the CertificateRequest. In my iOS app, I see an empty distinguishedNames field on the AuthenticationChallenge, and on macOS Safari I am given a choice of all installed user certificates.

Detailed logging on Apache shows it is writing the CertificateRequest. Logging is raw so I can't see what all the encoded parameters are, but I see the right ASCII for subject, etc. Are some special certificate attributes needed? I have: X509v3 Basic Constraints: CA:TRUE

Replies

This question was wrong. distinguishedNames is only nil for the first challenge, but the second challenge contains the DER-encoded CA names as expected. I still need to investigate why Safari seemed to ignore it, but at least the list is being delivered.

This question was wrong. distinguishedNames is only nil for the first challenge

What authentication methods (from the authenticationMethod property) do these two challenges use?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The nil distinguishedNames was for the NSURLAuthenticationMethodServerTrust method, as expected. The one thing I have discovered as I get old is that I do not see things that are right before my eyes! Also, I was sort of expecting it not to be there because Safari on macOS had offered me the option to choose a client certificate with the wrong issuer. However, that may have been due to other problems.

The nil distinguishedNames was for the NSURLAuthenticationMethodServerTrust method, as expected.

Right. Your original post made it seem like you were surprised by this.

So, for those reading along at home, the distinguishedNames property is only relevant for the client identity authentication challenge, that is, where the authentication method is NSURLAuthenticationMethodClientCertificate.

Safari on macOS had offered me the option to choose a client certificate with the wrong issuer.

Hmmm, that seems like a Safari problem to me. Some thoughts on that subject:

  • If you have questions about Safari, you can start a new thread here on DevForums with the relevant tags.

  • Alternatively, a lot of Safari folks hang out on the webkit.org site.

  • Speaking of webkit.org, a lot of the guts of Safari can be found in that project. I don’t know whether that includes the code that handles distinguishedNames, but it’s worth checking.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
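To illustrate the two challenges discussed above, here is an added URLSession delegate (example code, not from the thread or from Apple) that leaves the server-trust challenge to default handling and reads distinguishedNames only on the client-certificate challenge. The keychain label and the issuer comparison via SecCertificateCopyNormalizedIssuerSequence are assumptions for this example.

```swift
import Foundation
import Security

/// Handles both TLS challenges a mutual-auth connection produces.
final class MutualTLSDelegate: NSObject, URLSessionDelegate {
    /// Keychain label of the client identity (assumed value for this example).
    let identityLabel = "example-client-identity"

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        switch space.authenticationMethod {
        case NSURLAuthenticationMethodServerTrust:
            // First challenge: distinguishedNames is nil here by design.
            // Keep the system's default server trust evaluation.
            completionHandler(.performDefaultHandling, nil)

        case NSURLAuthenticationMethodClientCertificate:
            // Second challenge: the CA names from the CertificateRequest arrive here as DER blobs.
            let acceptableIssuers = space.distinguishedNames ?? []
            guard let identity = loadIdentity(),
                  issuerIsAcceptable(of: identity, among: acceptableIssuers) else {
                // No matching identity: do not offer a certificate the server would reject.
                completionHandler(.performDefaultHandling, nil)
                return
            }
            let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
            completionHandler(.useCredential, credential)

        default:
            completionHandler(.performDefaultHandling, nil)
        }
    }

    private func loadIdentity() -> SecIdentity? {
        let query: [CFString: Any] = [kSecClass: kSecClassIdentity,
                                      kSecAttrLabel: identityLabel,
                                      kSecReturnRef: true]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
        return (item as! SecIdentity)
    }

    /// Assumption: the normalized issuer sequence equals the DER name the server sent.
    /// Normalization (case, whitespace) can make them differ; a mismatch here is a reason to decline, not a proof.
    private func issuerIsAcceptable(of identity: SecIdentity, among names: [Data]) -> Bool {
        if names.isEmpty { return true }   // server did not constrain issuers
        var cert: SecCertificate?
        guard SecIdentityCopyCertificate(identity, &cert) == errSecSuccess, let cert = cert,
              let issuer = SecCertificateCopyNormalizedIssuerSequence(cert) as Data? else { return false }
        return names.contains(issuer)
    }
}
```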