Christian Stück

MDM APNS Certificate validation


Hello Forum,

After some work I got my first iPhone registered at MDM 😄

But it only connects once and I get the error "APNS service certificate validation failed".
I already checked the KB for MDM troubleshooting and investigated the root certs:

grep Entrust /etc/pki/tls/certs/ca-bundle.crt
# Entrust Root Certification Authority
# Entrust Root Certification Authority - G3
# Entrust.net Certification Authority (2048)
# Entrust Root Certification Authority - EC1
# Entrust Root Certification Authority - G2

I tried openssl:

openssl s_client -connect gateway.push.apple.com:2195

[...]

SSL handshake has read 4066 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DES-CBC3-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 3CE83A11424D2666E442824A8DE22C3576CB941119068687B2DD39BF337980B5F4D795D179454AC9F669437536654E7B
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1544112439
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

 

I'm after this for a few hours now - maybe someone has some ideas for me?

I was thinking about my firewall, but no outgoing traffic is blocked at all.

Thanks in advance!

Christian


Hello,

On v7 we don't use the default OpenSSL verification, but an ESET custom one.

This depends on a directory (OpenSSL CAPath) and the certificates stored in it. We are aware we don't support some "styles" of how trusted certificates are stored (AFAIK bundles).

Please check the OpenSSL default CAPath in the account MDM is run as. If that matches the system-wide configuration (where s_client verified OK), then the root CAs are most likely stored in an unsupported way. You should be able to work around this by adding the Entrust root CAs as PEM-encoded files (our verification implementation enumerates all files and folders and attempts to read them) into the OpenSSL CAPath directory.

HTH

 

Edited by Mirek S.
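The workaround above amounts to three steps: find the CAPath the MDM account actually uses, split the distribution's CA bundle into one PEM file per root, and drop the Entrust roots into that directory. The script below is an added example that does exactly that; it is not ESET's code and not from the original thread. It assumes the Red Hat / p11-kit bundle layout visible in the grep output in the first post (a "# <subject>" comment line directly before each BEGIN CERTIFICATE block) and uses a constructed sample bundle whose certificate bodies are placeholders rather than real DER, so it runs offline. The function and file names (split_bundle, write_capath, default_capath) are this example's own.

```python
"""Split a PEM CA bundle into per-root files for an OpenSSL CAPath directory.

Added example, not part of the original forum thread and not ESET code.
Assumes the bundle carries a "# <subject>" comment before each certificate,
as /etc/pki/tls/certs/ca-bundle.crt does on Red Hat derived systems.
"""
import os
import re
import subprocess
import tempfile

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_bundle(bundle_text):
    """Return [(label, pem_block)] for every certificate in the bundle text.

    label is the last "# ..." comment seen before the block, or "cert<N>"
    when the bundle has no comments. A block without END is an error rather
    than a silently dropped root.
    """
    entries, label, block = [], None, None
    for line in bundle_text.splitlines():
        if block is None:
            if line.startswith("#"):
                label = line[1:].strip()
            elif line.strip() == BEGIN:
                block = [line]
        else:
            block.append(line)
            if line.strip() == END:
                entries.append((label or "cert%d" % (len(entries) + 1),
                                "\n".join(block) + "\n"))
                label, block = None, None
    if block is not None:
        raise ValueError("bundle ends inside a certificate block")
    return entries


def safe_filename(label):
    """Turn a subject comment into a filesystem-safe .pem name."""
    return re.sub(r"[^A-Za-z0-9.-]+", "_", label).strip("_") + ".pem"


def write_capath(entries, capath, subject_filter=None):
    """Write each certificate as its own PEM file under capath; return the paths.

    subject_filter keeps only labels containing that substring, e.g. "Entrust",
    so only the roots the APNS chain needs are added.
    """
    os.makedirs(capath, exist_ok=True)
    written = []
    for label, pem in entries:
        if subject_filter and subject_filter not in label:
            continue
        path = os.path.join(capath, safe_filename(label))
        with open(path, "w") as fh:
            fh.write(pem)
        written.append(path)
    return written


def default_capath():
    """Best-effort OpenSSL default CAPath for the account running this script.

    SSL_CERT_DIR overrides the built-in default, which is OPENSSLDIR/certs as
    reported by `openssl version -d`. Returns None if openssl is not on PATH.
    """
    env = os.environ.get("SSL_CERT_DIR")
    if env:
        return env
    try:
        out = subprocess.run(["openssl", "version", "-d"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    m = re.search(r'OPENSSLDIR:\s*"([^"]+)"', out)
    return os.path.join(m.group(1), "certs") if m else None


# Constructed sample bundle: the base64 bodies are placeholders, not real certs.
SAMPLE_BUNDLE = """\
# DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERDigiCert
-----END CERTIFICATE-----
# Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDEREntrustG2
-----END CERTIFICATE-----
# Entrust.net Certification Authority (2048)
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDEREntrust2048
-----END CERTIFICATE-----
"""


def demo_entrust_split():
    """Run the pipeline on SAMPLE_BUNDLE in a scratch dir; return (basenames, contents)."""
    with tempfile.TemporaryDirectory() as capath:
        paths = write_capath(split_bundle(SAMPLE_BUNDLE), capath, "Entrust")
        contents = [open(p).read() for p in paths]
    return [os.path.basename(p) for p in paths], contents


if __name__ == "__main__":
    print("default CAPath for this account:", default_capath())
    for name in demo_entrust_split()[0]:
        print("would write", name)
```

To use it against the real bundle, read /etc/pki/tls/certs/ca-bundle.crt into split_bundle and pass default_capath() (run as the MDM service account, since SSL_CERT_DIR and OPENSSLDIR are per-process) to write_capath with subject_filter="Entrust". Confirm each written file parses with `openssl x509 -in <file> -noout -subject`. Two caveats: Mirek's reply says the ESET verifier enumerates every file in the directory, so no hash links are needed for it, but stock OpenSSL CAPath lookups only find files named by subject hash, so run `openssl rehash <dir>` (or c_rehash) if anything else on the host relies on that directory; and the placeholder bodies in SAMPLE_BUNDLE will not pass `openssl x509`, they exist only so the splitter runs offline.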

