couchbase-lite-ios: Peer sync between High Sierra and iOS 11 CBLWarnUntrustedCert error

Using peer-to-peer sync, in High Sierra I’m getting the following errors:

10:02:32.818‖ DEALLOC CBLRemoteLogin[https://iPhone-8.local.:49219/db-edca70d0d6524c0fbc527270114445a6]
10:02:32.923‖ WARNING: CouchbaseLite: SSL server <iphone-8.local.> not trusted; cert chain follows: {at CBLWarnUntrustedCert:294}
10:02:32.923‖ WARNING:     Anonymous: error = CSSMERR_TP_NOT_TRUSTED {at CBLWarnUntrustedCert:306}
2017-09-27 10:02:32.925849-0600 Tap Forms 5[36217:2160053] Task <104BF60E-1A26-4EF2-BCCE-BB3910270EDA>.<1> HTTP load failed (error code: -999 [1:89])
2017-09-27 10:02:32.925875-0600 Tap Forms 5[36217:2160054] Task <104BF60E-1A26-4EF2-BCCE-BB3910270EDA>.<1> finished with error - code: -999
10:02:32.926‖ CBLRemoteJSONRequest[GET https://iPhone-8.local.:49219/db-edca70d0d6524c0fbc527270114445a6/_local/037a993f64ee86ee9146564094af06f08fd83d21]: Got error NSURLError[-999, "cancelled", <https://iphone-8.local.:49219/db-edca70d0d6524c0fbc527270114445a6/_local/037a993f64ee86ee9146564094af06f08fd83d21>]
10:02:32.926‖ Replication: CBLRestPuller[https://iPhone-8.local.:49219/db-edca70d0d6524c0fbc527270114445a6] took 0.108 sec; error=(null)

I do set up an anonymous SSL certificate when I create my CBLListener object:

BOOL success = [self.syncListener setAnonymousSSLIdentityWithLabel:@"peer-sync" error:&error];

Is there anything more I have to do than this to get encrypted syncing between peers?

It worked fine in macOS Sierra and iOS 10.

But what’s interesting is it works fine if I make a change on the Mac. That is, the iOS 11 device is able to successfully pull from the Mac. But if I make a change on the iOS 11 device, the Mac running High Sierra complains about the untrusted certificate.

Is there a way I can get the Mac to trust the certificate from the iOS device?


  • Version: 1.4.1
  • Client OS: macOS High Sierra and iOS 11
  • Server: n/a

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 23 (21 by maintainers)

Most upvoted comments

@rahimrahman I had to make a small change to the acceptProblems method on CBLAuthorizer.m.

After this line:

// Accept a self-signed cert from a local host (".local" domain)
accept = (i == 0 && SecTrustGetCertificateCount(trust) == 1 && localDomain);

I added:

if (accept && localDomain) {
	return YES;
}

I had to do this again just today because I updated to the latest 1.4.2 codebase and I experienced the same problem again.

So looking at the code in acceptProblems (in CBLAuthorizer.m), I see this line:

accept = (i == 0 && SecTrustGetCertificateCount(trust) == 1 && localDomain);

That seems fine, and in this case the call to SecTrustGetCertificateCount(trust) does return 1, the domain is .local., and i == 0, so that returns YES.

But I think the second time it goes through the loop it resets accept = NO, and then, because the MissingIntermediate doesn’t get handled, the value of accept is NO at that point. So that’s why it’s failing.

What is the correct way to handle this problem?

As a test I just forced accept = YES and that worked. But it was just a test to see if I was on the right track.
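A constructed C model of the loop behaviour this comment describes, added here as an illustration (it is not code from CBLAuthorizer.m; the problem kinds, the loop shape and the function names are assumptions). It shows why a per-iteration `accept` lets the last problem overwrite the first verdict, what the early `return YES` changes, and an accumulating variant for comparison:

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed problem kinds; the real trust-evaluation properties differ. */
typedef enum { PROBLEM_SELF_SIGNED, PROBLEM_MISSING_INTERMEDIATE } problem_t;

/* Is one reported problem acceptable on its own? Only the rule quoted on
 * the page is modelled: a single self-signed cert from a ".local" host.
 * PROBLEM_MISSING_INTERMEDIATE is deliberately left unhandled. */
static bool problem_ok(problem_t p, size_t i, long cert_count, bool local_domain)
{
    if (p == PROBLEM_SELF_SIGNED)
        return i == 0 && cert_count == 1 && local_domain;
    return false;
}

/* Loop as the comment describes it: accept is recomputed on every pass,
 * so the verdict for the last problem overwrites the earlier ones. */
bool accept_last_wins(const problem_t *problems, size_t n, long cert_count, bool local_domain)
{
    bool accept = false;
    for (size_t i = 0; i < n; i++)
        accept = problem_ok(problems[i], i, cert_count, local_domain);
    return accept;
}

/* The commenter's patch: return YES as soon as the ".local" rule matches,
 * so any problem later in the list is never examined. */
bool accept_early_return(const problem_t *problems, size_t n, long cert_count, bool local_domain)
{
    bool accept = false;
    for (size_t i = 0; i < n; i++) {
        accept = problem_ok(problems[i], i, cert_count, local_domain);
        if (accept && local_domain)
            return true;
    }
    return accept;
}

/* Accumulating variant (an assumption, not on the page): every reported
 * problem must be acceptable, so an unhandled one rejects the chain until
 * an explicit rule for it is written. */
bool accept_all_problems(const problem_t *problems, size_t n, long cert_count, bool local_domain)
{
    for (size_t i = 0; i < n; i++)
        if (!problem_ok(problems[i], i, cert_count, local_domain))
            return false;
    return n > 0;
}
```

With a single self-signed problem all three variants accept; once MissingIntermediate follows it, the last-wins loop rejects, the early return accepts without looking at it, and the accumulating variant rejects until that problem gets its own rule.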