SSL Detective Overview

SSL Detective allows you to easily see what certificates are being used to verify a server and encrypt the connection. This software can help you determine if there are trust issues and allows you to email the certificates for further research.

When an iOS device first connects to a server that is secured using SSL, the server provides its SSL certificate and, optionally, other certificates to verify the server’s identity (a certificate chain). If the first certificate in the chain (the root certificate) is not trusted by the device, the server’s certificate will not be trusted. If the chain is not trusted by iOS, services that depend on it (like Safari or Mail) will fail or prompt the user to accept an untrusted chain. In order to trust the root certificate, iOS devices ship with a root certificate store that contains the trusted root certificates. An administrator can install root certificates on an iOS device so that other certificate chains can be trusted as well, either by using configuration profiles or manually installing via email or a website.

One of the key security pieces of the Internet is Secure Socket Layer (SSL) which allows a device to securely connect to a server (such as your bank’s website), and trust that server belongs to the bank and no one can eavesdrop on the conversation. To accomplish this, SSL certificates are used by iPhone and iPad to verify that the server is the one identified by the certificate, trusted by a Certificate Authority. If there are any inconsistencies in determining this information, the connection may fail or the user may be given a warning.

Troubleshooting issues with certificates and certificate chains can be difficult on iOS. When using Safari on iOS to connect to a website secured with SSL that has a certificate-related issue, Safari will only show you part of the server’s certificate, not the entire certificate or the certificate chain. SSL Detective makes viewing the certificate and certificate chain much easier on iOS.

SSL Detective connects to an SSL enabled port and downloads the server’s certificate as well as any other certificates provided. It then verifies the certificate chain via iOS and the root certificate store, getting back the entire chain including the root certificate and any other certificates (intermediates) that are downloaded. This allows you to see a fully trusted certificate chain or where the SSL trust is failing on an iOS device.

SSL connections are not limited to only web servers. An SSL port can be used with Mail (IMAPS), VPN, directory service (LDAPS), and others. SSL Detective allows you to view the certificate chain for errors such as certificate expiration dates and hostname issues.

The following examples show a well-formed certificate chain, an untrusted root error, and no intermediate certificate error. All of these examples are live and can be used with SSL Detective so you can look at problems more closely.

Example 1: Well-Formed Certificate Chain (twocanoes.com:443)