Network Security

On December 6th, 2018 iOS 12.1.1 came out and now requires that all publicly-trusted Transport Layer Security (TLS) server authentication certificates issued after October 15th, 2018 meet the Certificate Transparency policy to be trusted on Apple's platforms. This means that all certificates used in iOS applications will need to include two signed certificate timestamps (SCTs) from a Certificate Transparency log to be trusted in your application. If thes

As a long-time mobile and server-side engineer I have been involved in many different types of projects over the years. Some small, and some large, but all with one recurring trend: the mobile clients need to consume data from a server to perform a task. Sometimes the data being consumed is small, and other times the application needs to continuously poll or be notified of new data to keep the application up to date in real time. So far, this is probably nothing out of the ordinary, right?

OpenSSL 1.1.1 LTS
Featured Post

On September 11th, 2018 the OpenSSL team released a Long Term Support (LTS) version (1.1.1) of OpenSSL, which will be supported by the community and the core team for the next five years. This LTS release includes many new features such as TLS 1.3, ABI version compatibility, new cryptographic algorithms, and an overhaul of many areas of the random number generators included in OpenSSL.

Python just received a minor version update to Python 3.7 with many new performance enhancements, added features, and module improvements to the language. One of the existing Python modules that received some nice enhancements in 3.7 is the ssl module. The updated ssl module now has enhanced hostname support, updates to how blacklisting and whitelisting work, and, most importantly, conditional support for TLS 1.3 connections.

In the last couple of months I have found myself in situations where I have needed to diagnose transport security issues from the context of an iOS application. This can often be difficult from the client-side perspective, as you may not know anything about the minimum TLS version, preferred cipher suite, or the certificate in use on the server. Often, the best move you have, if you do not have a direct line to the server-side team, is to test different settings to diagnose what works and what does not.