HOW TO: Intercept iPhone and iPad SSL connections that require a valid SSL certificate

September 11, 2012

With the rising popularity of iPhone and iPad devices, we are running into more and more applications which require a valid SSL certificate for all connections. In order to properly assess the security of these applications, we need to intercept the SSL connections they make. This post shows our technique for doing this.

Please note that this is not a vulnerability in iOS, and that everything is working as intended. This is the method we use for intercepting SSL connections made by iOS applications, and assumes you’re already able to forward such connections (using pf, iptables, or something similar) to your machine. This also assumes that you will be using burp suite proxy

1. Firstly, set up a working directory. This blog post assume you’re working with the following working directory structure:

mkdir ~/iosssl
cd ~/iosssl
mkdir {conf,certs,private,newcerts}
echo 01 > serial
touch index.txt

2. Then, copy your “openssl.cnf” file from somewhere in “/etc” into “conf/caconfig.cnf”

The location of your “openssl.cnf” file may vary  “find /etc | grep openssl.cnf” may help.

cp /etc/pki/tls/openssl.cnf ~/iosssl/conf/

3. Make sure you have these two sections in ~/iosssl/conf/openssl.cnf

#If your file doesn’t have an “alt_names” section, add the whole thing to the end. Otherwise, change the section to match this content.
#You may want to add more lines but I generally find nine is enough..

DNS.1 = *
DNS.2 = *.*
DNS.3 = *.*.*
DNS.4 = *.*.*.*
DNS.5 = *.*.*.*.*
DNS.6 = *.*.*.*.*.*
DNS.7 = *.*.*.*.*.*.*
DNS.8 = *.*.*.*.*.*.*.*
DNS.9 = *.*.*.*.*.*.*.*.*
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

Then, find the following lines in your working copy of openssl.cnf, and edit them as follows:

certs         = $dir/cacert.pem
dir            = .

4. Then generate a CA certificate using openssl:

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 666 -config conf/openssl.cnf

OpenSSL will ask a few questions before generating a CA certificate. It won’t matter what answers you supply, but remember the passphrase which you set.

5. Then generate a server certificate:

openssl req -new -nodes -out server.req.pem -keyout private/server.key.pem -config conf/openssl.cnf

Again, OpenSSL will ask a few questions – it won’t matter what answers you supply.

6. Using the CA certificate generated in step 4, sign this new server certificate (you will need to enter your passphrase from step 4, and then press ‘y’ twice):

openssl ca -out cert.crt -extensions v3_req -config conf/openssl.cnf -infiles server.req.pem

7. Package this signed server cerficiate in p12 format:

openssl pkcs12 -export -in cert.crt -inkey private/server.key.pem -out cert.p12

OpenSSL will ask for an export password – it doesn’t matter what you use, but remember this password as you’ll need it in the next step.

8.     Add this key to the relevant proxy listener. The screenshots below show how to do this in Burp Suite, the procedure will change depending on the proxy you use.

Note that to make the iOS application’s connections go through your proxy, you may need to forward connections from the iOS device to your proxy listener manually, using ‘pf’ or a similar tool.

Furthermore, make sure your proxy listener is active on the correct interface(s), your local firewall allows the connection, and that you supply the correct password for your p12 format key, as in the following screenshots:

9. Copy the file “cacert.pem” to a windows system

Rename this system to cacert.crt. Double click it, and import it into the “Trusted Root Certification Authorities” container. I’m not sure if it needs to go there, but better safe than sorry.

Also, remember to remove it from the system once we’re done, or someone can use it to intercept the Windows systems traffic as well.

10. Open the “iPhone configuration utility” ( ) on Windows and create a new configuration profile.

You must fill out the general tab, but the values are irrelevant.

11. Click the credentials menu inside this profile, and “configure” a credential.  Select the certificate you just added to your Windows system, as in the following screenshot:

Plug the device in to your Windows system, and navigate to it in the devices menu. Click the configuration profiles tab, and apply the new policy. When prompted (on the iPad) to accept the certificate, accept it. When this is complete, unplug the device.

You can now intercept connections from your iOS application which would otherwise require a valid certificate. As your CA certificate is now trusted by the iOS device, your server certificate (loaded into burp) is also trusted, and the iOS application will happily send it’s traffic through burp (or whatever proxy you choose).

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *