[foaf-protocols] Safari on iPhone 3.0 SSL bug?

Story Henry henry.story at bblfish.net
Sat Jun 20 22:20:12 CEST 2009


On Wednesday I installed the iPhone 3.0 upgrade, and as a result was
no longer able to get the client to send our self-signed certificates
to the iPhone. I am going to try to detail my findings here before
posting a bug report to Apple, in order that we can work out as much
as possible what the problem is, in order to make the work of the
Apple engineers easier. At the end of this, I will urge as many of us
as are concerned to submit a bug report to Apple on this subject. It
is a real pity that this otherwise really well integrated platform
suffers from this bug. The iPhone demo of foaf+ssl which I
described here used to be extremely helpful in making my case:
   http://blogs.sun.com/bblfish/entry/one_click_global_sign_on


I have two certificates in my iPhone. One self-signed certificate
created using the manual procedure described at
   http://blogs.sun.com/bblfish/entry/foaf_ssl_a_first_implementation
and one generated using the http://test.foaf-ssl.net/cert/ service.

Here are some of the experiments I tried:

1. If I click on the http://foaf.me/entry.php entry point then the
iPhone does not ask me to choose any certificate and does not send one
either. As a result I get the error message page.
   I think this bug also existed on the iPhone 2.2.1 OS. Essentially
the iPhone does not respond to Apache servers that are set up to ask
for certificates optionally. The exact foaf.me setup is detailed here:
   http://foaf.me/Enabling_SSL_Client_Certificates_on_Apache.php
Being able to optionally ask for certificates is really important
because it allows the server to return error messages, or even allow
the client to authenticate using other means. If the client


2. If I try our test Cheese Lover's Club example at
   https://ophelia.g5n.co.uk:10443/cheese/
then this time the iPhone does ask me to choose among my certificates.
I can choose the certificate, but I don't get logged in. From my other
experiments, I guess that this is due to the iPhone not in fact
sending a certificate. I cannot tell for sure, as the data is
encrypted. In order to help understand why the Cheese Lover's Club
does ask me for my certificate, whereas the foaf.me entry point does
not, it would be nice to know what its Apache setup is.


3. On the http://foaf.me/ page, the login button uses the
   https://foafssl.org/srv/idp
Identity Provider. This one I control the code for, so I was able to
test it locally using Wireshark set up in such a way that it can
decrypt the SSL packets on the wire:
   http://wiki.wireshark.org/SSL

I get the following pcap file containing the conversation between the
client and the server.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iphone-tomcat.pcap
Type: application/octet-stream
Size: 11123 bytes
Desc: not available
Url : http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20090620/7816c602/attachment-0002.obj 
-------------- next part --------------



I am not sure how much of it will be encrypted. But what I do find is  
that the packet 13 with Protocol TLSv1 and Info Certificate, does not  
contain any certificates, as it should. In any case there seem to be  
no certificates anywhere sent from the client to the server.

So this must very clearly be a bug, as the iPhone asks for a  
certificate, but then does not send the selected one.

4. I also tried setting up Apache with clientAuth=need, and then the
iPhone does send back the certificates.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iphone-tomcat-require-full.pcap
Type: application/octet-stream
Size: 894929 bytes
Desc: not available
Url : http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20090620/7816c602/attachment-0003.obj 
-------------- next part --------------




Any other comments would be very welcome.

	Henry


Social Web Architect
Sun Microsystems		
Blog: http://blogs.sun.com/bblfish
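The check Henry describes in point 3 (looking at the client's Certificate handshake message in the capture and finding it carries no certificates) can be automated. The script below is an added example, not code from the post or from the foaf+ssl project. It parses the raw client-to-server TLS byte stream (for instance exported from Wireshark with "Follow TCP Stream" in raw form; the path `client_to_server.bin` is a hypothetical name) up to the ChangeCipherSpec record, locates the Certificate message, and reports whether the list is empty. In TLS 1.0 through 1.2 the client's Certificate message is sent before encryption starts, so this works on the plaintext capture without the server key. The byte strings used as samples are constructed here for illustration and are not taken from the attached pcaps.

```python
"""Diagnose whether a TLS client actually sent a certificate.

Added example. Parses a client->server TLS 1.0-1.2 record stream and
classifies the Certificate handshake message:
  - absent:  server never asked (e.g. no CertificateRequest), or stream ends early
  - empty:   client answered the request with an empty certificate list
  - present: one or more DER certificates were sent
The sample streams at the bottom are constructed, not real captures.
"""
import struct
import sys

CT_CHANGE_CIPHER_SPEC = 0x14
CT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 1
HS_CERTIFICATE = 11


def iter_records(data: bytes):
    """Yield (content_type, (major, minor), payload) for each TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, (major, minor), body
        off += 5 + length


def plaintext_handshake_bytes(stream: bytes) -> bytes:
    """Concatenate handshake record payloads sent before ChangeCipherSpec.

    Handshake messages may span record boundaries, so we join the payloads
    first and parse the message layer afterwards. Everything after
    ChangeCipherSpec is encrypted and is deliberately ignored.
    """
    buf = bytearray()
    for ctype, _ver, payload in iter_records(stream):
        if ctype == CT_CHANGE_CIPHER_SPEC:
            break
        if ctype == CT_HANDSHAKE:
            buf += payload
    return bytes(buf)


def iter_handshakes(buf: bytes):
    """Yield (handshake_type, body) for each handshake message in buf."""
    off = 0
    while off + 4 <= len(buf):
        htype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 4], "big")
        body = buf[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message at offset %d" % off)
        yield htype, body
        off += 4 + length


def parse_certificate_list(body: bytes):
    """Certificate body: 3-byte total length, then (3-byte length, DER) entries."""
    total = int.from_bytes(body[:3], "big")
    certs, off, end = [], 3, 3 + total
    while off < end:
        clen = int.from_bytes(body[off:off + 3], "big")
        certs.append(body[off + 3:off + 3 + clen])
        off += 3 + clen
    return certs


def client_certificates(stream: bytes):
    """None if no Certificate message was sent, else the list of DER blobs."""
    for htype, body in iter_handshakes(plaintext_handshake_bytes(stream)):
        if htype == HS_CERTIFICATE:
            return parse_certificate_list(body)
    return None


def diagnose(stream: bytes) -> str:
    certs = client_certificates(stream)
    if certs is None:
        return "absent: client sent no Certificate message"
    if not certs:
        return "empty: client sent a Certificate message with no certificates"
    return "present: client sent %d certificate(s)" % len(certs)


# --- helpers to build constructed sample streams (TLS 1.0 record version) ---
def build_record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload


def build_handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def build_certificate_body(certs) -> bytes:
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


# Constructed placeholder "certificate" (not a valid DER certificate).
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 10
CLIENT_HELLO = build_record(CT_HANDSHAKE, build_handshake(HS_CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32))
EMPTY_CERT_STREAM = CLIENT_HELLO + build_record(CT_HANDSHAKE, build_handshake(HS_CERTIFICATE, b"\x00\x00\x00"))
FULL_CERT_STREAM = CLIENT_HELLO + build_record(CT_HANDSHAKE, build_handshake(HS_CERTIFICATE, build_certificate_body([FAKE_DER])))
NO_CERT_STREAM = CLIENT_HELLO + build_record(CT_CHANGE_CIPHER_SPEC, b"\x01")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. client_to_server.bin (hypothetical)
    data = open(path, "rb").read() if path else EMPTY_CERT_STREAM
    print(diagnose(data))
```

An "empty" result is legal TLS behaviour for a client that has no suitable certificate when the server uses SSLVerifyClient optional; it only indicates the bug described above when the user was shown the certificate chooser and picked one. With a "require"-style server setup the handshake fails instead of falling through, which is why point 4 behaves differently.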


