
TLS support for chained PKCS12 certificates

Open camelpunch opened this issue 8 years ago • 4 comments

This client currently supports leaf client certificate/key pairs but not certificate chains, both when parsing/providing to the server and performing peer verification.

camelpunch avatar Jun 06 '16 09:06 camelpunch

I guess I am running into this problem. In my app I want to use a .P12 certificate that trusts a self-signed CA to connect to a RabbitMQ service.

The following error is what I get: Error Domain=kCFStreamErrorDomainSSL Code=-9831, which translates to: errSSLPeerUnknownCA = -9831, /* unknown Cert Authority */

Are there any pointers to how to enable the library to handle this case?

jsembdner avatar Apr 17 '19 16:04 jsembdner

That is possible already.

This issue is about supporting certificate chains. RMQTLSOptions needs to parse certificate chains, and the peer verification mechanism should implement its traversal (or enable it in case there's a Foundation library that can do it) per RFC 5280, 6818.

michaelklishin avatar Apr 17 '19 17:04 michaelklishin

CONTRIBUTING.md describes how to run TLS integration tests. CertificateFixtures demonstrates how the example client certificate is loaded by the test suite.

michaelklishin avatar Apr 17 '19 17:04 michaelklishin

I cannot comment on a single error message and our team does not use GitHub issues for investigations (that's what the RabbitMQ mailing list is for). However, it looks like the client complains about an unknown certificate authority, in which case you must make the server CA certificate trusted on the device.

RabbitMQ has a TLS troubleshooting guide, Apple documentation has a note on self-signed CAs and how to make them trusted on a given device.

michaelklishin avatar Apr 17 '19 17:04 michaelklishin
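As an added illustration of the two points raised in this thread (keeping the whole chain from a PKCS#12 import, and resolving errSSLPeerUnknownCA by trusting the server CA rather than skipping verification), here is a stand-alone Objective-C example using Apple's Security framework. It is not part of rabbitmq-objc-client or RMQTLSOptions; the file paths, passphrase and hostname are placeholders, and the peer trust would come from the open TLS stream in a real app.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Import a PKCS#12 bundle and hand back the identity plus the full certificate chain
// it carries (leaf first), so intermediate CA certificates are not silently dropped.
static SecIdentityRef CopyIdentityAndChain(NSData *p12, NSString *passphrase, NSArray **chainOut) {
    if (!p12 || !passphrase) return NULL;
    NSDictionary *opts = @{ (__bridge id)kSecImportExportPassphrase: passphrase };
    CFArrayRef items = NULL;
    OSStatus st = SecPKCS12Import((__bridge CFDataRef)p12, (__bridge CFDictionaryRef)opts, &items);
    if (st != errSecSuccess || CFArrayGetCount(items) == 0) return NULL;
    NSDictionary *item = ((__bridge NSArray *)items)[0];
    SecIdentityRef identity = (SecIdentityRef)CFBridgingRetain(item[(__bridge id)kSecImportItemIdentity]);
    *chainOut = item[(__bridge id)kSecImportItemCertChain];   // leaf, then issuers, as stored in the .p12
    CFRelease(items);
    return identity;
}

// Evaluate the peer trust the TLS stream handed us against a pinned self-signed CA only.
// This is the fix for errSSLPeerUnknownCA (-9831): trust the CA, do not disable verification.
static BOOL PeerTrustIsAcceptable(SecTrustRef peerTrust, SecCertificateRef ca, NSString *host, NSError **error) {
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)host);   // server role + hostname check
    SecTrustSetPolicies(peerTrust, policy);
    CFRelease(policy);
    NSArray *anchors = @[ (__bridge id)ca ];
    SecTrustSetAnchorCertificates(peerTrust, (__bridge CFArrayRef)anchors);
    SecTrustSetAnchorCertificatesOnly(peerTrust, true);                  // system roots are not consulted
    CFErrorRef cfErr = NULL;
    BOOL ok = SecTrustEvaluateWithError(peerTrust, &cfErr);            // builds and validates the path (RFC 5280)
    if (error) *error = cfErr ? CFBridgingRelease(cfErr) : nil;
    else if (cfErr) CFRelease(cfErr);
    return ok;
}

int main(void) {
    @autoreleasepool {
        // Placeholder paths and passphrase; replace with your own files.
        NSArray *chain = nil;
        SecIdentityRef identity = CopyIdentityAndChain([NSData dataWithContentsOfFile:@"/path/to/client.p12"], @"changeme", &chain);
        NSLog(@"identity %@, chain length %lu", identity ? @"loaded" : @"missing", (unsigned long)chain.count);
        NSData *caDer = [NSData dataWithContentsOfFile:@"/path/to/rabbitmq-ca.der"];
        SecCertificateRef ca = caDer ? SecCertificateCreateWithData(NULL, (__bridge CFDataRef)caDer) : NULL;
        // At runtime peerTrust comes from the open stream:
        //   (__bridge SecTrustRef)[stream propertyForKey:(__bridge NSString *)kCFStreamPropertySSLPeerTrust]
        // then: PeerTrustIsAcceptable(peerTrust, ca, @"rabbitmq.example", &err);
        if (identity) CFRelease(identity);
        if (ca) CFRelease(ca);
    }
    return 0;
}
```

If the server's certificate is issued by an intermediate rather than directly by the pinned CA, the server must send that intermediate in its chain, otherwise path building stops short of the anchor and evaluation still fails.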