CRL and OCSP behavior of iOS / Security.Framework?

一个人的身影 2020-12-30 07:49

I'm trying to figure out what iOS' policy is when verifying certificates using Security.Framework regarding revocation of certificates. I cannot find information about thi

3 answers
  •  佛祖请我去吃肉
    2020-12-30 08:18

    I have an answer to this question by Apple guys, I posted the full answer here:

    Details on SSL/TLS certificate revocation mechanisms on iOS

    To sum it up, there are several things to keep in mind for OCSP implementation on iOS:

    • OCSP policy cannot be configured at this moment
    • it works for the EV certificates only
    • high-level stuff, such as NSURLConnection or UIWebView use TLS security policy, which uses OCSP
    • SecTrustEvaluate is a blocking network operation
    • it works on a "best attempt" basis - if OCSP server cannot be contacted, the trust evaluation will not fail
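
An added example, not part of the answer above or of Apple's code: because trust evaluation can block on network I/O, this URLSession delegate runs it on a background queue. It uses `SecTrustEvaluateWithError`, the successor to `SecTrustEvaluate`; the class name and queue label are hypothetical.

```swift
import Foundation
import Security

// Evaluates server trust off the main thread, since evaluation may
// block on network I/O such as an OCSP request.
final class TrustEvaluatingDelegate: NSObject, URLSessionDelegate {
    // Hypothetical label; any serial, non-main queue works.
    private let trustQueue = DispatchQueue(label: "example.trust-evaluation",
                                           qos: .userInitiated)

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        // Only handle server-trust challenges; leave the rest to the system.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        trustQueue.async {
            var error: CFError?
            // Blocking call: never run this on the main queue.
            let trusted = SecTrustEvaluateWithError(trust, &error)

            if trusted {
                // Per the answer above, revocation checking is best-attempt:
                // success here does not prove an OCSP responder was reached.
                completionHandler(.useCredential, URLCredential(trust: trust))
            } else {
                // Record the reason, then fail closed.
                NSLog("Trust evaluation failed for %@: %@",
                      space.host, String(describing: error))
                completionHandler(.cancelAuthenticationChallenge, nil)
            }
        }
    }
}
```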
