From caa098eee1b3eeee425db0f2ca8e4423e612f2ac Mon Sep 17 00:00:00 2001 From: Furo Date: Mon, 30 Mar 2026 19:03:23 +0200 Subject: [PATCH 1/2] Fixed `SSL CA` chain on `iOS` and `tvOS` --- src/hx/libs/ssl/Build.xml | 9 +++++++-- src/hx/libs/ssl/SSL.cpp | 42 +++++++++++++++++++++++++++++++++++++-- 2 files changed, 47 insertions(+), 4 deletions(-) diff --git a/src/hx/libs/ssl/Build.xml b/src/hx/libs/ssl/Build.xml index 2240f564a..af1f3cbc9 100644 --- a/src/hx/libs/ssl/Build.xml +++ b/src/hx/libs/ssl/Build.xml @@ -23,8 +23,13 @@ - - +
+ + + + + +
diff --git a/src/hx/libs/ssl/SSL.cpp b/src/hx/libs/ssl/SSL.cpp index 36d3897ed..a7b4c34e0 100644 --- a/src/hx/libs/ssl/SSL.cpp +++ b/src/hx/libs/ssl/SSL.cpp @@ -14,9 +14,12 @@ typedef int SOCKET; #include #include -#if defined(NEKO_MAC) && !defined(IPHONE) && !defined(APPLETV) +#if defined(NEKO_MAC) || defined(IPHONE) || defined(APPLETV) #include #endif +#if defined(IPHONE) || defined(APPLETV) +#include +#endif typedef size_t socket_int; @@ -439,6 +442,37 @@ static int verify_callback(void* param, mbedtls_x509_crt *crt, int depth, uint32 CertCloseStore(store, 0); return 0; } +#elif defined(IPHONE) || defined(APPLETV) +static int verify_callback(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags) { + // use mbedtls validate the chain structure and we validate with the iOS system trust store to replace the missing CA bundle + if (depth != 0) { + *flags = 0; + return 0; + } + + CFDataRef derData = CFDataCreate(NULL, crt->raw.p, crt->raw.len); + if (!derData) return 0; + + SecCertificateRef secCert = SecCertificateCreateWithData(NULL, derData); + CFRelease(derData); + if (!secCert) return 0; + + SecPolicyRef policy = SecPolicyCreateSSL(true, NULL); + CFArrayRef certs = CFArrayCreate(NULL, (const void **)&secCert, 1, &kCFTypeArrayCallBacks); + SecTrustRef trust = NULL; + SecTrustCreateWithCertificates(certs, policy, &trust); + CFRelease(certs); + CFRelease(policy); + CFRelease(secCert); + + CFErrorRef err = NULL; + bool trusted = SecTrustEvaluateWithError(trust, &err); + CFRelease(trust); + if (err) CFRelease(err); + + if (trusted) *flags = 0; + return 0; +} #endif Dynamic _hx_ssl_conf_new( bool server ) { @@ -451,7 +485,7 @@ Dynamic _hx_ssl_conf_new( bool server ) { conf->destroy(); ssl_error( ret ); } -#ifdef NEKO_WINDOWS +#if defined(NEKO_WINDOWS) || defined(IPHONE) || defined(APPLETV) mbedtls_ssl_conf_verify(conf->c, verify_callback, NULL); #endif mbedtls_ssl_conf_rng( conf->c, mbedtls_ctr_drbg_random, &ctr_drbg ); 
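Review bot: In the new iOS/tvOS verify_callback, `if (trusted) *flags = 0;` discards every mbedtls verification flag for the leaf, `MBEDTLS_X509_BADCERT_CN_MISMATCH` included, and the policy from `SecPolicyCreateSSL(true, NULL)` carries no hostname, so a certificate that chains to any system root is accepted for any peer name. Clearing only the bit the system trust store actually answers, `if (trusted) *flags &= ~MBEDTLS_X509_BADCERT_NOT_TRUSTED;`, keeps mbedtls's own name and validity checks in force; passing the hostname to SecPolicyCreateSSL instead would need a real context object in place of the `NULL` handed to `mbedtls_ssl_conf_verify` in the following hunk. The return value of `SecTrustCreateWithCertificates` is also unchecked, so on failure `trust` stays NULL and reaches `SecTrustEvaluateWithError` and `CFRelease`; keep the three releases as they are and change the call to `OSStatus st = SecTrustCreateWithCertificates(certs, policy, &trust);` followed, after the releases, by `if (st != errSecSuccess || trust == NULL) return 0;`. Only the depth-0 certificate is given to the trust object, so intermediates the server presented (linked through `crt->next`, if I read mbedtls correctly) are unavailable to the evaluation and chains that depend on them will fail unless the OS fetches them itself. The surrounding `#if defined(NEKO_WINDOWS)` block begins before this hunk.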
@@ -583,6 +617,10 @@ Dynamic _hx_ssl_cert_load_defaults(){ CFRelease(keychain); if( chain != NULL ) return chain; +#elif defined(IPHONE) || defined(APPLETV) // SystemRootCertificates.keychain doesn't exist on iOS and tvOS so i use a cool workaround + sslcert *chain = new sslcert(); + chain->create(NULL); // creates a ssl cert with only the default ones that iOS or tvOS trust in the os + return chain; #endif return null(); } From eda5ad1fd79d79b29b76ca68a51282bb471e0edd Mon Sep 17 00:00:00 2001 From: MAJigsaw77 <77043862+MAJigsaw77@users.noreply.github.com> Date: Sat, 18 Apr 2026 00:26:36 +0300 Subject: [PATCH 2/2] Fix `certificate` check typo --- src/hx/libs/ssl/SSL.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/hx/libs/ssl/SSL.cpp b/src/hx/libs/ssl/SSL.cpp index a7b4c34e0..64a2e03fa 100644 --- a/src/hx/libs/ssl/SSL.cpp +++ b/src/hx/libs/ssl/SSL.cpp @@ -499,7 +499,7 @@ void _hx_ssl_conf_close( Dynamic hconf ) { void _hx_ssl_conf_set_ca( Dynamic hconf, Dynamic hcert ) { sslconf *conf = val_conf(hconf); - if( hconf.mPtr ){ + if( hcert.mPtr ){ sslcert *cert = val_cert(hcert); mbedtls_ssl_conf_ca_chain( conf->c, cert->c, NULL ); }else{
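Review bot: The new iOS/tvOS branch of _hx_ssl_cert_load_defaults returns the chain produced by `chain->create(NULL)`, and its comment claims that holds the roots the OS trusts, which nothing in the visible code shows; as far as this hunk goes it is an empty chain, and peers are accepted only because _hx_ssl_conf_new installs verify_callback on these platforms. The comment should state that dependency rather than the "cool workaround" remark, e.g. `// no SystemRootCertificates.keychain on iOS/tvOS: return an empty chain and rely on verify_callback (installed in _hx_ssl_conf_new) to consult the system trust store`. If `sslcert::create(NULL)` can fail, its result is unchecked here; its definition is not visible from this hunk. _hx_ssl_cert_load_defaults and the enclosing `#if` begin before this hunk.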