iOS 13.1 'Cannot verify server identity'

Solved this today. Took me several hours on a Sunday evening. Like I had nothing better to do, thank you Apple for that. I wish you would let people connect to their LAN however they want but no, SSL it must be (with all professional-level requirements that is).

My issue: because of new TLS certificate requirements in IOS 13 (https://support.apple.com/en-us/HT210176), my old self-signed certificate was no longer compliant (more than 825 days, no EKU, no SAN).

So, no way around this but to hit the command prompt with openssl.

Turns out you need quite some research to make sure you can enter the EKU and SAN properly.

Here the procedure for those in the #selfhosted community which may be pulling their hairs at the moment:

• Create an openssl config file - See in "Additional text" the contents of mine (do change values where applicable)

• Generate a new certificate:

sudo openssl req -config server-selfsigned-CA.cnf -new -x509 -out server-selfsigned-CA.crt

• Check the certificate results via

openssl x509 -in server-selfsigned-CA.crt -text -noout

• Import the new self-signed certificate into IOS via (e.g.) download on self-hosted page
  • copy the server-selfsigned-CA.crt file into your http server and rename the extention as .cer
  • create an html file in your web server pointing to the server-selfsigned-CA.cer file
  • point your iOS devices to your server (using http, not https) and newly created html file, then download the CER file and click on Install
  • then go to iOS settings / general / profiles and install the newly downloaded profile
  • then go to settings / general / about / scroll down to "certificate trust settings" and enable your newly certificate

• replace the new certificates in your apache config file

use the crt file for SSLCertificateFile

use the .key file for SSLCertificateKeyFile

(think about creating a "dhparam" file and making it available on the same file, e.g. SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem")

• restart apache
• test your connection

Problem solved. I was using a version of OWASP ZAP proxy that was not the latest. It was not properly handling the SSL communication between my iOS 13.x devices and my self-signed root CA which was created with openssl per Apple's requirements listed in https://support.apple.com/en-us/HT210176. I upgraded ZAP to the 10/21/2019 release and that fixed all issues.

iOS 13 is more strict about certificates then both Windows 10 and earlier versions of iOS. Certs that work on Win10 and the earlier iOS versions won't necessarily work on iOS 13. See the link posted earlier in this thread: https://support.apple.com/en-us/HT210176

Ran into a similar problem. iOS 13 seems to be enforcing that certificates be valid and trusted, whereas previous versions didn't. I had to change the self-signed certificate on my IMAP server (which had worked for years on all iOS versions) over to a valid certificate from a real CA. Chances are there's something wrong with your cert, and older versions just didn't care.

I never had my self-signed CA cert imported into the phone before (as is done in the support article you linked). It simply wasn't necessary in the past. Either iOS auto-OK'ed certs from mail servers when you added an account, or there was a prompt to permanently OK a cert - I don't actually remember which. So it could be that your imported CA cert was never doing anything all this time anyway, and instead, it worked for other reasons.

Now I'm using a letsencrypt.org cert that requires renewal every 90 days, but the renewal is fully automated via certbot. Works fine.

Hi,

Been really getting crazy on this one for a week now.

Really, I have better things to do than troubleshooting because you can not let people use their local servers in peace, seriously?

First there was the thing about mandating SSL, then this stupid certificate issue.

All my other machines are connecting fine but both iPhone and iOS stopped working after update to iOS 13 and started giving this certificate issue. I wonder if IPv6 has anything to do but target server has no ipv6 enabled. I am using a self signed certificate but it is loaded and trusted.

Can you please Apple deliver a solution for this now?!

thanks

I followed the instructions and was able to get all my http/https traffic to traverse out my proxy using the root CA created per the instructions. HOWEVER, there is one major exception. iOS devices (tablets and iphones) running 13.x will not work. However, iOS devices running 10.3.3 will work. Not sure about any versions between 10.3.3 and 13.x. All my Windows 10 boxes were also able to use the root CA without issue - so there remains a detail left out in order to work with iOS 13.x.

I understand there are new additional restrictions, but I don’t see anything preventing the use of a self-signed CA – yet even when I create a self-signed CA with the additional requirements, https traffic still fails.  It makes me wonder if Apple made additional changes, that are not so public.

I continually get the message "Cannot Verify Server Identity" when sending email and texts. Please help!! Why is this happening all of a sudden all my setting are the same from previous version of iOS.

I am continually getting the following messages: Cannot Verify Server Identity The identity of "smtp-server.cinci.rr.com" cannot be verified

Cannot connect to the outgoing mail server for "smtp-server.cinci.rr.com"

They come up every time I try to do anything on my iphone 8 plus, for the past several days. Now what?

Most likely whoever runs the email server will have to fix the problem, but it's also possible there's a different hostname other than "smtp-server.cinci.rr.com" you're supposed to be using to connect to the server. When I connect to the SMTP port at that address, it returns an SSL certificate that doesn't match up with the hostname.