MacOS – OS X 10.11 CardDAV with self-signed certificate

carddav, certificate, contacts, keychain, macos

The CardDAV server I'm trying to connect to uses a self-signed certificate. Unfortunately I cannot do anything about it.

In previous OS X versions, when connecting to this server the system asked if I want to connect using this insecure certificate. I could accept and continue.

When trying the same thing in the current OS X version, this does not work. The Contacts.app only shows a connection issue.

When looking into the logs in Console, I could find this error:

02/12/15 00:55:39,637 Contacts[39186]: [CardDAVPlugin-ERROR] -getPrincipalInfo:[_controller discoverServer https://user@host:port(null)] 
    Error Domain=NSURLErrorDomain
    Code=-1200
    "An SSL error has occurred and a secure connection to the server cannot be made."
    UserInfo={
        _kCFStreamErrorCodeKey=-9801,
        NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?
    }

No alert, no prompt to proceed anyway.

Now I thought I might be able to download the certificate, add it to the keychain and set the default trust to "Always Trust".

echo -n | openssl s_client -connect host:port | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > carddav.cer

Got the certificate, added it to the keychain, set the trust and tried again – bummer:
Same error again and still no confirmation dialog.

Now my question is: Is there any way to allow Contacts.app to connect to my server or to bring back the confirmation dialog?

EDIT

As requested, here are my SSL connection details:

CONNECTED(00000003)
depth=0 CN = , O = , OU = , ST = , C = , L = , emailAddress = 
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = , O = , OU = , ST = , C = , L = , emailAddress = 
verify return:1
---
Certificate chain
 0 s:/CN=/O=/OU=/ST=/C=/L=/emailAddress=
   i:/CN=/O=/OU=/ST=/C=/L=/emailAddress=
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=/O=/OU=/ST=/C=/L=/emailAddress=
issuer=/CN=/O=/OU=/ST=/C=/L=/emailAddress=
---
No client certificate CA names sent
---
SSL handshake has read 1198 bytes and written 658 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1449069604
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
DONE

Best Answer

According to the Security Enhancements section of the OS X 10.11 pre-release notes on Apple's Developer web site:

App Transport Security (ATS)

App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in OS X v10.11 and iOS 9. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
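Added example, not part of the question or the answer: a shell function that reads the text `openssl s_client` prints (the session block from the question is embedded as a constructed sample) and reports which of the requirements the answer quotes the server misses. Assumptions: the negotiated version is taken from the `Protocol :` line of the SSL-Session block, "forward secrecy" is read as an ECDHE key exchange in the cipher name, the 2048-bit floor is ATS's documented minimum for RSA keys (not something the answer quotes), and the chain must verify with return code 0 because 10.11 no longer offers a "connect anyway" prompt.

```shell
# Constructed sample: the SSL-Session block from the question, abbreviated.
SAMPLE=$(cat <<'EOF'
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Verify return code: 18 (self signed certificate)
EOF
)

# Read `openssl s_client` output on stdin; print OK or FAIL with the reasons.
# Returns 1 on FAIL so it can be used in scripts.
ats_check() {
    out=$(cat)
    fails=""
    proto=$(printf '%s\n' "$out" | awk -F': *' '/^ *Protocol *:/ {print $2; exit}')
    cipher=$(printf '%s\n' "$out" | awk -F': *' '/^ *Cipher *:/ {print $2; exit}')
    bits=$(printf '%s\n' "$out" | awk '/Server public key is/ {print $5; exit}')
    verify=$(printf '%s\n' "$out" | awk -F': *' '/Verify return code:/ {print $2; exit}')
    # ATS: TLS 1.2 only
    [ "$proto" = "TLSv1.2" ] || fails="$fails protocol=${proto:-unknown}"
    # ATS: forward secrecy, read here as an ECDHE key exchange (assumption)
    case "$cipher" in
        ECDHE-*) ;;
        *) fails="$fails cipher=${cipher:-unknown}" ;;
    esac
    # ATS: RSA keys of at least 2048 bits (documented minimum, assumed here)
    [ "${bits:-0}" -ge 2048 ] || fails="$fails key_bits=${bits:-unknown}"
    # No "connect anyway" prompt on 10.11: the chain must verify (code 0)
    case "$verify" in
        0|"0 "*) ;;
        *) fails="$fails verify=\"${verify:-unknown}\"" ;;
    esac
    if [ -z "$fails" ]; then
        echo "OK: meets the ATS requirements checked here"
        return 0
    fi
    echo "FAIL:$fails"
    return 1
}

# On the sample from the question all three checks that matter fail:
# protocol, cipher (no forward secrecy) and certificate verification.
printf '%s\n' "$SAMPLE" | ats_check || echo "Contacts.app on 10.11 will refuse this server"
```

Run it as `openssl s_client -connect host:port </dev/null 2>/dev/null | ats_check` against a live server; the session block printed by `s_client` is what the function parses.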