SSL Detective allows you to easily see what certificates are being used to verify a server and encrypt the connection. SSL Detective can help you determine if there are trust issues and allows you to email the certificates for further research. When an iOS device first connects to a server that is secured using SSL, the server provides the server’s SSL certificate and optionally some other certificates to verify the server’s identity (called a certificate chain). If the first certificate in the chain (called the root certificate) is not trusted by the device, the server’s certificate will not be trusted. If the chain is not trusted by iOS, services that depend on it (like Safari or Mail) will fail or prompt the user to accept an untrusted chain. In order to trust the root certificate, iOS devices ship with aroot certificate storethat contains the trusted root certificates. An administrator can install root certificates on an iOS device so that other certificate chains can be trusted as well using configuration profiles or manually installing via email or a website.
One of the key security pieces of the internet is Secure Socket Layer (SSL) which allows a device to securely connect to a server (such as your bank’s website), and trust that server belongs to the bank and no one can eavesdrop on the conversation. To accomplish this, SSL certificates are used by iPhone and iPad to verify that the server is the one identified by the certificate and that they are trusted by a Certificate Authority. If there are any inconsistencies in determining this information, the connection may fail, or the user may be given a warning.
Troubleshooting issues with certificates and certificate chains can be difficult on iOS. When using Mobile Safari to connect to a website secured with SSL that has a certificate related issue, Mobile Safari will only show you part of the server’s certificate, but not the entire certificate nor the certificate chain. SSL Detective makes viewing the certificate and certificate chain much easier on iOS.
SSL Detective connects to a SSL enabled port and downloads the server’s certificate, as well as any other certificates provided. It then verifies the certificate chain via iOS and the root certificate store, and gets back the entire chain, including the root certificate and any other certificates (called intermediates) that are downloaded. This allows you to see a fully trusted certificate chain or where the SSL trust is failing on an iOS device.
SSL connections are not limited to only web servers. A SSL port can be used with mail (IMAPS), VPN, directory service (LDAPS), and others. SSL Detective allows you to view the certificate chain for errors such as certificate expiration dates and hostname issues.
The following examples show a well formed certificate chain, an untrusted root error and no intermediate certificate error. All of these examples are live and can be used with SSL Detective so you can look at the problems more closely.
Example 1: Well formed certificate chain (twocanoes.com:443)
In the first example, connect to twocanoes.com port 443, and view the certificate chain. Note that the top of the certificate chain says Certificate Chain Trusted and this is in green to visually let you know that everything in the chain is correct. The twocanoes.com server on port 443 is set up to return the intermediate certificate (1) and the server certificate (2). The server’s certificate is trusted because the Certificate Authority is trusted by iOS by default. If you wanted to email the certificates on another device, or import a root certificate into a certificate store, touch Email Certificates (3) to email yourself a copy of the certificate chain.
Example 2: Untrusted Root (twocanoes.com:444)
In this example, the root certificate is not in the certificate store, and is expired. Note that the top of the certificate chain says Certificate Chain Not Trusted and this is in red to visually let you know that everything in the chain is not correct. This results in a certificate chain that is not trusted.
Example 3: No Intermediate Certificate (twocanoes.com:446)
In this example, the server does not return an intermediate certificate that is required, and the intermediate cannot be downloaded. This causes the chain to fail (1), even though the root certificate is in the trusted root certificate store. The intermediate certificate authorities certificate should have been downloaded from the URI in (2), but access to that URL was blocked by the network. This could be resolved by allowing this connection or by having the server provide both the intermediate certificate and the server certificate.