SSL renegotiation bug

Number:rdar://11495354 Date Originated:21-May-2012
Status:Open Resolved:
Product:iPhone SDK Product Version:5.1
Classification:security Reproducible:always
During the renegotiation of the SSL, initiated by the server, the NSURLConnectionDelegate's methods are not called. This results in a failure when the server uses CA which is not in the system's list of trusted CAs.

Steps to Reproduce:
1. Configure a server with a self-signed CA.
2. Enable SSL renegotiation on server side, and make some logic that will trigger it
3. Build an iApp which will connect to this server and implement the NSURLDelegate's methods to do proper evaluation of the server certificate against the custom CA.
4. Sand a request to the server which will trigger the SSL renegotiation to happen.

Expected Results:
The connection should be established.

Actual Results:
The connection fails due to an invalid server certificate (check the notes below).

Xcode 4.3.2 / iOS SDK 5.1 / iPhone 5.1 Simulator  / iPhone 4S with iOS 5.1

When the connection is initially established, all delegate methods are called properly.
It is in the renegotiation phase when the delegate methods are not called and the server certificate is validated against the system's CAs, which fails. If the custom CA is installed as a trusted CA on the phone, than the renegotiation is successful.


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!