Bug 7394 - instructions for self signed certificate with iOS are out of date
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Target Milestone: 4.11.0
Assignee: Samuel Mannehed
Keywords: ossman_tester, prosaic
Depends on: 7401
Reported: 2019-10-08 15:24 CEST by Pierre Ossman
Modified: 2019-10-16 13:57 CEST

Description Pierre Ossman cendio 2019-10-08 15:24:55 CEST
It seems Apple has added an extra step to get self signed certificates working. You now have to manually go in and approve the downloaded certificate as a provider before it can be enabled with full trust.

So it seems we need to update our instructions for this workaround.
Comment 2 Samuel Mannehed cendio 2019-10-15 14:10:56 CEST
Fixed for iOS 12 now.
Comment 3 Pierre Ossman cendio 2019-10-16 09:42:59 CEST
The iPad got upgraded to iOS 13 and I cannot get things to work. The instructions seem correct, but Safari refuses to connect to the VNC session.

This is what I see in the server log:

> ...
> 2019-10-16 09:38:32 INFO tlwebaccess[37906]: [::ffff:] 'GET /vendor/pako/lib/zlib/inffast.js HTTP/1.1' 200 -
> 2019-10-16 09:38:32 INFO tlwebaccess[37903]: [::ffff:] 'GET /vendor/pako/lib/zlib/adler32.js HTTP/1.1' 200 -
> 2019-10-16 09:38:32 INFO tlwebaccess[37909]: [::ffff:] 'GET /vendor/pako/lib/zlib/inftrees.js HTTP/1.1' 200 -
> 2019-10-16 09:38:33 ERROR tlwebaccess[37912]: [::ffff:] gnutls_handshake: The TLS connection was non-properly terminated.
> 2019-10-16 09:38:33 INFO tlwebaccess[37913]: [::ffff:] 'GET /app/images/error.svg HTTP/1.1' 200 -

So it seems it bails out during the TLS handshake for the WebSocket connection. Just like when it doesn't like a certificate.

Works fine for eudemo though, so it doesn't seem to be a general problem.
Comment 4 Pierre Ossman cendio 2019-10-16 13:11:11 CEST
Hooked it up to the mac and got an error code out of it: "OSStatus -9807", which apparently means errSSLXCertChainInvalid.

So right now it does indeed look like they've changed something regarding certificate checking. :/
Comment 5 Pierre Ossman cendio 2019-10-16 13:43:30 CEST
Seeing this connection error for multiple machines, so it is unrelated to this bug. Moving to bug 7401.
Comment 6 Pierre Ossman cendio 2019-10-16 13:57:06 CEST
After producing a proper certificate on bug 7401 everything now works fine. So the new instructions are correct.