rabbitmq / rabbitmq-objc-client

RabbitMQ client for Objective-C and Swift
https://rabbitmq.com

TLS support for chained PKCS12 certificates #74

Status: Open. camelpunch opened this issue 8 years ago.

camelpunch commented 8 years ago

This client currently supports leaf client certificate/key pairs but not certificate chains, both when parsing/providing to the server and performing peer verification.

jsembdner commented 5 years ago

I guess I am running into this problem. In my app I want to use a .P12 certificate that trusts a self-signed CA to connect to a RabbitMQ service.

The following error is what I get:

Error Domain=kCFStreamErrorDomainSSL Code=-9831

which translates to:

errSSLPeerUnknownCA = -9831 /* unknown Cert Authority */

Are there any pointers to how to enable the library to handle this case?

michaelklishin commented 5 years ago

That is possible already.

This issue is about supporting certificate chains. RMQTLSOptions needs to parse certificate chains, and the peer verification mechanism should implement its traversal (or enable it in case there's a Foundation library that can do it) per RFC 5280 and RFC 6818.

michaelklishin commented 5 years ago

CONTRIBUTING.md describes how to run TLS integration tests. CertificateFixtures demonstrates how the example client certificate is loaded by the test suite.

michaelklishin commented 5 years ago

I cannot comment on a single error message, and our team does not use GitHub issues for investigations (that's what the RabbitMQ mailing list is for). However, it looks like the client complains about an unknown certificate authority, in which case you must make the server CA certificate trusted on the device.

RabbitMQ has a TLS troubleshooting guide, and Apple documentation has a note on self-signed CAs and how to make them trusted on a given device.
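An added example, not code from this repository, in Swift against Apple's Security framework. It shows the two pieces discussed in this thread: importing a PKCS#12 bundle while keeping the chain that SecPKCS12Import returns under kSecImportItemCertChain (the parsing step michaelklishin's comment asks of RMQTLSOptions), and evaluating a broker's chain against an explicitly trusted CA, which is what resolves the errSSLPeerUnknownCA (-9831) failure from the self-signed CA case above. The function names, the ClientCredentials type and the hostname parameter are assumptions.

```swift
import Foundation
import Security

// Assumed type name: the client identity (leaf cert + private key) plus every
// certificate packed in the PKCS#12 bundle (intermediates, possibly the CA).
struct ClientCredentials {
    let identity: SecIdentity
    let chain: [SecCertificate]
}

// Import a PKCS#12 blob and keep the whole chain, not only the leaf identity.
// SecPKCS12Import returns the bundled certificates (leaf first) under
// kSecImportItemCertChain; a client that drops them cannot send intermediates.
func loadPKCS12(_ data: Data, password: String) throws -> ClientCredentials {
    var items: CFArray?
    let options = [kSecImportExportPassphrase as String: password] as CFDictionary
    let status = SecPKCS12Import(data as CFData, options, &items)
    guard status == errSecSuccess,
          let first = (items as? [[String: Any]])?.first,
          let rawIdentity = first[kSecImportItemIdentity as String],
          CFGetTypeID(rawIdentity as CFTypeRef) == SecIdentityGetTypeID() else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    let chain = first[kSecImportItemCertChain as String] as? [SecCertificate] ?? []
    return ClientCredentials(identity: rawIdentity as! SecIdentity, chain: chain)
}

// Verify the chain a broker presented (leaf first) against explicitly trusted
// anchors. With a self-signed broker CA the system store knows nothing about it,
// which is exactly the errSSLPeerUnknownCA (-9831) failure; pinning the CA as an
// anchor and letting SecTrust walk the chain (RFC 5280 path validation) fixes it.
func serverChainIsTrusted(_ serverChain: [SecCertificate],
                          anchors: [SecCertificate],
                          hostname: String) -> Bool {
    var created: SecTrust?
    let policy = SecPolicyCreateSSL(true, hostname as CFString)   // also checks hostname
    guard SecTrustCreateWithCertificates(serverChain as CFArray, policy, &created) == errSecSuccess,
          let trust = created else { return false }
    SecTrustSetAnchorCertificates(trust, anchors as CFArray)
    SecTrustSetAnchorCertificatesOnly(trust, true)   // never fall back to the system roots
    var error: CFError?
    let ok = SecTrustEvaluateWithError(trust, &error)
    if !ok, let error = error { print("peer verification failed: \(error)") }
    return ok
}
```

If the broker CA is not packed into the PKCS#12 bundle, load its DER file with SecCertificateCreateWithData and pass that as the anchor; SecTrustSetAnchorCertificatesOnly keeps the system roots out of the decision so a wrong or missing anchor fails closed rather than silently trusting whatever the device already knows.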