We are excited to announce an important update for our Apple device users: wolfSSL’s support for installed system CA certificates now extends to Apple devices! This means that applications can now use the convenient wolfSSL_CTX_load_system_CA_certs() API to authenticate TLS connections against certificates installed to the system trust store.
Due to recently introduced OS changes around application sandboxing, applications running on non-macOS Apple platforms can no longer directly access trusted certificates installed on the system. This prevents these certificates from being enumerated and loaded into wolfSSL to use for authentication.
To accommodate this API restriction, we have introduced a new certificate verification routine that relies on Apple’s Security framework APIs to authenticate peer certificates. TLS peer certificates are first checked against the trusted CAs loaded into wolfSSL’s certificate manager, as they always have been. However, if this check is unsuccessful, wolfSSL will now attempt to validate the peer certificate chain using the system trust APIs. This new routine is only used when support for system CA certificates is enabled and when compiling for an Apple target.
If you are building wolfSSL for iOS using configure, this new feature will be on by default and no additional configuration is required by the user. If you are building with a user_settings.h file, you must define the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION preprocessor macros, as well as ensure you are linking wolfSSL against the Apple CoreFoundation and Security frameworks. Calling wolfSSL_CTX_load_system_CA_certs() before creating a new TLS connection will now enable system CA certificates to be used for authenticating a peer connection.
To use this feature on MacOS, the steps are the same except that you must define the WOLFSSL_APPLE_NATIVE_CERT_VALIDATION preprocessor macro even when building with configure, as the feature is not on by default.
If you are using cURL + wolfSSL, ensure that the feature is enabled in your wolfSSL build as described above, then set the CURLSSLOPT_NATIVE_CA curlopt in your curl application to indicate the native certificate verification routines should be used.
if you have questions, comments or suggestions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now