iOS 18 breaks IMAPS self-signed certs

mmd45 | 114 points

I run my own CA and install it as a trusted CA via Configuration Profiles. This works fine, including iOS 17.

Does this break in iOS 18 or does this affect only self-signed (untrusted) certificates?

apparentorder | 5 hours ago

I switched to letsencrypt certs for my imap server. Works well, IMO better than the self-signed ones I used before.

Arnt | 20 hours ago

I wish they could break Snapchat, Facebook etc.’s self-signed certs. I own the device, why can’t I see the traffic to and from all of these apps if I add my self-signed cert and approve using a MITM proxy?

Most apps work, but not every one.

Often called certificate pinning.

punnerud | 19 hours ago

I think I've seen this before, in previous versions of iOS. You used to be able to just force a trust, but it would ask you again sometimes. I ended up just using LetsEncrypt certs, the one I use on the main website. Then I have a hook that also copies it to mailu.

sgt | 9 hours ago

And the Apple fanboys are loose again...

Regardless of your opinion on PKI and self-signed certificates, shouldn't we at least be bothered by the fact that Apple just switched off this feature without any communication whatsoever? The community was literally in the dark about whether this is an official policy change or a bug.

Google, in situations like this, at least made some corpospeak press release officially "sunsetting" the feature and provided an official deprecation timeline so users have time to adapt.

Apple is apparently just leaving their users stranded and unable to access their email.

xg15 | 4 hours ago

Tangent, but you can’t send mail on iOS with an IDN because “the sender address was invalid”, despite it working in macOS. I’ve read this is caused by a broken regex check. If any Apple employees are reading, please take a look.

techbrovanguard | 14 hours ago

Can you add your own CA cert to your device?

m463 | 20 hours ago

It's 2024, PKI best practices are well known and well documented, anybody still using a self-signed cert on their mail server (or anywhere) is either lazy or stupid.

Plenty of existing applications will refuse to connect to a self-signed certificate on the belief that allowing the end-user to confirm a certificate offers basically 0 protection against malicious actors.

stephenmac98 | 19 hours ago

I think the solution to this is to:

a) run your own private root CA

b) install the public part of the root CA on your device and trust it (basically the same as many major enterprise end users of android and ios devices need to do already, so this functionality is extremely unlikely to be removed from the operating system)

c) use the root CA to sign a cert for your mail server

Yes, it's a bit more hassle than just trying to tell the mail client to trust your self-signed cert that was generated on the mail server and signed by nothing, but I can understand why Apple (given the population of hundreds of millions of NON TECHNICAL end users) doesn't want people just blindly clicking through "yes/I accept/trust this server" self-signed cert warnings.

walrus01 | 18 hours ago

Does anyone know if there is any way to get iOS's mail client to present a client cert? Or, barring that, any form of self-hosted MFA.

tiberious726 | 19 hours ago

:-(

Hey lurking Apple devs, can someone please escalate this?

mmd45 | a day ago

I feel like this is going to happen to the permissionless side of crypto assets just like what's happened to most of the web 1.0 stuff.

Walled garden things will take over and something is going to happen to EOAs that makes them nerfed or rare.

But at the same time, that might take 40 years just like these web 1.0 problems, so it's fine for now.

yieldcrv | 13 hours ago

https://developer.apple.com/forums/thread/732409 (fixed url)

Seems like the issue is specifically with IMAP. I can confirm that calendar syncing works fine with the self-signed cert.

This is really disappointing.

mmd45 | 20 hours ago

So in summary: iOS used to accept untrusted certificates, yikes! Now, it validates the server cert, and people are upset? This blatantly insecure thing is broken now and the posters don't want to set it up securely?

It seems like these people are just struggling with how to properly set up their email server and clients when using a private CA. If you're going to use your own CA, then configure your client to trust it. The rest of us should be able to enjoy secure defaults and not have to worry about our less informed family members being tricked into bypassing basic security protections like TLS validation.

nerdile | 19 hours ago