{"id":34,"date":"2020-02-17T17:57:33","date_gmt":"2020-02-17T17:57:33","guid":{"rendered":"https:\/\/ted.mielczarek.org\/blog\/?p=34"},"modified":"2020-02-17T17:57:33","modified_gmt":"2020-02-17T17:57:33","slug":"tls-certificates-on-macos-10-15-catalina-and-ios-13","status":"publish","type":"post","link":"https:\/\/ted.mielczarek.org\/blog\/2020\/02\/17\/tls-certificates-on-macos-10-15-catalina-and-ios-13\/","title":{"rendered":"TLS Certificates on macOS 10.15 Catalina and iOS 13"},"content":{"rendered":"\n

My first week at my current job I ran into a puzzling issue. We have a script that sets up a local development environment and as part of standing up local instances of all of our services it creates self-signed TLS<\/abbr> certificates so you can connect to your local instances via TLS just like you would in production. We use hostnames under the .test<\/code> TLD<\/abbr> which is explicitly reserved<\/a> by the IETF<\/abbr> for testing use. These certificates all worked fine when accessing the services via Chrome but when I attempted to use some code that used Apple’s native Security.framework<\/code> for certificate verification it failed. Sure enough accessing the services in Safari failed the same way. <\/p>\n\n\n\n

\"[broken<\/figure>\n\n\n\n

Some brief research quickly turned up this Apple support page<\/a> describing some new requirements for TLS server certificates in macOS 10.15 and iOS 13. It calls out a minimum RSA key size (2048 bits), hash algorithm requirements (SHA-1 is deprecated), and making the Subject Alternative Name extension a requirement (the CommonName<\/code> field is no longer trusted). It also has two additional<\/em> requirements for certificates issued after July 1, 2019: the ExtendedKeyUsage<\/code> extension must be present and contain the id-kp-serverAuth<\/code> OID, and also the validity period of the certificate must be 825 days or fewer. The script we were using to create certificates called openssl<\/code> and looked like:<\/p>\n\n\n\n

openssl req \\\n  -new \\\n  -newkey rsa:2048 \\\n  -sha512 \\\n  -days 3650 \\\n  -nodes \\\n  -x509 \\\n  -keyout service.ssl.key \\\n  -out service.ssl.crt \\\n  -config service.test.ssl.cnf<\/code><\/pre>\n\n\n\n
The .cnf file is a template that looked like:<\/p>\n\n\n\n
  [req]\n  distinguished_name = req_distinguished_name\n  x509_extensions = v3_req\n  prompt = no\n  [req_distinguished_name]\n  CN = *.service.test\n  [v3_req]\n  keyUsage = keyEncipherment, dataEncipherment, cRLSign, keyCertSign\n  extendedKeyUsage = serverAuth\n  subjectAltName = @alt_names\n  subjectKeyIdentifier = hash\n  authorityKeyIdentifier = keyid:always,issuer:always\n  basicConstraints = CA:true\n  [alt_names]\n  DNS.1 = *.service.test\n  DNS.2 = service.test<\/code><\/pre>\n\n\n\n
Right away I knew that that -days 3650<\/code> option was a problem. Since I had run this script after July 1, 2019 macOS was not going to accept a 10 year validity period for these certificates! Aside from that it looked like we had our ducks in a row which was promising. I tried lowering that value and regenerating the certificates but Safari still wouldn’t accept them! (Incidentally if you know how to get Safari to provide more details on why it does not trust a TLS certificate please let me know! It’s a pretty infuriating process.)<\/p>\n\n\n\n
Our environment setup scripts did attempt to ensure that the certificates were trusted—they ran the command security verify-cert -L -c service.ssl.crt<\/code> to ask Security.framework<\/code> whether the certificate was trusted. Indeed, running this command manually showed that it printed \u2026certificate verification successful.<\/code> One of my colleagues suggested that we should perhaps switch to using mkcert<\/a> which aimed to encapsulate all this complexity. I installed it and gave it a go, generating a server certificate with the same set of DNS names. mkcert<\/code> creates a separate CA certificate and then uses that to sign the server certificates it generates (which is generally more sensible than the all-in-one approach we had been using). When I tried accessing my local service in Safari it still gave me the same error!<\/p>\n\n\n\n
I was beginning to think that I would never get things working until I stumbled upon this closed issue<\/a> on the mkcert GitHub repository. It turns out that in addition to the other requirements macOS will also refuse to honor a wildcard hostname match for certs with a .test<\/code> TLD. I hadn’t considered this at all but the certificate was being generated with subject alt names for *.service.test<\/code> and service.test<\/code> but I was accessing it at www.service.test<\/code>. I tried generating the certificate again but this time added www.service.test<\/code> as a subject alt name alongside the other two. Sure enough, now it worked! The change to mkcert turns out to be unnecessary, explicitly adding the subdomains we use to the certificates is enough to make them work. I am working on changing things to use mkcert anyway to hopefully wrap some of the complexity here in the future.<\/p>\n\n\n\n
Addendum<\/h2>\n\n\n\n
After the fact I realized one key mistake—we were not in fact using security verify-cert<\/code> properly! Looking at the security<\/code> man page showed me that instead of a path to a certificate file you can provide it an https URL and it will fetch the certificate by starting a TLS connection and attempt to validate it. Running the command that way against a wildcard certificate does indeed fail validation:<\/p>\n\n\n\n
$ security verify-cert -L https:\/\/www.service.test:4443\nCert Verify Result: Host name mismatch<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
My first week at my current job I ran into a puzzling issue. We have a script that sets up a local development environment and as part of standing up local instances of all of our services it creates self-signed TLS certificates so you can connect to your local instances via TLS just like you […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[7,5,6],"class_list":["post-34","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-macos","tag-ssl","tag-tls"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/posts\/34","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/comments?post=34"}],"version-history":[{"count":1,"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/posts\/34\/revisions"}],"predecessor-version":[{"id":36,"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/posts\/34\/revisions\/36"}],"wp:attachment":[{"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/media?parent=34"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/categories?post=34"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ted.mielczarek.org\/blog\/wp-json\/wp\/v2\/tags?post=34"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}