iOS 18 breaks IMAPS self-signed certs

Bug / Regression Behavior

  • iOS 18 reportedly breaks IMAPS connections using self‑signed server certs that were previously accepted after manual trust.
  • Issue appears specific to IMAP; some report calendars/notes still working with the same self‑signed cert.
  • Some users also report problems with Let’s Encrypt–signed mail certs under iOS 18, sometimes depending on the server’s TLS configuration (e.g., whether it negotiates TLS 1.3 or only TLS 1.2, and which cipher suites it offers).
  • macOS Mail continues to work with the same setups that fail on iOS 18.

Workarounds and Configuration Approaches

  • Many recommend switching to public CA certs (often Let’s Encrypt) and using:
    • DNS-01 ACME challenges so hosts don’t need to be publicly reachable (the CA only has to see a TXT record in the zone, so the mail server itself can stay on a private network).
    • Internal DNS or hosts files to map internal IPs to domain names.
  • Others describe using a private CA:
    • Generate a root CA, install it on iOS via a configuration profile (and then enable full trust for it under Settings > General > About > Certificate Trust Settings), and sign the mail server’s certs with it.
    • Reports indicate this continues to work on iOS 18 for IMAP.
  • Some point out complications with home routers (DNS rebinding protections), Android’s more limited user-CA trust for apps, and general PKI complexity for non‑experts.

Self‑Signed vs Private CA vs Public PKI

  • One camp argues self‑signed certs (especially TOFU/pinned) are reasonable or more trustworthy than the public CA ecosystem, especially for single‑user, internal servers.
  • Another camp calls direct self‑signed use “lazy” or unsafe:
    • Users tend to click through trust prompts.
    • Private CAs allow revocation (CRL/OCSP), easier rotation, and centralized management.
  • Several clarify the distinction between:
    • A raw self‑signed leaf cert, and
    • A private root CA (also self‑signed) used to sign normal leaf certs.

Security Model and Threats

  • Debate over whether public PKI or TOFU better matches typical threat models.
  • Concerns raised about CA misissuance, certificate transparency coverage, and nation‑state MITM capabilities.
  • Others counter that rejecting PKI entirely is impractical for email, since server-to-server SMTP transport security already depends on it.

Apple’s UX and Policy

  • Frustration that Apple appears to have removed or broken self‑signed support without warning or a deprecation path.
  • Some see this as improving secure defaults for non‑technical users; others view it as hostile to self‑hosting and advanced configurations.

Related Tangents

  • Questions about iOS Mail supporting client certs or self‑hosted MFA.
  • Complaints about other Mail quirks, e.g., IDN sender addresses failing on iOS but not macOS.