This may come in handy when testing an iOS-to-remote-server connection over SSL.
An SSL connection from an iOS device to a remote server will fail if the remote server's certificate algorithm is DSA. I found this during testing and I don't know if Apple has this documented.
My remote server was a Java server and used JKS as the keystore format. The Java keytool by default creates DSA type certificates.
To test that having an RSA certificate would get me past the issue, I created a new self-signed certificate with the JDK keytool using the RSA key type. Then I converted the certificate to PEM format and ran an openssl server with the PEM certificate. I then connected to the openssl server from the Safari browser on the iOS device and the connection was successful.
You may ask why I didn't create the certificate directly with openssl in PEM format. Well, I used keytool to show a colleague how to convert JKS to PEM.
- Create a self signed certificate
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
- Export JKS to PKCS12
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12
- Convert PKCS12 to PEM
openssl pkcs12 -in keystore.p12 -out keystore.pem
- Launch a test server with openssl command
openssl s_server -cert keystore.pem -www
- Connect to the server from a browser on iOS or from a remote device
openssl s_client -connect host:4433
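
To find which keystore entries would hit the DSA problem described above, this added example (not part of the original post) parses the text output of `keytool -list -v`. The sample listing is constructed, and the field labels it relies on (`Alias name:`, `Certificate[n]:`, `Signature algorithm name:`, `Subject Public Key Algorithm:`) are assumed to match your JDK's output; the signature-algorithm fallback is only reliable for self-signed certificates like the one created here.

```python
import re

# Constructed sample of `keytool -list -v -keystore keystore.jks` output,
# trimmed to the fields used here; aliases and owners are made up.
SAMPLE_LISTING = """\
Alias name: selfsigned
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=test.example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=legacy.example
Signature algorithm name: SHA1withDSA
"""

def key_algorithms(listing):
    """Map each alias to the key algorithm of its leaf certificate."""
    result, alias, leaf = {}, None, True
    for line in (raw.strip() for raw in listing.splitlines()):
        if line.startswith("Alias name:"):
            alias, leaf = line.split(":", 1)[1].strip(), True
            result[alias] = None
        elif re.fullmatch(r"Certificate\[\d+\]:", line):
            leaf = line == "Certificate[1]:"   # ignore issuer certs in a chain
        elif alias is None or not leaf:
            continue
        elif line.startswith("Subject Public Key Algorithm:"):
            # Printed by newer JDKs, e.g. "2048-bit RSA key"; authoritative.
            m = re.search(r"\d+-bit (\w+)", line)
            if m:
                result[alias] = m.group(1).upper()
        elif line.startswith("Signature algorithm name:") and result[alias] is None:
            # Fallback: in a self-signed cert the signing key is the subject key.
            m = re.search(r"with(\w+)", line)
            if m:
                result[alias] = m.group(1).upper()
    return result

def dsa_aliases(listing):
    """Aliases whose certificate would need regenerating with -keyalg RSA."""
    return sorted(a for a, alg in key_algorithms(listing).items() if alg == "DSA")

if __name__ == "__main__":
    for name, alg in key_algorithms(SAMPLE_LISTING).items():
        print(f"{name}: {alg}" + ("  <- DSA, regenerate with -keyalg RSA" if alg == "DSA" else ""))
```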