over 11 years ago

Hosted Server not prompting for certificate

Does the hosted server cache anything about a particular HTTPS request? My iPhone app is being prompted for its certificate the first time I make a particular request (say, GET for ID info), but on subsequent requests it no longer prompts for the certificate. As far as I can tell on the iPhone end, there is no caching going on, so I am wondering if there is something happening on the server's end (like associating an IP and request with a cert so it will only prompt once?).

over 11 years ago

    I also notice this same behaviour in a browser. It will prompt me for a certificate on the first request, but not until I close and re-open the browser will it ask me for one again.

over 11 years ago

    I can't say for sure, not having much experience on iOS, but I think it might indeed be caching. Does the prompting reappear each time you relaunch the app? The browser will be doing something similar, until, as you say, you re-open it.

    Associating the IP with the cert is unlikely, since IPs are nowhere near a good indicator of identity.

    Are you able to send the certificate directly in the request? This is what I do with .NET (to avoid having to deal with any callbacks regarding which certificate to use).

    If you're savvy and have access to a network monitor (Wireshark, or Fiddler if it is ported to OSX), you can watch the play-by-play between your iPhone (okay, the emulator) and the Hosted server, and verify the traffic; my guess is that on each request, the server is asking for the cert, but the iPhone is no longer bothering you with the question, since it has an answer from before.

over 11 years ago

    OK, so I did some quick monitoring of the traffic. I wasn't sure what key to use to decrypt the traffic, but there is a significant difference between the traffic when I can see my app being prompted for the certificate and when I can't. This strengthens my suspicion that there is something going on server side.

    Also note that when I delay between requests, sometimes I do receive a challenge again. I have checked all the caches/tmp directories on my iPhone and have not found anything there to support the idea that the iPhone is the problem here.

over 11 years ago

    To clarify, I only see the Client Hello and Server Hello when my app receives the authentication challenge.

over 11 years ago

    I'm having a bit of a similar problem. I'm trying to incorporate the MintChip CA Certificates posted here (http://developer.mintchipchallenge.com/downloads.php) into my app, so that it can trust the remote servers properly. However, it seems that the remote.mintchipchallenge.com certificates are not signed using any of these CA certificates. Furthermore, when I try to import these CA certs into Firefox, it says that they aren't CA certificates at all, and are in fact, server certificates, and they differ from the one that remote.mintchipchallenge.com is using.

    I really don't want to resort to trusting all SSL connections here.

over 11 years ago

    Well, for now, I just downloaded the certificate myself and added it to my certificate store. Just wondering, what are those CA certificates for then?

over 11 years ago

    Right, I have the certificates that were e-mailed to me, and I'm using those to connect to remote.mintchipchallenge.com.

    The issue is that remote.mintchipchallenge.com's server-side SSL certificate is not signed by a Trusted CA Authority. On a desktop PC web browser, this requires the user to accept a security exception. In a mobile app, we need to do the same.

    You can either ignore the exception (insecure), keep a copy of the server's public cert (works, but ceases to work if the server's cert changes or expires), or add the actual CA authority so that all current and future certs are trusted and accepted.

    I was under the impression that you were signing the certs using the CA certs you posted on the site. Clearly you're not. Guidance on this would be helpful.

over 11 years ago

    My suggestion (and since it doesn't affect me, feel free to tell me to hush), would be to follow that second choice -- keep a copy of the server's cert -- and not worry about the cert changing or expiring for the next month.

    Once MintChip becomes a public service, and your app is used by millions, it should be safe to assume that the signing authority on the certs will be sorted out, and one quick change to your code will get it safely working.

over 11 years ago

    Well, that's what I've done for now. Anyway, just managed to get everything working, but that's definitely a day's worth of effort to figure out. :-)

over 11 years ago

    Back to my original question. Do any MintChip officials know if there is a timeout for any request from a given IP address? It seems that when I perform the same request twice in a row within a period of about 10-15 seconds, there is no exchange of client certs (not being requested by the server), judging from the traffic I monitored.

over 11 years ago

    OK, so the problem is iPhone related. NSURLConnection automatically appends the "Connection":"keep-alive" header to a request. I believe the timeout period I am seeing is indeed from the server, but the problem itself is inherent to NSURLConnection, since this header cannot be overridden.
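As an added illustration (not part of the thread or of the MintChip code), here is a small Python parser over constructed TLS 1.2 records that tells apart the three situations discussed above when looking at a capture: the first request's full handshake, where the server sends a CertificateRequest; a resumed (abbreviated) handshake, where only the two Hellos appear in the clear and the server echoes the client's session ID; and a request sent on an already-open keep-alive connection, where no handshake appears at all. The byte strings are hand-built stand-ins for what Wireshark would show, and the session ID, cipher suite and message bodies are my assumptions, not anything observed from the server.

```python
"""Classify constructed TLS 1.2 captures by the handshake messages visible in the clear.

Added example, not from the thread. All byte strings are constructed by hand to mimic what a
network monitor shows in the three situations discussed above.
"""
import struct

CONTENT_CHANGE_CIPHER_SPEC = 0x14
CONTENT_HANDSHAKE = 0x16
CONTENT_APPLICATION_DATA = 0x17
TLS12 = 0x0303

# Handshake message types, RFC 5246 section 7.4.
HS_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}


def handshake_messages(capture: bytes):
    """Return [(type, body)] for every cleartext handshake message in a record stream.

    Records are walked in wire order and handshake payloads are reassembled, because one
    message may span several records. Parsing stops at the first ChangeCipherSpec, since
    everything after it (Finished, application data) is encrypted.
    """
    hs = bytearray()
    off = 0
    while off + 5 <= len(capture):
        ctype, _version, length = struct.unpack("!BHH", capture[off:off + 5])
        off += 5
        payload = capture[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record at offset %d" % (off - 5))
        off += length
        if ctype == CONTENT_CHANGE_CIPHER_SPEC:
            break
        if ctype == CONTENT_HANDSHAKE:
            hs += payload
    msgs, pos = [], 0
    while pos + 4 <= len(hs):
        htype = hs[pos]
        hlen = int.from_bytes(hs[pos + 1:pos + 4], "big")
        body = bytes(hs[pos + 4:pos + 4 + hlen])
        if len(body) != hlen:
            raise ValueError("truncated handshake message")
        msgs.append((htype, body))
        pos += 4 + hlen
    return msgs


def hello_session_id(body: bytes) -> bytes:
    """Session ID of a ClientHello/ServerHello body: version(2) + random(32) + len(1) + id."""
    return body[35:35 + body[34]]


def classify(capture: bytes) -> dict:
    """Decide whether a client certificate could have been requested on this connection."""
    msgs = handshake_messages(capture)
    types = [t for t, _ in msgs]
    names = [HS_NAMES.get(t, "type%d" % t) for t in types]
    if not msgs:
        verdict = "no handshake: existing keep-alive connection reused, or not TLS"
    elif 1 not in types or 2 not in types:
        verdict = "incomplete handshake"
    else:
        ch_sid = hello_session_id(next(b for t, b in msgs if t == 1))
        sh_sid = hello_session_id(next(b for t, b in msgs if t == 2))
        if ch_sid and ch_sid == sh_sid:
            verdict = "abbreviated handshake: session resumed, no CertificateRequest possible"
        elif 13 in types:
            verdict = "full handshake: server sent CertificateRequest"
        else:
            verdict = "full handshake: server did not request a client certificate"
    return {"messages": names, "verdict": verdict}


# --- constructed sample captures (record bytes of one TCP connection, both directions) ---

def _record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, TLS12, len(payload)) + payload


def _hs(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def _hello(session_id: bytes, tail: bytes) -> bytes:
    # version, fixed 32-byte "random" (constructed data), session id, suite/compression tail
    return b"\x03\x03" + b"\x42" * 32 + bytes([len(session_id)]) + session_id + tail


_CH_TAIL = b"\x00\x02\xc0\x2f" + b"\x01\x00"  # one offered cipher suite, null compression
_SH_TAIL = b"\xc0\x2f\x00"                     # chosen suite, null compression
_SID = b"\xaa" * 32                            # assumed session id issued by the server
_ENCRYPTED = b"\x99" * 48                      # stands in for encrypted Finished/app data

# 1. First request: full handshake; the server's flight includes a CertificateRequest.
FULL_WITH_CERT_REQUEST = (
    _record(CONTENT_HANDSHAKE, _hs(1, _hello(b"", _CH_TAIL)))
    + _record(CONTENT_HANDSHAKE, _hs(2, _hello(_SID, _SH_TAIL))
              + _hs(11, b"\x00\x00\x00")                     # empty cert list (constructed)
              + _hs(13, b"\x01\x01\x00\x02\x04\x01\x00\x00")  # rsa_sign, one sig alg, no CAs
              + _hs(14, b""))
    + _record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + _record(CONTENT_HANDSHAKE, _ENCRYPTED)
)

# 2. Second request within the server's session timeout: the client offers the old session
#    id, the server echoes it, and ChangeCipherSpec follows. No certificate can be requested.
RESUMED = (
    _record(CONTENT_HANDSHAKE, _hs(1, _hello(_SID, _CH_TAIL)))
    + _record(CONTENT_HANDSHAKE, _hs(2, _hello(_SID, _SH_TAIL)))
    + _record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + _record(CONTENT_HANDSHAKE, _ENCRYPTED)
)

# 3. Request sent on an already-open keep-alive connection: application data only.
KEEP_ALIVE_REUSE = _record(CONTENT_APPLICATION_DATA, _ENCRYPTED)

if __name__ == "__main__":
    for label, cap in [("first request", FULL_WITH_CERT_REQUEST),
                       ("resumed", RESUMED), ("keep-alive", KEEP_ALIVE_REUSE)]:
        result = classify(cap)
        print("%-14s %s" % (label, result["verdict"]))
        print("%-14s messages: %s" % ("", ", ".join(result["messages"])))
```

Running it prints a verdict for each sample; on a real capture you would feed it the concatenated record bytes of one TCP connection. The point for this thread is that only the first case can ever produce a certificate prompt: both a resumed session and a reused keep-alive connection skip the CertificateRequest, which matches the behaviour reported above (Hellos only when the challenge appears, nothing at all when requests are close together).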
