I am trying to create a DNS over HTTPS and DNS over TLS server that requires authentication with a client certificate and configure it in the Device Management Profile for use from the iPhone.
I have set the PayloadCertificateUUID in DNSSettings, but it appears that the client certificate is not being used.
Is there anything I should check in advance when using a p12 file with PayloadCertificateUUID?
Configuration Profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>295E68E5-39F0-46D1-94E4-4A49EC8392E2</string>
<key>PayloadIdentifier</key>
<string>com.example.dns</string>
<key>PayloadDisplayName</key>
<string>My DNS</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>4CCEE94D-7B72-46AB-87AD-5A368F937339</string>
<key>PayloadIdentifier</key>
<string>com.example.dns.names</string>
<key>PayloadDisplayName</key>
<string>My DNS</string>
<key>PayloadDescription</key>
<string>DNS Settings</string>
<key>PayloadCertificateUUID</key>
<string>07A96080-5FAE-4026-937D-F578530E1444</string>
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>TLS</string>
<key>ServerName</key>
<string><!-- my DoT server name --></string>
</dict>
<key>ProhibitDisablement</key>
<false/>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.security.pkcs1</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>260CC26A-2DD1-4B16-B8C0-AF1E655576AD</string>
<key>PayloadIdentifier</key>
<string>com.example.certs.intermediate-ca</string>
<key>PayloadDisplayName</key>
<string>Intermediate CA</string>
<key>PayloadDescription</key>
<string>Intermediate CA</string>
<key>PayloadCertificateFileName</key>
<string>ca-chain.cert.cer</string>
<key>PayloadContent</key>
<data><!-- contents of Intermediate CA certificate --></data>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>E5DB74AA-3C5F-470B-AAE0-DF072095A2EC</string>
<key>PayloadIdentifier</key>
<string>com.example.certs.root-ca</string>
<key>PayloadDisplayName</key>
<string>Root CA</string>
<key>PayloadDescription</key>
<string>Root CA</string>
<key>PayloadCertificateFileName</key>
<string>ca.cert.cer</string>
<key>PayloadContent</key>
<data><!-- contents of Root CA certificate --></data>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>07A96080-5FAE-4026-937D-F578530E1444</string>
<key>PayloadIdentifier</key>
<string>com.example.certs.client.iseebi</string>
<key>PayloadDisplayName</key>
<string>Client Certificate</string>
<key>PayloadDescription</key>
<string>Client Certificate</string>
<key>Password</key>
<string><!-- password of p12 --></string>
<key>PayloadCertificateFileName</key>
<string>Key.p12</string>
<key>PayloadContent</key>
<data><!-- contents of p12 --></data>
</dict>
</array>
</dict>
</plist>
iPhone console log
Connection 3742: enabling TLS
Connection 3742: starting, TC(0x0)
Connection 3742: asked to evaluate TLS Trust
Connection 3742: TLS Trust result 0
Connection 3742: asked for TLS Client Certificates
Connection 3742: issuing challenge for client certificates, DNs(1)
Connection 3742: asked for TLS Client Certificates
Connection 3742: received response for client certificates (-1 elements)
Connection 3742: providing TLS Client Identity (-1 elements)
Connection 3742: providing TLS Client Identity (-1 elements)
Connection 3742: connected successfully
Connection 3742: TLS handshake complete
Connection 3742: ready C(N) E(N)
Connection 3742: received viability advisory(Y)
Connection 3742: read-side closed
Connection 3742: read-side closed
Connection 3742: read-side closed
Connection 3742: cleaning up
Connection 3742: done
server log (stunnel)
LOG5[9]: Service [dns] accepted connection from <IP>
LOG6[9]: Peer certificate required
LOG7[9]: TLS state (accept): before SSL initialization
LOG7[9]: TLS state (accept): before SSL initialization
LOG7[9]: Initializing application specific data for session authenticated
LOG7[9]: SNI: no virtual services defined
LOG7[9]: OCSP stapling: Server callback called
LOG7[9]: OCSP: Validate the OCSP response
LOG6[9]: OCSP: Status: good
LOG6[9]: OCSP: This update: 2024.12.06 08:32:00
LOG6[9]: OCSP: Next update: 2024.12.13 08:31:58
LOG5[9]: OCSP: Certificate accepted
LOG7[9]: OCSP: Use the cached OCSP response
LOG7[9]: OCSP stapling: OCSP response sent back
LOG7[9]: TLS state (accept): SSLv3/TLS read client hello
LOG7[9]: TLS state (accept): SSLv3/TLS write server hello
LOG7[9]: TLS state (accept): SSLv3/TLS write change cipher spec
LOG7[9]: TLS state (accept): TLSv1.3 write encrypted extensions
LOG7[9]: TLS state (accept): SSLv3/TLS write certificate request
LOG7[9]: TLS state (accept): SSLv3/TLS write certificate
LOG7[9]: TLS state (accept): TLSv1.3 write server certificate verify
LOG7[9]: TLS state (accept): SSLv3/TLS write finished
LOG7[9]: TLS state (accept): TLSv1.3 early data
LOG7[9]: TLS state (accept): TLSv1.3 early data
LOG7[9]: TLS alert (write): fatal: unknown
LOG3[9]: SSL_accept: ssl/statem/statem_srvr.c:3510: error:0A0000C7:SSL routines::peer did not return a certificate
LOG5[9]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
LOG7[9]: Deallocating application specific data for session connect address
LOG7[9]: Local descriptor (FD=10) closed
LOG7[9]: Service [dns] finished (0 left)
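One thing worth checking before installing the profile is that the certificate reference actually resolves: the `PayloadCertificateUUID` in the DNS settings payload must equal the `PayloadUUID` of a `com.apple.security.pkcs12` payload in the same profile, and that payload must carry non-empty p12 data. The script below is an added example (not code from the post) that performs those checks on a `.mobileconfig` with only the Python standard library. The embedded sample profile is constructed for the example, modelled on the one above; its UUIDs, host name and p12 bytes are placeholders. It cannot look inside the PKCS#12 blob (that needs a crypto library), so it does not verify that the p12 holds a private key or that the certificate's issuer is one of the DNs the server advertises in its certificate request (the client log shows `DNs(1)`, i.e. exactly one acceptable issuer); those two points still need checking separately, for instance with `openssl pkcs12 -info`.

```python
"""Sanity-check the client-certificate wiring of an iOS DNS settings profile.

Added example, not code from the original post. Parses a .mobileconfig
(an XML plist) and verifies, for every DNS settings payload, that
PayloadCertificateUUID points at a PKCS#12 payload with p12 data present.
"""
import plistlib
import sys

DNS_PAYLOAD = "com.apple.dnsSettings.managed"
PKCS12_PAYLOAD = "com.apple.security.pkcs12"

# Constructed sample profile (placeholders only): the UUIDs are dummies, the
# host name is reserved, and the <data> blob decodes to the bytes b"dummy".
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.dnsSettings.managed</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadCertificateUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key><string>TLS</string>
        <key>ServerName</key><string>dot.example.invalid</string>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>Password</key><string>changeit</string>
      <key>PayloadContent</key><data>ZHVtbXk=</data>
    </dict>
  </array>
</dict>
</plist>
"""


def check_profile(profile_bytes):
    """Return a list of problems found; an empty list means the wiring looks right."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    problems = []

    # PayloadUUID values must be unique, otherwise the reference is ambiguous.
    by_uuid = {}
    for p in payloads:
        uuid = p.get("PayloadUUID")
        if uuid in by_uuid:
            problems.append("duplicate PayloadUUID %s" % uuid)
        by_uuid[uuid] = p

    dns_payloads = [p for p in payloads if p.get("PayloadType") == DNS_PAYLOAD]
    if not dns_payloads:
        problems.append("no %s payload in profile" % DNS_PAYLOAD)

    for dns in dns_payloads:
        settings = dns.get("DNSSettings", {})
        # DNS-over-TLS needs ServerName, DNS-over-HTTPS needs ServerURL.
        if settings.get("DNSProtocol") == "TLS" and not settings.get("ServerName"):
            problems.append("DNSProtocol TLS without ServerName")
        if settings.get("DNSProtocol") == "HTTPS" and not settings.get("ServerURL"):
            problems.append("DNSProtocol HTTPS without ServerURL")

        ref = dns.get("PayloadCertificateUUID")
        if not ref:
            problems.append("DNS payload %s has no PayloadCertificateUUID" % dns.get("PayloadUUID"))
            continue
        target = by_uuid.get(ref)
        if target is None:
            problems.append("PayloadCertificateUUID %s matches no payload" % ref)
            continue
        if target.get("PayloadType") != PKCS12_PAYLOAD:
            # Pointing at a CA (pkcs1/root) payload gives the device no private key.
            problems.append("PayloadCertificateUUID %s points at %s, not %s"
                            % (ref, target.get("PayloadType"), PKCS12_PAYLOAD))
            continue
        if not target.get("PayloadContent"):
            problems.append("PKCS#12 payload %s has empty PayloadContent" % ref)
    return problems


if __name__ == "__main__":
    # Usage: python check_profile.py profile.mobileconfig  (no argument: sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for line in check_profile(data) or ["profile OK"]:
        print(line)
```

Run it against the real profile before installing it; a dangling or mistyped reference shows up here immediately, whereas on the device it only surfaces as the empty client-certificate response seen in the logs above.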