pushproxy's Issues

'SSL23_GET_CLIENT_HELLO', 'unknown protocol'

I get the following error when a client connects to the proxy:

2015-08-05 12:45:23+0200 [#0] New connection from 192.168.1.83:49355
2015-08-05 12:45:27+0200 Unable to connect to peer: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'SSL23_GET_CLIENT_HELLO', 'unknown protocol')]

What gives?
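The 'unknown protocol' error from SSL23_GET_CLIENT_HELLO means OpenSSL did not recognise the first bytes the client sent as a TLS record at all (a plain-text request reaching the TLS port, for example). The parser below is an added example, not code from pushproxy: it classifies the first bytes received on a listener and, for a genuine ClientHello, extracts the offered protocol version and the SNI host name, which tells you which name the device believes it is connecting to. `build_client_hello` constructs a minimal sample ClientHello for the demonstration.

```python
import struct

TLS_HANDSHAKE = 0x16          # record content type for handshake messages
CLIENT_HELLO = 0x01           # handshake message type
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def inspect_first_bytes(data):
    """Classify the first bytes a client sent to a TLS listener.

    Returns a dict whose 'kind' is one of:
      'short'        fewer than 5 bytes, no record header yet
      'not_tls'      not a TLS record: this is what OpenSSL reports as 'unknown protocol'
      'tls_other'    a TLS handshake record that is not a ClientHello
      'client_hello' a ClientHello, with record version, client version and SNI name
    """
    if len(data) < 5:
        return {"kind": "short"}
    ctype = data[0]
    rec_ver, rec_len = struct.unpack(">HH", data[1:5])
    if ctype != TLS_HANDSHAKE or (rec_ver >> 8) != 0x03:
        return {"kind": "not_tls", "preview": bytes(data[:16])}
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return {"kind": "tls_other", "handshake_type": body[0] if body else None}
    # ClientHello body: version(2) random(32) session_id<1> cipher_suites<2> compression<1> extensions<2>
    pos = 4
    client_ver = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32
    pos += 1 + body[pos]                                     # session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]     # cipher suites
    pos += 1 + body[pos]                                     # compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                # server_name extension
                # ServerNameList: list length(2), name type(1), name length(2), host name
                name_len = struct.unpack(">H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    return {"kind": "client_hello",
            "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
            "client_version": VERSIONS.get(client_ver, hex(client_ver)),
            "sni": sni}


def build_client_hello(server_name, client_version=0x0303):
    """Constructed sample input: a minimal ClientHello with one cipher suite and an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack(">HH", 0, len(sni_entry)) + sni_entry
    hello = struct.pack(">H", client_version) + b"\x00" * 32     # version, random (zeros, sample only)
    hello += b"\x00"                                               # empty session id
    hello += struct.pack(">H", 2) + b"\x00\x2f"                    # one cipher suite
    hello += b"\x01\x00"                                           # null compression only
    hello += struct.pack(">H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + struct.pack(">HH", 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    for sample in (build_client_hello("courier.push.apple.com"), b"GET / HTTP/1.1\r\nHost: x\r\n"):
        print(inspect_first_bytes(sample))
```

A 'not_tls' result with a readable preview points at a plain-text client hitting port 5223 or at something in front of the proxy stripping TLS; a 'client_hello' whose SNI is not one of the courier hosts in the generated hosts file points at a routing or hosts-file problem rather than a certificate one.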

OS X Setup

I'm happy to have found this project as I've spent a day or so trying to do exactly the same thing a few months back without much luck.

My test setup is OS X 10.7.4 running the iMessage beta. I did the following so far to get things set up:

  • ran setup/generate-hosts-file.py 127.0.0.1 and added the entries to my /etc/hosts file
  • ran setup/osx/extract_certificate.py -f to extract my device certificate from the applepushserviced certificate chain
  • generated a self signed certificate and added to my system keychain. The CNAME is courier.push.apple.com and it's trusted by all users.
  • I attempt to run ./runpush.sh but get the stack trace below. It appears to be unhappy with the serverChain which defaults to ../certs/apple/apple-cert-chain.pem and it says "no start line" in the PEM file which would seem like it is complaining about an invalid PEM file, but that doesn't seem like a likely cause.

Any suggestions?

Unhandled Error
Traceback (most recent call last):
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/application/app.py", line 652, in run
    runApp(config)
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/scripts/twistd.py", line 23, in runApp
    _SomeApplicationRunner(config).run()
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/application/app.py", line 386, in run
    self.application = self.createOrGetApplication()
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/application/app.py", line 451, in createOrGetApplication
    application = getApplication(self.config, passphrase)
--- <exception caught here> ---
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/application/app.py", line 462, in getApplication
    application = service.loadApplication(filename, style, passphrase)
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/application/service.py", line 405, in loadApplication
    application = sob.loadValueFromFile(filename, 'application', passphrase)
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/persisted/sob.py", line 210, in loadValueFromFile
    exec fileObj in d, d
  File "pushserver.py", line 55, in <module>
    contextFactory = factory.getServerContextFactory()
  File "/Volumes/Big/Projects/iChatRev/pushproxy/src/icl0ud/push/intercept.py", line 248, in getServerContextFactory
    self.serverChain
  File "/Volumes/Big/Projects/iChatRev/pushproxy/src/icl0ud/push/intercept.py", line 256, in __init__
    ssl.DefaultOpenSSLContextFactory.__init__(self, cert, cert)
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/internet/ssl.py", line 68, in __init__
    self.cacheContext()
  File "/usr/local/Cellar/python/2.7.2/lib/python2.7/site-packages/twisted/internet/ssl.py", line 78, in cacheContext
    ctx.use_privatekey_file(self.privateKeyFileName)
OpenSSL.SSL.Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]

Failed to load application: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]
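OpenSSL raises 'PEM_read_bio: no start line' when it reaches the end of a file without finding a block of the type it was asked for; here `use_privatekey_file` got a file with no private key block it could read. The inspector below is an added example, not part of pushproxy: it lists the PEM blocks in a bundle in file order and reports the structural faults that produce this error (no markers, a BEGIN without its END, corrupt base64, no key or no certificate). The sample bundles are constructed from placeholder bytes, not real certificates or keys.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inspect_pem_bundle(text):
    """Inspect a PEM bundle such as pushproxy's server.pem.

    Returns (blocks, problems): blocks is a list of (label, decoded_length) in file order,
    problems is a list of findings that map onto the OpenSSL errors seen in the issue above.
    """
    blocks, problems = [], []
    corrupt = 0
    for match in PEM_BLOCK.finditer(text):
        label = match.group("label")
        body = "".join(match.group("body").split())      # drop line breaks inside the body
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append("block %r has a corrupt base64 body" % label)
            corrupt += 1
            continue
        blocks.append((label, len(der)))
    begins = text.count("-----BEGIN ")
    if begins > len(blocks) + corrupt:
        problems.append("%d BEGIN marker(s) without a matching END of the same label"
                        % (begins - len(blocks) - corrupt))
    if not blocks:
        problems.append("no readable PEM block: OpenSSL reports 'PEM_read_bio: no start line'")
        return blocks, problems
    labels = [label for label, _ in blocks]
    if not any(label in KEY_LABELS for label in labels):
        problems.append("no private key block: use_privatekey_file fails with 'no start line'")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block: use_certificate_file fails with 'no start line'")
    return blocks, problems


def _pem(label, payload):
    """Constructed helper: wraps placeholder bytes in a PEM block (not a real certificate or key)."""
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(payload).decode(), label)


# Constructed samples. Note that use_certificate_file loads the first CERTIFICATE block it finds,
# so the leaf belongs before the intermediate in a bundle like server.pem.
SAMPLE_OK = (_pem("CERTIFICATE", b"leaf certificate placeholder")
             + _pem("RSA PRIVATE KEY", b"leaf private key placeholder")
             + _pem("CERTIFICATE", b"intermediate certificate placeholder"))
SAMPLE_NO_KEY = _pem("CERTIFICATE", b"leaf certificate placeholder")
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\nbGVhZg==\n"      # END marker lost in a copy-paste
SAMPLE_NOT_PEM = "a DER file, or an empty file, has no PEM markers at all\n"

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("no key", SAMPLE_NO_KEY),
                         ("truncated", SAMPLE_TRUNCATED), ("not pem", SAMPLE_NOT_PEM)):
        print(name, inspect_pem_bundle(sample))
```

This checks structure only. A certificate and key that are both present but do not belong together fail later with 'X509_check_private_key: key values mismatch'; comparing `openssl x509 -noout -modulus -in server.pem` with `openssl rsa -noout -modulus -in server.pem` shows that case.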

codesign

I tried to install it on OS X 10.9.2 and imported all of the certificates I created into the keychain. Now I'm at the point where I need to patch apsd, but I don't know what is meant by code signing identity.
<code signing identity>: Name of a code signing certificate understood by the codesign utility, make sure your machine trusts this cert (root)
I tried the Common Name of the cert and also the file name of the cert, but there is
an error from the Python program

Permission to use your protocol documentation

I want to add APNS protocol documentation to the hack-different/apple-knowledge repository. I would like to use apple-push-protocol-ios5-lion.md as a base, to avoid having to write the document from scratch. I will likely edit it a lot to add my own findings later, but it will be easier to use this as a starting point.

The pushproxy repository has GPLv3 under LICENSE so it's presumed to apply to every file in the repository, including the documentation. Could you give us permission to relicense apple-push-protocol*.md under MIT + CC-BY-SA? Credit will be preserved in git history.

Thanks!

Nimble crashes with 'Illegal instruction: 4'

Hi, @meeee. Thank you for the new updates.
So the issue is in the title. I copied nimble binary to /private/var/Keychains on my iPhone, changed permission and got this error 'Illegal instruction: 4'.
What does nimble do? Or where I can find a working version?
Another question is do I have to have device certificate for every device? I already use PushProxy, so can I use a certificate extracted from OS X?
iPhone 6, iOS 8.1.2.

when patch apsd has a error

Thanks for the great project!
I'm trying to make it work on 10.8.4; when patching apsd, I got this:

$ setup/osx/patch_apsd.py apsd ca.der server.der louis
Traceback (most recent call last):
  File "setup/osx/patch_apsd.py", line 93, in <module>
    main()
  File "setup/osx/patch_apsd.py", line 34, in main
    patch(apsd_path, dict(replacements), output_path)
  File "setup/osx/patch_apsd.py", line 79, in patch
    " or it occurs multiple times: %s" % repr(needle))
ValueError: Source binary doesn't contain replacement key  or it occurs multiple times: '\xb9`\x04\x00\x00'

and I have copied /System/Library/PrivateFrameworks/ApplePushService.framework/apsd to push proxy-master/apsd.

Cert issues, ssl handshake failure

I'm really banging my head against the wall here :( I have tried creating certificates using the keychain assistant in OS X and manually using openssl; both have left me defeated. I'm using OS X 10.9.5 and iOS 7.1.2. I have had the most success using the keychain assistant; using openssl I had problems adding the subjectAlt field so the connections weren't being routed properly. The proxy is indeed receiving connections, but I see the following SSL error(s) after the iOS device fetches the bag:

2015-05-12 21:35:13-0700 [#13] New connection from 192.168.1.70:49240
2015-05-12 21:35:14-0700 Unable to connect to peer: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake failure')]
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/internet/posixbase.py:258:_disconnectSelectable
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/internet/tcp.py:267:readConnectionLost
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/internet/tcp.py:287:connectionLost
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/protocols/tls.py:460:connectionLost
--- <exception caught here> ---
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/protocols/tls.py:356:_flushReceiveBIO
build/bdist.macosx-10.9-intel/egg/OpenSSL/SSL.py:1320:recv
build/bdist.macosx-10.9-intel/egg/OpenSSL/SSL.py:1187:_raise_ssl_error
build/bdist.macosx-10.9-intel/egg/OpenSSL/_util.py:48:exception_from_error_queue

iOS apsd log: http://pastebin.com/EUwZYBBi

I followed your instructions to the letter (3 times over to ensure I didn't miss anything). My certs/courier.push.apple.com contains server.pem with the intermediate crt/key and the leaf (courier.push.apple.com) crt/key. I created three certs; one root CA, one intermediate CA and a leaf. I added O/L/S entries for all matching your specifications (Apple Inc., Cupertino, etc.). I was not able to patch apsd on the OSX machine; it throws some errors, presumably because your patching routine is out of date with what 10.9.5 has, but I didn't see specific apsd errors like other people with issues had to suggest that apsd needs to be patched. It looks more like the iPhone is not accepting the certs (see iOS log above). It is also worth noting that the iOS device only shows the root (init-p01...) cert as 'Trusted' after being installed; the intermediate CA and leaf both show as 'Not Trusted' for some reason. I did have the intermediate CA showing as trusted during one of my attempts but that still yielded the same errors.

MessageProxy.connectionLost - peer connection lost

From https://github.com/meeee/pushproxy/blob/master/src/icl0ud/push/intercept.py#L47

def connectionLost(self, reason):
    # TODO notify handlers
    # FIXME fix this shutdown
    if self.peer is not None:
        self.peer.transport.loseConnection()
        self.peer = None

This shutdown used to be rare but it is occurring more often now where the iPhone sporadically loses its connection to the proxy server. It seems to happen most during periods of high traffic of APSNotifications. I have been able to find no meaningful info from debugging, and updating biplist (1.0.1), Twisted (15.5) and pyOpenSSL (0.15.1) to latest version had no effect. The 'reason' parameter under connectionLost also reveals no useful info:

Peer connection lost ([Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly. ])

Is it possible to perform more debugging or logging and determine what is triggering the connection closure? Trying to reconnect if you catch it in the InterceptClient factory is not helpful either, it simply starts an endless loop of errors.

One thing to note is that this seems to occur after the server sends a series of APSNotifications to the client, as such:

2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00
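A first step toward the extra logging asked for above is to correlate the two events in the proxy's own log: a burst of responses on one connection and a 'connection lost' for the same connection shortly after. The detector below is an added example, not part of pushproxy: it parses lines in the `timestamp [#n] message` format shown above, counts APSNotificationResponse lines per connection per second, and reports any burst at or above a threshold together with whether a drop followed within a grace period. The sample log is constructed in that format; the 'Peer connection lost' line is assumed to carry the same `[#n]` prefix.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)[+-]\d{4} \[#(?P<conn>\d+)\] (?P<msg>.*)$")


def parse_log_line(line):
    """Split a pushproxy log line into (timestamp, connection number, message); None if it has no [#n] tag."""
    match = LOG_LINE.match(line)
    if match is None:
        return None
    return (datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S"),
            int(match.group("conn")), match.group("msg"))


def detect_burst_then_drop(lines, threshold=8, grace_seconds=5):
    """Find connections that logged >= threshold APSNotificationResponse lines within one second,
    and report whether a 'connection lost' line for that connection followed within grace_seconds."""
    per_second = defaultdict(int)   # (conn, second) -> number of APSNotificationResponse lines
    first_drop = {}                 # conn -> timestamp of the first 'connection lost' message
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, conn, msg = parsed
        if "APSNotificationResponse" in msg:
            per_second[(conn, ts)] += 1     # timestamps have second resolution, so ts is the bucket
        elif "connection lost" in msg.lower():
            first_drop.setdefault(conn, ts)
    findings = []
    for (conn, second), count in sorted(per_second.items()):
        if count < threshold:
            continue
        drop = first_drop.get(conn)
        followed = drop is not None and 0 <= (drop - second).total_seconds() <= grace_seconds
        findings.append({"conn": conn, "second": second.isoformat(sep=" "),
                         "responses": count, "drop_followed": followed})
    return findings


# Constructed sample: ten responses in one second on connection #3, then the peer drop,
# plus a quiet connection #5 as a control.
SAMPLE_LOG = (
    ["2016-01-27 15:04:37-0500 [#3] -> APSNotificationResponse message: 00000001 status: 00"] * 10
    + ["2016-01-27 15:04:38-0500 [#3] Peer connection lost ([Failure instance: Traceback (failure with no "
       "frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly. ])",
       "2016-01-27 15:04:40-0500 [#5] -> APSNotificationResponse message: 00000002 status: 00",
       "2016-01-27 15:04:40-0500 [#5] -> APSNotificationResponse message: 00000003 status: 00"]
)

if __name__ == "__main__":
    for finding in detect_burst_then_drop(SAMPLE_LOG):
        print(finding)
```

Run over a full day of proxy output, the ratio of bursts with `drop_followed` true to bursts without it says whether the burst is really the trigger or only a coincidence; that is the measurement to have before changing the reconnect logic.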

Cannot contact the author

I tried finding out any means to contact the person behind this GitHub account, but without luck. I respect privacy, so this will not be a request for an e-mail address or something.
I would just like to notify you that I've opened a question on security.stackexchange.com:

http://security.stackexchange.com/questions/56749/is-apples-push-notification-service-implementation-vulnerable-to-a-mitm-attack

...that I'm sure you would be more than qualified to answer (it is related to apsd) and pick up the running reputation bounty (200) and possibly lots of up-votes. If you are participating there already, why not! The bounty is valid for 4 more days and I don't believe there will be anyone else there to take it, judging from the responses so far.

Btw. PushProxy is a superb project! Great work!

Custom Project

Sorry this isn't really an issue but I don't see any other means of making contact. I am looking to hire someone to create a small project that is related to this project. I need a TCP client that simply connects to push servers and receives any new notifications for a device (no device powered on). I'd assume a lot of functionality could be borrowed from this project. Please email me, at recruitmentdev33 [/at] live dot com. Thanks

iOS 9 Incompatibility

Hi, I am unable to successfully get apsd to accept the proxy certificates. I tried adding com.apple.apsd to SSLKillSwitch2, but iOS is still rejecting the certificates for the push proxy. These same certificates and setup work great on iOS 7 and 8. iOS 9 is doing something else, presumably with App Transport Security (ATS). I did already verify that the generated certs are 2048 bit and are TLS 1.2, which is in compliance with ATS. I'm not sure about the 'Perfect forward secrecy cipher suites' requirement of ATS. Here is some log data:

Jan 16 21:06:57 x-iPhone apsd[265]: MS:Notice: Injecting: com.apple.apsd [apsd] (1240.10)
Jan 16 21:06:57 x-iPhone apsd[265]: MS:Notice: Loading:       /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib
Jan 16 21:06:57 x-iPhone apsd[265]: === SSL Kill Switch 2: Preference set to 1.
Jan 16 21:06:57 x-iPhone apsd[265]: === SSL Kill Switch 2: Subtrate hook enabled.

and then when it tries to connect to push server:

Jan 16 21:07:33 x-iPhone apsd[265]: CFNetwork SSLHandshake failed (-9801)

When the device attempts connection, the push proxy server complains with an exception containing ssl handshake failure SSL3_READ_BYTES

Can this be used to solve the revoked enterprise certificate problem ?

Dear,

When an app is opened on an iPhone, Apple checks the certificate validation for the app. As far as I know, the following checks are made by Apple.

Certificate validation
The first time a user opens an app, the distribution certificate is validated by contacting Apple’s OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server isn’t interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See “Network Configuration Requirements,” earlier in this appendix.

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between three and seven days. The validity of the certificate isn’t checked again until the device has restarted and the cached response has expired.

If a revocation is received at that time, the app is prevented from running.

Revoking a distribution certificate invalidates all of the apps you’ve signed with it. You should revoke a certificate only as a last resort— if you’re sure the private key is lost or the certificate is believed to be compromised.

Can we use this to prevent connecting Apple’s OCSP server ?
Thanks a lot.

Get PushToken for mac OSX iMessage

Hello, I am trying to send to or connect to iMessage with a Python script,
but I can't understand what the push_token is.

When I connect I get this message from Apple:

messagestatus = 5006, Bogus push token status5006

expired iphone3 device certificates don't work with pushproxy

The device certificate is valid for only 3 years, and these never seem to be refreshed once they expire.
So quite a number of older devices have expired client certificates.
Apparently courier.push.apple.com does not care about this.

However, with OpenSSL (as used by pushproxy) it does not seem possible to request a client certificate (the 'SSL.VERIFY_PEER' flag passed to set_verify) and ignore the validity of this client certificate.

Found 1 certificate(s), expected more

I've been trying to set up push proxy locally. I've set up a certificate chain with root, intermediate, and leaf certificates. However, apsd rejects the connection with the message Found 1 certificate(s), expected more. I am also getting Root certificate is not explicitly trusted even though it is marked as trusted in the keychain.

[debug-cert-verification-dtrace.md] Probe doesn't exist on 10.12

Hi. I'm trying to debug certificate verification on macOS 10.12.4.
SIP is disabled. Error when executing dtrace script:
dtrace: invalid probe specifier security_debug*:Security:secdebug_internal:log /copyinstr(arg0) != "cmutex"/ { printf("%s %s %s", execname, copyinstr(arg0), copyinstr(arg1)) }: probe description security_debug*:Security:secdebug_internal:log does not match any probes

Unknown field suggestion

I wanted to get your opinion before making a pull request. There are still a few message fields that have something like:

Unknown1
Unknown2
...

Would it be helpful if the numerical part of these corresponded to the field identifier? So that unknownString4 became unknownString0A or whatever. It's a small change and I'm not even sure how helpful it will be in practice, but seems more useful than the current scheme.

I'll be happy to make a pull request for it if you find it useful.

HexdumpHandler non functional

It seems at some point the HexdumpHandler got borked. Right now it is attempting to print hex for APSMessage objects when it expects a file descriptor it can .read() bytes from.

Untrusted peer, closing connection immediately

Thanks for the great project!
I'm trying to make it work on 10.10. I didn't run it on previous OS X versions, so I think it doesn't work because I have missed something.

I have generated certificates with the script from the first answer here: http://superuser.com/questions/462295/openssl-ca-and-non-ca-certificate. I deleted -subj options and generated certs with the following CNs: root12.apple.com, second.apple.com, courier.push.apple.com.

Added rootCAcert.pem to the system keychain, stored the certificate, the intermediary CA and the keys in server.pem and copied it to certs/courier.push.apple.com/server.pem

cat cert/cert.pem cert/private/certkey.pem CA/CAcert.pem CA/private/CAkey.pem > server.pem 

and generated cert for init-p01st.push.apple.com

openssl genrsa -out ca-init-apple.key 1024
openssl req -new -key ca-init-apple.key -out ca-init-apple.scr
openssl x509 -req -days 365 -in ca-init-apple.scr -CA rootCA/rootCAcert.pem -CAkey rootCA/private/rootCAkey.pem -set_serial 01 -out ca-init-apple.crt
cat ca-init-apple.crt ca-init-apple.key > ca-init-apple.pem

here's a link: https://www.dropbox.com/s/rrct0wviiv2esuj/my_cert.zip

Patched apsd

 openssl x509 -in rootCA/rootCAcert.pem -out rootCA/rootCAcert.der -outform DER
sudo setup/osx/patch_apsd.py /System/Library/PrivateFrameworks/ApplePushService.framework/apsd my_cert/rootCA/rootCAcert.der "Mac Developer: XXXX XXX (XXXXXX)"
sudo mv /System/Library/PrivateFrameworks/ApplePushService.framework/apsd-patched /System/Library/PrivateFrameworks/ApplePushService.framework/apsd

Output of sudo python utils/find_certs.py /System/Library/PrivateFrameworks/ApplePushService.framework/apsd

+ 699872 Found cert with CN "courier.sandbox.push.apple.com" and serial "1277027356"
+ 701008 Found cert with CN "courier.push.apple.com" and serial "1277256594"
+ 702128 Found cert with CN "courier.push.apple.com" and serial "1276925395"
+ 703296 Found cert with CN "Entrust Certification Authority - L1C" and serial "946072060"
+ 704576 Found cert with CN "root12.apple.com" and serial "10596108112207272420"
+ 1009884 Found cert with CN "Apple Worldwide Developer Relations Certification Authority" and serial "25"
+ 1010947 Found cert with CN "Apple Root CA" and serial "2"
+ 1012162 Found cert with CN "Mac Developer: XXXX XXX (XXXXXX)" and serial "5931679684XXXX51112"

sudo killall apsd

Extracted OS X Certificates
sudo setup/osx/extract_certificate.py -f

Configured bag
sudo setup/bag.py courier.push.apple.com my_cert/ca-init-apple.pem -s

Hosts

setup/generate-hosts-file.py 127.0.0.1 > hosts
added hosts to /etc/hosts

and finally

cd src
./runpush.sh

and I got:

PushProxy:

2014-07-25 22:47:30+0300 [#6] New connection from 127.0.0.1:55338
2014-07-25 22:47:30+0300 Unable to connect to peer: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake failure')]
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/internet/posixbase.py:257:_disconnectSelectable
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/internet/tcp.py:279:readConnectionLost
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/internet/tcp.py:299:connectionLost
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/protocols/tls.py:462:connectionLost
--- <exception caught here> ---
/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/twisted/protocols/tls.py:358:_flushReceiveBIO

Console:

7/25/14 22:46:36.832 apsd[92872]: <APSCUTPowerAssertion: 0x7fe45045f720>: Failed to create power assertion com.apple.apsd-connectionestablish-push.apple.com result = -536870207
7/25/14 22:46:36.843 apsd[92872]: <APSCUTPowerAssertion: 0x7fe450549050>: Failed to create power assertion com.apple.apsd-connectionestablish-push.apple.com result = -536870207
7/25/14 22:46:36.845 apsd[92872]: <APSCUTPowerAssertion: 0x7fe450435600>: Failed to create power assertion com.apple.apsd-connectinguser-push.apple.com result = -536870207
7/25/14 22:46:36.849 apsd[92872]: Failed to evaluate trust: No error. (0), result=5; retrying with revocation checking optional
7/25/14 22:46:36.851 apsd[92872]: Failed to evaluate trust: No error. (0), result=5; retrying with system roots
7/25/14 22:46:36.852 apsd[92872]: Failed to evaluate trust: No error. (0), result=5
7/25/14 22:46:36.852 apsd[92872]: Untrusted peer, closing connection immediately

Charles Proxy:
https://www.dropbox.com/s/bkrlvghq1p6vmj8/Screenshot%202014-07-25%2022.50.47.png

OpenSSL:

openssl s_client -connect 127.0.0.1:5223 -prexit -CAfile my_cert/rootCA/rootCAcert.pem
CONNECTED(00000003)
depth=2 /C=US/ST=California/O=Apple Inc./CN=root12.apple.com
verify return:1
depth=1 /C=US/ST=California/O=Apple Inc./CN=second.apple.com
verify return:1
depth=0 /C=US/ST=California/O=Apple Inc./CN=courier.push.apple.com
verify return:1
93099:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-51/src/ssl/s3_pkt.c:1125:SSL alert number 40
93099:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-51/src/ssl/s23_lib.c:182:

---
Certificate chain
 0 s:/C=US/ST=California/O=Apple Inc./CN=courier.push.apple.com
   i:/C=US/ST=California/O=Apple Inc./CN=second.apple.com
 1 s:/C=US/ST=California/O=Apple Inc./CN=second.apple.com
   i:/C=US/ST=California/O=Apple Inc./CN=root12.apple.com

---
Server certificate
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
subject=/C=US/ST=California/O=Apple Inc./CN=courier.push.apple.com
issuer=/C=US/ST=California/O=Apple Inc./CN=second.apple.com

---
No client certificate CA names sent

---
SSL handshake has read 1544 bytes and written 210 bytes

---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 7A41F7EAFCA6E1628E72C37E0DAC5207D4723FD23575ACC1F15F86680BFBF2BB
    Session-ID-ctx: 
    Master-Key: C0994638E5B1391F83863B37504F55B6EAF6F3C1AA2586AEFFE07BDF14B424D7D4D82FD5B5475475B62610756EC14A2E
    Key-Arg   : None
    Start Time: 1406318733
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

---

Thanks in advance!
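The `openssl s_client` output above is the right place to check what the proxy actually presents, because the client builds its trust path only from the certificates the server sends plus the roots it trusts. The checker below is an added example, not part of pushproxy: it parses the 'Certificate chain' section of s_client output, verifies that each certificate's issuer is the subject of the next one sent, and that the chain ends at the root you installed. The same check explains the 'Found 1 certificate(s), expected more' message in the earlier issue: a server.pem without the intermediate sends only the leaf. The sample outputs are constructed in the format shown above; `ROOT` is assumed to be the subject of the installed root certificate.

```python
import re

CHAIN_ENTRY = re.compile(r"^\s*(?P<index>\d+)\s+s:(?P<subject>.+?)\s*$")
ISSUER_ENTRY = re.compile(r"^\s*i:(?P<issuer>.+?)\s*$")


def parse_s_client_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section of openssl s_client
    output, in the order the server sent the certificates (index 0 is the leaf)."""
    chain, in_section, subject = [], False, None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if stripped == "---":
            break
        match = CHAIN_ENTRY.match(line)
        if match:
            subject = match.group("subject")
            continue
        match = ISSUER_ENTRY.match(line)
        if match and subject is not None:
            chain.append((subject, match.group("issuer")))
            subject = None
    return chain


def common_name(dn):
    """CN attribute of a DN in the /C=US/.../CN=name form s_client prints, or None."""
    match = re.search(r"CN=([^/]+)", dn)
    return match.group(1) if match else None


def check_chain(chain, trusted_root, expected_leaf_cn):
    """List what stops a client from building a path from the presented chain to trusted_root.

    Names are compared as the DN strings s_client prints; OpenSSL compares DER-encoded names,
    so this is a diagnostic approximation of `openssl verify`, not a replacement for it.
    """
    problems = []
    if not chain:
        return ["server presented no certificates"]
    leaf_subject, _ = chain[0]
    if common_name(leaf_subject) != expected_leaf_cn:
        problems.append("leaf CN is %r, expected %r" % (common_name(leaf_subject), expected_leaf_cn))
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append("%r is issued by %r but the next certificate sent is %r"
                            % (common_name(subject), common_name(issuer), common_name(next_subject)))
    last_subject, last_issuer = chain[-1]
    if last_issuer != trusted_root and last_subject != trusted_root:
        problems.append("chain stops at issuer %r, which is not the trusted root (%d certificate(s) sent): "
                        "an intermediate is missing" % (common_name(last_issuer), len(chain)))
    return problems


# Constructed sample in the format of the s_client output above: leaf, intermediate, private root.
SAMPLE_FULL = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/O=Apple Inc./CN=courier.push.apple.com
   i:/C=US/ST=California/O=Apple Inc./CN=second.apple.com
 1 s:/C=US/ST=California/O=Apple Inc./CN=second.apple.com
   i:/C=US/ST=California/O=Apple Inc./CN=root12.apple.com

---
Server certificate
"""
# Same server after assembling server.pem without the intermediate certificate.
SAMPLE_LEAF_ONLY = """---
Certificate chain
 0 s:/C=US/ST=California/O=Apple Inc./CN=courier.push.apple.com
   i:/C=US/ST=California/O=Apple Inc./CN=second.apple.com
---
"""
ROOT = "/C=US/ST=California/O=Apple Inc./CN=root12.apple.com"   # assumed installed root subject

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_LEAF_ONLY):
        print(check_chain(parse_s_client_chain(sample), ROOT, "courier.push.apple.com"))
```

If this reports nothing and the device still says 'invalid certificate chain', the problem is on the trust side (the root not being trusted on the device, or the missing intermediate not being installed there), which `openssl verify -CAfile rootCAcert.pem -untrusted intermediate.pem leaf.pem` on the host will not reproduce.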

Invalid certificate chain

First, damned cool that you figured all this out. Just wish I could make it work. :)

My iPad is reaching the pushproxy host/port. I simply used the /etc/hosts method, so there's still the DNS wildcard lookup to push.apple.com, but that's moot because of all the xxx.courier.push.apple.com entries in hosts, correct? I don't need to modify the push daemon on the device or my host (OSX 10.8), correct? (the README is a little vague on that...)

So as I said, it reaches the proxy, but can't complete the connection. On the server side, I get:

2012-09-07 11:37:09-0400 [InterceptServer (TLSMemoryBIOProtocol),2,172.17.1.65] 
Unable to connect to peer: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: 
[('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake failure')]

followed by some traceback records through twisted (posixbase, tcp, tcp, tls, and finally the exception caught in twisted/protocols/tls.py:352:_flushReceiveBIO).

On the client (the iPad), I see:

Sep  7 11:33:35 David-Schuetzs-iPad apsd[85] <Warning>: 
<APSCourier: 0xd60a0f0>: Stream error occurred for <APSTCPStream: 0xd61b1f0>: 
TLS Error Code=-9807 "invalid certificate chain"

I've also tried simply using openssl s_server (using the server.pem cert, naturally):

  bad gethostbyaddr
  SSL_accept:before/accept initialization
  SSL_accept:SSLv3 read client hello A
  SSL_accept:SSLv3 write server hello A
  SSL_accept:SSLv3 write certificate A
  SSL_accept:SSLv3 write server done A
  SSL_accept:SSLv3 flush data
  SSL_accept:failed in SSLv3 read client certificate A
  ERROR

I've read elsewhere that the gethostbyaddr can be ignored, and that the error in the client certificate may be ambiguous (just that this is where the failure occurred -- in this case, it seems likely because the client rejected the connection because of the certificate chain issue).

To create the server certificate, I once used Keychain, making a self-signed root SSL Server cert, and another time I used OpenSSL (using a script I've used successfully for MDM server research). The OpenSSL route involves creating a self-signed CA, then using that to sign the server cert. I've tried it both with "bogus" parameters in the CA (for state, city, ou, etc.), and another time I tried to replicate the relevant parameters using data in the Apple CA cert extracted from the device.

In all cases, I installed the server cert, or the self-signed CA, or the CA and the server cert, on the local device by firing up an in-place one-line Python HTTP server and tapping on the appropriate certificate file (which launches the Settings app and installs the cert). When installing just the Keychain-generated server cert, it subsequently shows in Settings as "not trusted," but when using the CA and server cert, they both show as trusted.

So I'm reasonably confident that all my certificates are correct, as well.

I've even tried disabling certificate pinning, in case the apsd process is trying to go farther than simply verifying a good chain (in case it has to be the RIGHT chain). (I used the new iSEC Partners "ios-ssl-kill-switch" mobile substrate hook). That didn't work, either -- but, if pinning is the problem, it's possible that the apsd isn't affected by this substrate hack.

Any thoughts? I'm on iOS 5.0.1, iPad 2, AT&T (inactive SIM, so no 3G).

Thanks!

Creating New Messages

I understand that you read the whole message structure and rewrite it to Apple.
I am trying to build a message sender from a cloud service using one ID, device token, phone certificates and so on.

Do you think that it is possible to do this? Or is it something that can only be done on the device?

Thanks in advance,

connect to apple push server error "key values mismatch"

2015-04-23 09:41:29+0800 Starting factory <twisted.spread.pb.PBServerFactory instance at 0x10fb80998>
2015-04-23 09:41:36+0800 [#0] New connection from 127.0.0.1:49168
2015-04-23 09:41:36+0800 [#0] SSL handshake done: Device: A37E8C14-9C23-4DD1-8D70-A768D5F53BB6
2015-04-23 09:41:36+0800 [#0] Connecting to push server: 17.172.232.218:5223
2015-04-23 09:41:36+0800 '[#0] SSLInfoCallback Exception:'
2015-04-23 09:41:36+0800 'Traceback (most recent call last):\n  File "/work/PyCharm/pushproxy-master/src/icl0ud/push/intercept.py", line 139, in SSLInfoCallback\n    self.connectToServer()\n  File "/work/PyCharm/pushproxy-master/src/icl0ud/push/intercept.py", line 168, in connectToServer\n    self.getClientContextFactory())\n  File "/Library/Python/2.7/site-packages/twisted/internet/posixbase.py", line 452, in connectSSL\n    tlsFactory = tls.TLSMemoryBIOFactory(contextFactory, True, factory)\n  File "/Library/Python/2.7/site-packages/twisted/protocols/tls.py", line 594, in __init__\n    contextFactory.getContext()\n  File "/work/PyCharm/pushproxy-master/src/icl0ud/push/intercept.py", line 105, in getContext\n    ctx.use_privatekey_file(self.cert)\n  File "/Library/Python/2.7/site-packages/OpenSSL/SSL.py", line 458, in use_privatekey_file\n    self._raise_passphrase_exception()\n  File "/Library/Python/2.7/site-packages/OpenSSL/SSL.py", line 429, in _raise_passphrase_exception\n    _raise_current_error()\n  File "/Library/Python/2.7/site-packages/OpenSSL/_util.py", line 22, in exception_from_error_queue\n    raise exceptionType(errors)\nError: [(\'x509 certificate routines\', \'X509_check_private_key\', \'key values mismatch\')]\n'

Find My Friend Play Sound

Hi there,

I can't seem to get this working. ;-[ Could you post a log dump of the push notifications being sent by iCloud when you use Find My Phone 'Play Sound' and 'Lost Mode' features?

Find My Friends
