iOS13
TLS certificates
connection error
iOS troubleshooting
security issues

iOS 13 TLS certificates issue - connection error

Introduction

With the release of iOS 13 (and macOS 10.15 Catalina) Apple tightened the rules that a TLS server certificate must satisfy before the system trusts it; the rules are published in Apple's support article "Requirements for trusted certificates in iOS 13 and macOS 10.15". Because the checks are enforced by the system's TLS stack, every app that uses URLSession, WKWebView or Safari against a non-compliant server started failing with connection errors, which surprised developers who had not read the new requirements and whose servers had worked fine under iOS 12.

Technical Overview

TLS (Transport Layer Security) authenticates the server to the client and encrypts the data exchanged between them. The authentication step depends on the X.509 certificate the server presents: the client validates the certificate chain, the signature algorithms, the key sizes, the validity dates and the extensions before it agrees to the session. iOS 13 made several of these validation checks stricter, so a certificate that the client accepted under iOS 12 can be rejected under iOS 13 even though nothing on the server changed.

Certificate Requirements in iOS 13

  1. Validity Period:
    • For certificates issued on or after 1 July 2019 (as expressed in the NotBefore field), the validity period (NotAfter minus NotBefore) must be 825 days or fewer. Certificates with a longer lifetime are rejected.
    • Certificates issued before that date are exempt, which is why some older three- to five-year certificates kept working until they were renewed.
  2. Key Usage Extension:
    • Apple's published list does not require the Key Usage extension, but if it is present it must permit the way the key is used in the handshake: Digital Signature for certificates whose key signs the (EC)DHE exchange, Key Encipherment for RSA key transport. A Key Usage extension that omits the needed bit causes the same "not permitted for this use" failure.
  3. Extended Key Usage (EKU) Extension:
    • For certificates issued on or after 1 July 2019, the certificate must contain an EKU extension that includes the Server Authentication OID (id-kp-serverAuth, 1.3.6.1.5.5.7.3.1). A certificate with no EKU at all is rejected.
  4. Algorithm Requirements:
    • The signature hash must be from the SHA-2 family (SHA-256 or stronger). SHA-1-signed certificates are no longer trusted, and this applies to every issuing CA certificate in the chain, not only to the server certificate.
    • RSA keys must be at least 2048 bits, again for the server certificate and for the issuing CAs. Elliptic-curve keys are acceptable.
  5. Subject Alternative Name (SAN):
    • The server's DNS name must appear in the SAN extension. A DNS name placed only in the CommonName of the Subject is no longer trusted. In practice this was the most common reason that internal and self-signed certificates broke.

Connection Errors in iOS 13

After the release, apps talking to servers whose certificates did not meet these criteria stopped connecting. URLSession returns an NSURLErrorDomain error with code -1202 (NSURLErrorServerCertificateUntrusted, "The certificate for this server is invalid"), and Safari shows its "This Connection Is Not Private" page. The certificate chain itself is usually intact; the failure comes from the new policy checks, so the server-side logs show nothing more than a handshake that the client aborted.

Common Issues and Solutions

Issue 1: Validity Period Too Long

Symptom: A certificate issued after 1 July 2019 is rejected with NSURLErrorServerCertificateUntrusted even though its dates are current.

Solution: Reissue the certificate with a validity of 825 days or fewer (most public CAs now issue for 397 days or less, so this mainly affects internal CAs). Check the Validity section of `openssl x509 -in server.crt -noout -text`.

Issue 2: Key Usage Extension Does Not Permit the Key's Use

Symptom: The connection fails with an error that the certificate is not permitted for this use.

Solution: If the certificate carries a Key Usage extension, make sure it includes Digital Signature (and Key Encipherment for RSA key transport). Reissue the certificate if the bits are missing.

Issue 3: Missing Extended Key Usage

Symptom: Errors indicating that the certificate is not trusted for server authentication; typical for certificates from internal CAs that never set an EKU.

Solution: Reissue the certificate with an Extended Key Usage extension containing the Server Authentication OID (1.3.6.1.5.5.7.3.1). In the `openssl x509 -text` output it appears as "X509v3 Extended Key Usage: TLS Web Server Authentication".

Issue 4: Weak Hash or Key

Symptom: The certificate is rejected because its signature uses SHA-1 or its RSA key is shorter than 2048 bits. This can be caused by an old intermediate CA rather than by the server certificate itself, so inspect the whole chain.

Solution: Migrate to SHA-256 (or another SHA-2 hash) and to RSA keys of at least 2048 bits or an elliptic-curve key, and replace any intermediate CA certificate that still uses SHA-1 or a short key.

Issue 5: Hostname Only in the CommonName

Symptom: The certificate is rejected although the CommonName matches the server's hostname.

Solution: Reissue the certificate with the hostname in the Subject Alternative Name extension ("X509v3 Subject Alternative Name: DNS:api.example.com" in the openssl output). The CommonName can stay for compatibility, but iOS 13 ignores it for name matching.
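The checker below is an added example written for this article; it is not Apple's code and not part of any project. It encodes the requirement list above and the five issues just described as one function, CheckIOS13, and exercises it on two constructed self-signed certificates: a "legacy" one with the defects that typically broke after iOS 13 (1024-bit RSA, CommonName only, no EKU, five-year lifetime, issued after the July 2019 cutoff) and a reissued one that passes. The hostname api.backend.example is made up, and the 825-day rule is approximated as NotAfter minus NotBefore, since Apple does not publish its exact day-counting.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Apple applies the EKU and 825-day rules only to certificates whose NotBefore is on
// or after 1 July 2019; the key-size, hash and SAN rules apply to every certificate.
var cutoff = time.Date(2019, time.July, 1, 0, 0, 0, 0, time.UTC)

const maxValidity = 825 * 24 * time.Hour

// SHA-2 family signature algorithms accepted by iOS 13.
var sha2Signatures = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckIOS13 returns one message per iOS 13 trust requirement the certificate violates.
// An empty result means this certificate is acceptable; the issuing CAs and the
// hostname match still have to be checked separately.
func CheckIOS13(cert *x509.Certificate) []string {
	var problems []string
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < 2048 {
			problems = append(problems, fmt.Sprintf("RSA key is %d bits; at least 2048 required", bits))
		}
	case *ecdsa.PublicKey: // elliptic-curve keys are accepted as-is
	default:
		problems = append(problems, fmt.Sprintf("unexpected public key type %T", pub))
	}
	if !sha2Signatures[cert.SignatureAlgorithm] {
		problems = append(problems, fmt.Sprintf("signature algorithm %s is not SHA-2 based", cert.SignatureAlgorithm))
	}
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		problems = append(problems, "no Subject Alternative Name; a CommonName alone is not trusted")
	}
	if !cert.NotBefore.Before(cutoff) {
		serverAuth := false
		for _, eku := range cert.ExtKeyUsage {
			serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
		}
		if !serverAuth {
			problems = append(problems, "Extended Key Usage does not include id-kp-serverAuth")
		}
		if v := cert.NotAfter.Sub(cert.NotBefore); v > maxValidity {
			problems = append(problems, fmt.Sprintf("validity period is %.0f days; maximum is 825", v.Hours()/24))
		}
	}
	return problems
}

// selfSigned signs a template with its own key and re-parses the DER so that
// CheckIOS13 sees exactly what a client would decode from the wire.
func selfSigned(tmpl *x509.Certificate, key crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// LegacyCert is a constructed example of a certificate that stopped working
// under iOS 13 (hostname and dates are invented for this example).
func LegacyCert() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2019, time.August, 1, 0, 0, 0, 0, time.UTC)
	return selfSigned(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "api.backend.example"}, // no SAN, no EKU
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(5, 0, 0), // five years
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}, key)
}

// CompliantCert is the reissued replacement: P-256 key, SAN, serverAuth EKU and
// a lifetime under the 825-day cap.
func CompliantCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2019, time.October, 1, 0, 0, 0, 0, time.UTC)
	return selfSigned(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "api.backend.example"},
		DNSNames:     []string{"api.backend.example"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(397 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, key)
}

func main() {
	for _, c := range []struct {
		name  string
		build func() (*x509.Certificate, error)
	}{{"legacy", LegacyCert}, {"reissued", CompliantCert}} {
		cert, err := c.build()
		if err != nil {
			panic(err)
		}
		problems := CheckIOS13(cert)
		fmt.Printf("%s certificate: %d problem(s)\n", c.name, len(problems))
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```

Running it reports four problems for the legacy certificate (key size, missing SAN, missing EKU, validity period) and none for the reissued one. To audit a real server, load each certificate of the chain with x509.ParseCertificate and run CheckIOS13 on all of them, because a SHA-1 or 1024-bit intermediate fails the handshake just as the server certificate would.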

Example Scenario

Consider a deployed app that communicates with a custom backend over HTTPS. The backend's certificate comes from the company's internal CA, was issued in August 2019 with a five-year validity, carries the hostname only in the CommonName, and has no Extended Key Usage extension. Once users update to iOS 13:

  • Every request fails with NSURLErrorServerCertificateUntrusted (-1202), because the certificate was issued after 1 July 2019 and violates the 825-day limit and the EKU rule, and because the hostname is not in a SAN.
  • Administrators reissue the certificate from the internal CA with a validity of 825 days or fewer, the hostname in the Subject Alternative Name, and an Extended Key Usage of Server Authentication.
  • They confirm that the new certificate and the CA certificates above it are signed with SHA-256 and use RSA keys of at least 2048 bits or elliptic-curve keys, and verify the result with `openssl x509 -in server.crt -noout -text` before installing it.

The updated certificate resolves the connection error and restores the app on devices running iOS 13, while still working on older iOS versions that never enforced the new rules.

Summary Table

Requirement                 Details
Validity period             825 days or fewer for certificates issued on or after 1 July 2019
Extended Key Usage          Must include Server Authentication (id-kp-serverAuth, 1.3.6.1.5.5.7.3.1) for certificates issued on or after 1 July 2019
Subject Alternative Name    The server's DNS name must be in the SAN extension; CommonName alone is not trusted
Signature hash              SHA-2 family (SHA-256 or stronger) on the server certificate and all issuing CAs
Key                         RSA of at least 2048 bits (server certificate and issuing CAs) or an elliptic-curve key
Key Usage                   Not required by Apple, but if present it must permit the key's TLS use (Digital Signature and/or Key Encipherment)

Conclusion

The iOS 13 certificate rules reflect Apple aligning its trust policy with current CA/Browser Forum practice: shorter lifetimes, SHA-2 signatures, 2048-bit keys, explicit server-authentication EKUs and SAN-based hostnames. The transition caused disruptions mostly for internal CAs and self-signed certificates, but a certificate that satisfies these requirements is one that every current browser and platform will accept. Developers and system administrators should audit their certificate chains against the requirements before the next renewal rather than waiting for users to report connection errors.

By re-evaluating, updating, and auditing digital certificates regularly, organizations can not only resolve existing connection issues but also future-proof their digital security strategy.

